REPO-2819 : DELETE /shared-links/{id} with admin returns 403 (#9)

* REPO-2819 : DELETE /shared-links/{id} with admin returns 403 Add an extra check to QuickShareServiceImpl.canDeleteSharedLink, because the admin user can return the SiteName of a nodeRef (even if it's private). Add a JUnit test into QuickShareServiceIntegrationTest Add a comment to the test - no actual shared Link is needed for this test. * REPO-2520 : SiteMembership Java API calls should tell which site resulted in errors Add the test class into the test suite (was not previously added).
2025-07-31 17:39:05 +00:00 · 2017-08-30 10:26:07 +03:00
parent af2e069b2e
commit 4cbacecada
4 changed files with 74 additions and 1 deletions
--- a/src/main/java/org/alfresco/repo/quickshare/QuickShareServiceImpl.java
+++ b/src/main/java/org/alfresco/repo/quickshare/QuickShareServiceImpl.java
@@ -986,7 +986,8 @@ public class QuickShareServiceImpl implements QuickShareService,
        {
            // node belongs to a site - current user must be a manager or collaborator or someone who shared the link
            String role = siteService.getMembersRole(siteName, currentUser);
-            if (isSharedByCurrentUser || (role != null && (role.equals(SiteModel.SITE_MANAGER) || role.equals(SiteModel.SITE_COLLABORATOR))))
+            if (isSharedByCurrentUser || (role != null && (role.equals(SiteModel.SITE_MANAGER) || role.equals(SiteModel.SITE_COLLABORATOR)))
+                    || (authorityService.isAdminAuthority(currentUser)))
            {
                canDeleteSharedLink = true;
            }
--- a/src/test/java/org/alfresco/AllRepositoryTestsCatalogue.java
+++ b/src/test/java/org/alfresco/AllRepositoryTestsCatalogue.java
@@ -592,6 +592,7 @@ public class AllRepositoryTestsCatalogue
    // no context - true JUNIT tests
    static void unitTestsNoContext(TestSuite suite)
    {
+        suite.addTest(new JUnit4TestAdapter(org.alfresco.repo.site.SiteMembershipTest.class));
        suite.addTestSuite(org.alfresco.encryption.EncryptorTest.class);
        suite.addTestSuite(org.alfresco.encryption.KeyStoreKeyProviderTest.class);
        suite.addTest(new JUnit4TestAdapter(org.alfresco.filesys.config.ServerConfigurationBeanTest.class));
--- a/src/test/java/org/alfresco/repo/quickshare/QuickShareServiceIntegrationTest.java
+++ b/src/test/java/org/alfresco/repo/quickshare/QuickShareServiceIntegrationTest.java
@@ -63,6 +63,8 @@ import org.alfresco.service.cmr.repository.InvalidNodeRefException;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.security.PermissionService;
+import org.alfresco.service.cmr.site.SiteService;
+import org.alfresco.service.cmr.site.SiteVisibility;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.util.test.junitrules.AlfrescoPerson;
@@ -134,6 +136,7 @@ public class QuickShareServiceIntegrationTest
    private static QuickShareLinkExpiryActionPersister quickShareLinkExpiryActionPersister;
    private static RetryingTransactionHelper transactionHelper;
    private static Properties globalProperties;
+    private static SiteService siteService;
    
    private static AlfrescoPerson user1 = new AlfrescoPerson(testContext, "UserOne");
    private static AlfrescoPerson user2 = new AlfrescoPerson(testContext, "UserTwo");
@@ -173,6 +176,7 @@ public class QuickShareServiceIntegrationTest
        quickShareLinkExpiryActionPersister = ctx.getBean("quickShareLinkExpiryActionPersister", QuickShareLinkExpiryActionPersister.class);
        transactionHelper = ctx.getBean("retryingTransactionHelper", RetryingTransactionHelper.class);
        globalProperties = ctx.getBean("global-properties", Properties.class);
+        siteService = (SiteService) ctx.getBean("SiteService");
    }
    
    @Before public void createTestData()
@@ -849,6 +853,52 @@ public class QuickShareServiceIntegrationTest
        }
    }

+    // Test SharedLink deletion by admin user based on REPO-2819 - test does not relay on whether a sharedLink
+    // exists or not.
+    @Test
+    public void testCanDeleteSharedLinkWithAdminUserForPrivateNodes() throws Exception
+    {
+        String currentUser = AuthenticationUtil.getFullyAuthenticatedUser();
+        try
+        {
+            // Create a private site
+            AuthenticationUtil.setFullyAuthenticatedUser(user1.getUsername());
+            String randomUUID = UUIDGenerator.getInstance().generateRandomBasedUUID().toString();
+            String siteName = "testSite" + randomUUID;
+            siteService.createSite("site-dashboard", siteName, "Title for " + siteName,
+                    "Description for " + siteName, SiteVisibility.PRIVATE);
+
+            // Create a node on the private site and user home
+            String nodeName = "testNode" + randomUUID;
+            NodeRef nodeRefOnPrivateSite = testNodes.createNode(siteService.getSite(siteName).getNodeRef(), nodeName,
+                    ContentModel.TYPE_CONTENT, user1.getUsername());
+            NodeRef nodeRefOnUserHome = testNodes.createNode(userHome, nodeName + "userHome",
+                    ContentModel.TYPE_CONTENT, user1.getUsername());
+
+            // Verify if the admin user "canDeleteSharedLink" on the nodes
+            AuthenticationUtil.setFullyAuthenticatedUser("admin");
+            boolean canDeleteSharedLink = userCanDeleteSharedLink(nodeRefOnPrivateSite,user1.getUsername());
+            assertEquals(true, canDeleteSharedLink);
+            canDeleteSharedLink = userCanDeleteSharedLink(nodeRefOnUserHome, user1.getUsername());
+            assertEquals(true, canDeleteSharedLink);
+
+            // Clean up
+            nodeService.deleteNode(nodeRefOnUserHome);
+            siteService.deleteSite(siteName);
+        }
+        finally
+        {
+            if (currentUser != null)
+            {
+                AuthenticationUtil.setFullyAuthenticatedUser(currentUser);
+            }
+            else 
+                {
+                AuthenticationUtil.clearCurrentSecurityContext();
+                }
+        }
+    }
+
    private QuickShareLinkExpiryAction getExpiryActionAndAttachSchedule(String sharedId)
    {

@@ -913,4 +963,11 @@ public class QuickShareServiceIntegrationTest
            return null;
        });
    }
+
+    private boolean userCanDeleteSharedLink(NodeRef nodeRef, String sharedByUserId)
+    {
+        return transactionHelper.doInTransaction(() -> {
+        return quickShareService.canDeleteSharedLink(nodeRef, sharedByUserId);
+        });
+    }
 }
--- a/src/test/java/org/alfresco/util/BaseAlfrescoSpringTest.java
+++ b/src/test/java/org/alfresco/util/BaseAlfrescoSpringTest.java
@@ -133,6 +133,7 @@ public abstract class BaseAlfrescoSpringTest extends BaseSpringTest
        createUser(userName, userName, "PWD");
    }

+    @SuppressWarnings("deprecation")
    protected void createUser(String userName, String nameSuffix, String password)
    {
        if (this.authenticationService.authenticationExists(userName) == false)
@@ -150,4 +151,17 @@ public abstract class BaseAlfrescoSpringTest extends BaseSpringTest
            personService.createPerson(ppOne);
        }
    }
+
+    /**
+     * We assume: Admin user is already authenticated and userName already exists.
+     * 
+     * @param userName
+     */
+    @SuppressWarnings("deprecation")
+    protected void deleteUser(String userName)
+    {
+        PersonService personService = (PersonService) applicationContext.getBean("personService");
+        personService.deletePerson(userName);
+    }
+
 }