REPO-2819 : DELETE /shared-links/{id} with admin returns 403 (#9)

* REPO-2819 : DELETE /shared-links/{id} with admin returns 403
   Add an extra check to QuickShareServiceImpl.canDeleteSharedLink, because the admin user can return the SiteName of a nodeRef (even if it's private).
   Add a JUnit test into QuickShareServiceIntegrationTest
   Add a comment to the test - no actual shared Link is needed for this test.

* REPO-2520 : SiteMembership Java API calls should tell which site resulted in errors
   Add the test class into the test suite (was not previously added).
Alexandru-Eusebiu Epure
2017-08-30 10:26:07 +03:00
committed by GitHub
parent af2e069b2e
commit 4cbacecada
4 changed files with 74 additions and 1 deletions

@@ -986,7 +986,8 @@ public class QuickShareServiceImpl implements QuickShareService,
{
// node belongs to a site - current user must be a manager or collaborator or someone who shared the link
String role = siteService.getMembersRole(siteName, currentUser);
if (isSharedByCurrentUser || (role != null && (role.equals(SiteModel.SITE_MANAGER) || role.equals(SiteModel.SITE_COLLABORATOR))))
if (isSharedByCurrentUser || (role != null && (role.equals(SiteModel.SITE_MANAGER) || role.equals(SiteModel.SITE_COLLABORATOR)))
|| (authorityService.isAdminAuthority(currentUser)))
{
canDeleteSharedLink = true;
}
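Review bot: The comment above the condition still reads "current user must be a manager or collaborator or someone who shared the link", but the added "|| (authorityService.isAdminAuthority(currentUser))" clause introduces a fourth allowed case, so the comment should be updated to state the full authorization rule. In the lines shown, the admin clause is added only in the branch for nodes that belong to a site and is evaluated after siteService.getMembersRole(siteName, currentUser) has already run; consider checking admin authority once at the top of canDeleteSharedLink so the outcome does not depend on which branch the node falls into. Since this widens who may delete a link in a private site, the integration test should also assert that a user who is neither admin, sharer, manager nor collaborator is still refused. The outer parentheses around the isAdminAuthority call are redundant.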