diff --git a/config/alfresco/web-client-config.xml b/config/alfresco/web-client-config.xml
index d52687a4c4..b916d6f248 100644
--- a/config/alfresco/web-client-config.xml
+++ b/config/alfresco/web-client-config.xml
@@ -125,6 +125,10 @@
false
+
+
+
+ false
diff --git a/source/java/org/alfresco/web/app/servlet/command/ScriptCommandProcessor.java b/source/java/org/alfresco/web/app/servlet/command/ScriptCommandProcessor.java
index 3791d44127..2ef08890d0 100644
--- a/source/java/org/alfresco/web/app/servlet/command/ScriptCommandProcessor.java
+++ b/source/java/org/alfresco/web/app/servlet/command/ScriptCommandProcessor.java
@@ -28,15 +28,19 @@ import javax.servlet.http.HttpServletRequest;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.repo.jscript.ScriptableHashMap;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.web.app.Application;
import org.alfresco.web.app.servlet.BaseServlet;
import org.alfresco.web.bean.repository.Repository;
import org.alfresco.web.bean.repository.User;
+import org.alfresco.web.config.ClientConfigElement;
+import org.springframework.extensions.config.ConfigService;
/**
* Script command processor implementation.
@@ -98,7 +102,7 @@ public final class ScriptCommandProcessor implements CommandProcessor
}
}
- // check we can access the nodes specified
+ // check we can READ access the nodes specified
PermissionService ps = Repository.getServiceRegistry(sc).getPermissionService();
allowed = (ps.hasPermission(this.scriptRef, PermissionService.READ) == AccessStatus.ALLOWED);
if (this.docRef != null)
@@ -106,7 +110,14 @@ public final class ScriptCommandProcessor implements CommandProcessor
allowed &= (ps.hasPermission(this.docRef, PermissionService.READ) == AccessStatus.ALLOWED);
}
- // check that the user has at least READ access on the node - else redirect to the login page
+ // check to see if user is allowed to execute arbituary javascript
+ // by default only an admin authority can perform this action
+ ConfigService configService = Application.getConfigService(sc);
+ ClientConfigElement configElement = (ClientConfigElement)configService.getGlobalConfig().getConfigElement("client");
+ boolean allowScriptExecute = configElement.getAllowUserScriptExecute();
+ AuthorityService authService = Repository.getServiceRegistry(sc).getAuthorityService();
+ allowed &= (allowScriptExecute || authService.isAdminAuthority(AuthenticationUtil.getFullyAuthenticatedUser()));
+
return allowed;
}
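Review bot: The new `allowed &=` line passes `AuthenticationUtil.getFullyAuthenticatedUser()` straight into `isAdminAuthority`, and nothing in the hunk shows that a user is guaranteed to be bound to the thread at this point or that `isAdminAuthority` tolerates null; the enclosing method starts outside the hunk, so if an earlier line already rejects unauthenticated requests a short comment saying so would settle it. The cast `(ClientConfigElement)configService.getGlobalConfig().getConfigElement("client")` throws a NullPointerException when no `client` config element is present, which fails closed but as a server error rather than a clean denial; `boolean allowScriptExecute = configElement != null && configElement.getAllowUserScriptExecute();` keeps the deny-by-default without the exception. The comment on the preceding lines misspells "arbitrary" and should make the consequence of the flag explicit, e.g. `// check whether the user may execute arbitrary server-side JavaScript; by default only an admin authority can, and allow-user-script-execute=true extends this to every user`.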
diff --git a/source/java/org/alfresco/web/config/ClientConfigElement.java b/source/java/org/alfresco/web/config/ClientConfigElement.java
index c051f3636e..581b8af509 100644
--- a/source/java/org/alfresco/web/config/ClientConfigElement.java
+++ b/source/java/org/alfresco/web/config/ClientConfigElement.java
@@ -23,15 +23,15 @@ import java.util.List;
import javax.faces.context.FacesContext;
-import org.springframework.extensions.config.ConfigElement;
import org.alfresco.config.JNDIConstants;
-import org.springframework.extensions.config.element.ConfigElementAdapter;
import org.alfresco.mbeans.VirtServerRegistry;
import org.alfresco.service.namespace.QName;
import org.alfresco.util.ExpiringValueCache;
import org.alfresco.web.bean.repository.Repository;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.springframework.extensions.config.ConfigElement;
+import org.springframework.extensions.config.element.ConfigElementAdapter;
/**
* Custom config element that represents config values for the client
@@ -82,7 +82,8 @@ public class ClientConfigElement extends ConfigElementAdapter
private boolean userGroupAdmin = true;
private boolean allowUserConfig = true;
private int pickerSearchMinimum = 2;
- private boolean checkContextAgainstPath = false;
+ private boolean checkContextAgainstPath = false;
+ private boolean allowUserScriptExecute = false;
/**
@@ -312,8 +313,13 @@ public class ClientConfigElement extends ConfigElementAdapter
if (newElement.getCheckContextAgainstPath() != combinedElement.getCheckContextAgainstPath())
{
combinedElement.setCheckContextAgainstPath(newElement.getCheckContextAgainstPath());
+ }
+
+ if (newElement.getAllowUserScriptExecute() != combinedElement.getAllowUserScriptExecute())
+ {
+ combinedElement.setAllowUserScriptExecute(newElement.getAllowUserScriptExecute());
}
-
+
return combinedElement;
}
@@ -890,5 +896,21 @@ public class ClientConfigElement extends ConfigElementAdapter
/*package*/ void setCheckContextAgainstPath(boolean checkContextAgainstPath)
{
this.checkContextAgainstPath = checkContextAgainstPath;
+ }
+
+ /**
+ * @return true if any user can execute JavaScript via the command servlet
+ */
+ public boolean getAllowUserScriptExecute()
+ {
+ return this.allowUserScriptExecute;
+ }
+
+ /**
+ * @param allowUserScriptExecute true to allow any user to execute JavaScript via the command servlet
+ */
+ /*package*/ void setAllowUserScriptExecute(boolean allowUserScriptExecute)
+ {
+ this.allowUserScriptExecute = allowUserScriptExecute;
}
}
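Review bot: The Javadoc on `getAllowUserScriptExecute` gives neither the default nor what the flag controls when false, which is the security-relevant part; the field is initialised to false in the earlier hunk of this file. Suggest `@return true if any user may execute JavaScript via the command servlet; defaults to {@code false}, in which case only an admin authority may do so`. Keeping the setter package-private matches `setCheckContextAgainstPath` directly above it.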
diff --git a/source/java/org/alfresco/web/config/ClientElementReader.java b/source/java/org/alfresco/web/config/ClientElementReader.java
index 583d8b2ca2..b984f2c51d 100644
--- a/source/java/org/alfresco/web/config/ClientElementReader.java
+++ b/source/java/org/alfresco/web/config/ClientElementReader.java
@@ -22,11 +22,11 @@ package org.alfresco.web.config;
import java.util.ArrayList;
import java.util.List;
+import org.alfresco.service.namespace.QName;
+import org.dom4j.Element;
import org.springframework.extensions.config.ConfigElement;
import org.springframework.extensions.config.ConfigException;
import org.springframework.extensions.config.xml.elementreader.ConfigElementReader;
-import org.alfresco.service.namespace.QName;
-import org.dom4j.Element;
/**
* Custom element reader to parse config for client config values
@@ -66,7 +66,8 @@ public class ClientElementReader implements ConfigElementReader
public static final String ELEMENT_USERGROUPADMIN = "user-group-admin";
public static final String ELEMENT_ALLOWUSERCONFIG = "allow-user-config";
public static final String ELEMENT_PICKERSEARCHMINIMUM = "picker-search-minimum";
- public static final String ELEMENT_CHECKCONTEXTPATH = "check-context-against-path";
+ public static final String ELEMENT_CHECKCONTEXTPATH = "check-context-against-path";
+ public static final String ELEMENT_ALLOWUSERSCRIPTEXECUTE = "allow-user-script-execute";
/**
@@ -325,7 +326,14 @@ public class ClientElementReader implements ConfigElementReader
if (checkContextAgainstPath != null)
{
configElement.setCheckContextAgainstPath(Boolean.parseBoolean(checkContextAgainstPath.getTextTrim()));
- }
+ }
+
+ // get allow any user to execute javascript via the command servlet
+ Element allowUserScriptExecute = element.element(ELEMENT_ALLOWUSERSCRIPTEXECUTE);
+ if (allowUserScriptExecute != null)
+ {
+ configElement.setAllowUserScriptExecute(Boolean.parseBoolean(allowUserScriptExecute.getTextTrim()));
+ }
}
return configElement;
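Review bot: `Boolean.parseBoolean(allowUserScriptExecute.getTextTrim())` in the new branch treats any text other than a case-insensitive "true" as false, so a misspelt value silently leaves the feature disabled; that is the safe direction for this flag, but an operator debugging an apparently ignored setting will not know why, so add `// Boolean.parseBoolean: anything but "true" (case-insensitive) keeps the default of false` above the call. The comment `// get allow any user to execute javascript via the command servlet` reads awkwardly; `// whether any user (not just admin authorities) may execute JavaScript via the command servlet` is clearer. The enclosing method begins before the hunk.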