diff --git a/source/java/org/alfresco/repo/admin/patch/impl/SitePermissionRefactorPatch.java b/source/java/org/alfresco/repo/admin/patch/impl/SitePermissionRefactorPatch.java index 1cdd595f17..5560bc3607 100644 --- a/source/java/org/alfresco/repo/admin/patch/impl/SitePermissionRefactorPatch.java +++ b/source/java/org/alfresco/repo/admin/patch/impl/SitePermissionRefactorPatch.java @@ -97,7 +97,7 @@ public class SitePermissionRefactorPatch extends AbstractPatch String siteGroup = authorityService.createAuthority( AuthorityType.GROUP, null, - ((SiteServiceImpl)this.siteService).getSiteGroupName(siteInfo.getShortName(), + ((SiteServiceImpl)this.siteService).getSiteGroup(siteInfo.getShortName(), false)); Set permissions = permissionService.getSettablePermissions(SiteModel.TYPE_SITE); for (String permission : permissions) @@ -106,7 +106,7 @@ public class SitePermissionRefactorPatch extends AbstractPatch String permissionGroup = authorityService.createAuthority( AuthorityType.GROUP, siteGroup, - ((SiteServiceImpl)this.siteService).getSitePermissionGroupName( + ((SiteServiceImpl)this.siteService).getSiteRoleGroup( siteInfo.getShortName(), permission, false)); @@ -123,7 +123,7 @@ public class SitePermissionRefactorPatch extends AbstractPatch if (permission.getAuthorityType() == AuthorityType.USER) { // Add this authority to the appropriate group - String group = ((SiteServiceImpl)this.siteService).getSitePermissionGroupName( + String group = ((SiteServiceImpl)this.siteService).getSiteRoleGroup( siteInfo.getShortName(), permission.getPermission(), true); diff --git a/source/java/org/alfresco/repo/site/SiteService.java b/source/java/org/alfresco/repo/site/SiteService.java index 32fa425de9..511837a62d 100644 --- a/source/java/org/alfresco/repo/site/SiteService.java +++ b/source/java/org/alfresco/repo/site/SiteService.java 
@@ -154,4 +154,22 @@ public interface SiteService */ boolean hasContainer(String shortName, String componentId); + /** + * Gets the sites group. All members of the site are contained within this group. + * + * @param shortName site short name + * @return String group name + */ + String getSiteGroup(String shortName); + + /** + * Gets the sites role group. All members assigned the given role will be memebers of + * the returned group. + * + * @param shortName site short name + * @param role membership role + * @return String group name + */ + String getSiteRoleGroup(String shortName, String role); + } diff --git a/source/java/org/alfresco/repo/site/SiteServiceImpl.java b/source/java/org/alfresco/repo/site/SiteServiceImpl.java index f45e270f95..4905b3622d 100644 --- a/source/java/org/alfresco/repo/site/SiteServiceImpl.java +++ b/source/java/org/alfresco/repo/site/SiteServiceImpl.java @@ -229,12 +229,12 @@ public class SiteServiceImpl implements SiteService, SiteModel public String doWork() throws Exception { // Create the site's groups - String siteGroup = authorityService.createAuthority(AuthorityType.GROUP, null, getSiteGroupName(shortName, false)); + String siteGroup = authorityService.createAuthority(AuthorityType.GROUP, null, getSiteGroup(shortName, false)); Set permissions = permissionService.getSettablePermissions(SiteModel.TYPE_SITE); for (String permission : permissions) { // Create a group for the permission - String permissionGroup = authorityService.createAuthority(AuthorityType.GROUP, siteGroup, getSitePermissionGroupName(shortName, permission, false)); + String permissionGroup = authorityService.createAuthority(AuthorityType.GROUP, siteGroup, getSiteRoleGroup(shortName, permission, false)); // Assign the group the relevant permission on the site permissionService.setPermission(siteNodeRef, permissionGroup, permission, true); 
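Review bot: The Javadoc for the two new interface methods, `getSiteGroup(String)` and `getSiteRoleGroup(String, String)`, does not say whether the returned name carries the authority group prefix, or what a caller gets for a site or role that does not exist. The `SiteServiceImpl` hunks in this commit delegate with `withGroupPrefix` set to `true`, and the new `Site.java` code passes the result straight to `permissionService.setPermission`, so the contract matters to anyone writing ACL entries with it. I would state it explicitly, e.g. `@return String full group authority name, including the group prefix`, and add a sentence that the name is derived from the arguments and is not checked against existing authorities, if that is the intent. "memebers" in the second comment should be "members".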
@@ -249,7 +249,7 @@ public class SiteServiceImpl implements SiteService, SiteModel permissionService.setPermission(siteNodeRef, PermissionService.ALL_AUTHORITIES, SITE_CONSUMER, true); } permissionService.setPermission(siteNodeRef, PermissionService.ALL_AUTHORITIES, PermissionService.READ_PERMISSIONS, true); - authorityService.addAuthority(getSitePermissionGroupName(shortName, SiteModel.SITE_MANAGER, true), currentUser); + authorityService.addAuthority(getSiteRoleGroup(shortName, SiteModel.SITE_MANAGER, true), currentUser); // Return nothing return null; @@ -262,13 +262,29 @@ public class SiteServiceImpl implements SiteService, SiteModel return siteInfo; } + /** + * @see org.alfresco.repo.site.SiteService#getSiteGroup(java.lang.String) + */ + public String getSiteGroup(String shortName) + { + return getSiteGroup(shortName, true); + } + + /** + * @see org.alfresco.repo.site.SiteService#getSiteRoleGroup(java.lang.String, java.lang.String) + */ + public String getSiteRoleGroup(String shortName, String role) + { + return getSiteRoleGroup(shortName, role, true); + } + /** * Helper method to get the name of the site group * * @param shortName site short name * @return String site group name */ - public String getSiteGroupName(String shortName, boolean withGroupPrefix) + public String getSiteGroup(String shortName, boolean withGroupPrefix) { StringBuffer sb = new StringBuffer(64); if (withGroupPrefix == true) @@ -287,9 +303,9 @@ public class SiteServiceImpl implements SiteService, SiteModel * @param permission permission name * @return String site permission group name */ - public String getSitePermissionGroupName(String shortName, String permission, boolean withGroupPrefix) + public String getSiteRoleGroup(String shortName, String permission, boolean withGroupPrefix) { - return getSiteGroupName(shortName, withGroupPrefix) + "_" + permission; + return getSiteGroup(shortName, withGroupPrefix) + "_" + permission; } /** 
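Review bot: The new public `getSiteRoleGroup(String shortName, String role)` in the `@@ -262,13 +262,29 @@` hunk forwards `role` unchecked, and the helper in the next hunk builds the name as `getSiteGroup(shortName, withGroupPrefix) + "_" + permission`. Any string is therefore accepted as a role, and the result can name a group that was never created; if short names may contain `_` (not visible here), it could also coincide with another site's group name. Since this commit makes the method part of the `SiteService` interface and its result is used as an authority in permission calls, I would reject roles that are not in `permissionService.getSettablePermissions(SiteModel.TYPE_SITE)` before building the name. The Javadoc of the three-argument helpers also omits `withGroupPrefix` and still calls the parameter `permission`; adding `@param withGroupPrefix true to prepend the authority group prefix` would cover it. The body of `getSiteGroup(String, boolean)` continues outside the hunk.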
@@ -514,7 +530,7 @@ public class SiteServiceImpl implements SiteService, SiteModel { public Object doWork() throws Exception { - authorityService.deleteAuthority(getSiteGroupName(shortName, true)); + authorityService.deleteAuthority(getSiteGroup(shortName, true)); return null; } }, AuthenticationUtil.getSystemUserName()); @@ -536,7 +552,7 @@ public class SiteServiceImpl implements SiteService, SiteModel Set permissions = permissionService.getSettablePermissions(SiteModel.TYPE_SITE); for (String permission : permissions) { - String groupName = getSitePermissionGroupName(shortName, permission, true); + String groupName = getSiteRoleGroup(shortName, permission, true); Set users = this.authorityService.getContainedAuthorities(AuthorityType.USER, groupName, true); for (String user : users) { @@ -626,7 +642,7 @@ public class SiteServiceImpl implements SiteService, SiteModel { Set siteMangers = this.authorityService.getContainedAuthorities( AuthorityType.USER, - getSitePermissionGroupName(shortName, SITE_MANAGER, true), + getSiteRoleGroup(shortName, SITE_MANAGER, true), true); if (siteMangers.size() == 1) { @@ -653,7 +669,7 @@ public class SiteServiceImpl implements SiteService, SiteModel public Object doWork() throws Exception { // Remove the user from the current permission group - String currentGroup = getSitePermissionGroupName(shortName, role, true); + String currentGroup = getSiteRoleGroup(shortName, role, true); authorityService.removeAuthority(currentGroup, userName); return null; @@ -723,7 +739,7 @@ public class SiteServiceImpl implements SiteService, SiteModel { Set siteMangers = this.authorityService.getContainedAuthorities( AuthorityType.USER, - getSitePermissionGroupName(shortName, SITE_MANAGER, true), + getSiteRoleGroup(shortName, SITE_MANAGER, true), true); if (siteMangers.size() == 1) { 
@@ -739,12 +755,12 @@ public class SiteServiceImpl implements SiteService, SiteModel if (currentRole != null) { // Remove the user from the current permission group - String currentGroup = getSitePermissionGroupName(shortName, currentRole, true); + String currentGroup = getSiteRoleGroup(shortName, currentRole, true); authorityService.removeAuthority(currentGroup, userName); } // Add the user to the new permission group - String newGroup = getSitePermissionGroupName(shortName, role, true); + String newGroup = getSiteRoleGroup(shortName, role, true); authorityService.addAuthority(newGroup, userName); return null; diff --git a/source/java/org/alfresco/repo/site/script/Site.java b/source/java/org/alfresco/repo/site/script/Site.java index c6f2c0af62..4c6e659ccd 100644 --- a/source/java/org/alfresco/repo/site/script/Site.java +++ b/source/java/org/alfresco/repo/site/script/Site.java @@ -33,9 +33,12 @@ import org.alfresco.repo.jscript.ScriptableHashMap; import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork; import org.alfresco.repo.site.SiteInfo; +import org.alfresco.repo.site.SiteModel; import org.alfresco.repo.site.SiteService; import org.alfresco.service.ServiceRegistry; import org.alfresco.service.cmr.repository.NodeRef; +import org.alfresco.service.cmr.security.AccessStatus; +import org.alfresco.service.cmr.security.PermissionService; import org.alfresco.service.namespace.QName; import org.mozilla.javascript.Scriptable; import org.mozilla.javascript.ScriptableObject; @@ -408,4 +411,127 @@ public class Site implements Serializable return hasContainer; } + /** + * Reset any permissions that have been set on the node. + *

+ * All permissions will be deleted and the node set to inherit permissions. + * + * @param nodeRef node reference + */ + public void resetAllPermissions(ScriptNode node) + { + final NodeRef nodeRef = node.getNodeRef(); + + // TODO Check that the node is indeed a child of the site + + // Check that the user has permissions to change permissions on the node + if (AccessStatus.ALLOWED.equals(this.serviceRegistry.getPermissionService().hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true) + { + // Do the work as system as we are messing about with permissions + AuthenticationUtil.runAs( + new AuthenticationUtil.RunAsWork() + { + public Object doWork() throws Exception + { + // Reset all the permissions on the node + serviceRegistry.getPermissionService().setInheritParentPermissions(nodeRef, true); + serviceRegistry.getPermissionService().deletePermissions(nodeRef); + return null; + } + + }, AuthenticationUtil.getSystemUserName()); + + + } + else + { + throw new AlfrescoRuntimeException("You do not have permissions to reset permissions on this node."); + } + } + + /** + * Allows all members of the site collaboration rights on the node. 
+ * + * @param nodeRef node reference + */ + public void allowAllMembersCollaborate(ScriptNode node) + { + final NodeRef nodeRef = node.getNodeRef(); + + // TODO Check that the node is indeed a child of the site + + // Get the permission service + final PermissionService permissionService = this.serviceRegistry.getPermissionService(); + + // Check that the user has permissions to change permissions on the node + if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true) + { + // Do the work as system as we are messing about with permissions + AuthenticationUtil.runAs( + new AuthenticationUtil.RunAsWork() + { + public Object doWork() throws Exception + { + // Get the site groups + String siteGroup = siteService.getSiteGroup(siteInfo.getShortName()); + String managerGroup = siteService.getSiteRoleGroup(siteInfo.getShortName(), SiteModel.SITE_MANAGER); + + // Assign the correct permissions + permissionService.setInheritParentPermissions(nodeRef, false); + permissionService.deletePermissions(nodeRef); + permissionService.setPermission(nodeRef, siteGroup, SiteModel.SITE_COLLABORATOR, true); + permissionService.setPermission(nodeRef, managerGroup, SiteModel.SITE_MANAGER, true); + + return null; + } + }, AuthenticationUtil.getSystemUserName()); + } + else + { + throw new AlfrescoRuntimeException("You do not have permissions to all memebers contribute permissions on this node."); + } + } + + /** + * Deny access to all members of the site to the node. + *

+ * Note, site managers will stil have appropriate permissions on the node. + * + * @param nodeRef node reference + */ + public void denyAllAccess(ScriptNode node) + { + final NodeRef nodeRef = node.getNodeRef(); + + // TODO Check that the node is indeed a child of the site + + // Get the permission service + final PermissionService permissionService = this.serviceRegistry.getPermissionService(); + + // Check that the user has permissions to change permissions on the node + if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true) + { + // Do the work as system as we are messing about with permissions + AuthenticationUtil.runAs( + new AuthenticationUtil.RunAsWork() + { + public Object doWork() throws Exception + { + // Get the site groups + String managerGroup = siteService.getSiteRoleGroup(siteInfo.getShortName(), SiteModel.SITE_MANAGER); + + // Assign the correct permissions + permissionService.setInheritParentPermissions(nodeRef, false); + permissionService.deletePermissions(nodeRef); + permissionService.setPermission(nodeRef, managerGroup, SiteModel.SITE_MANAGER, true); + + return null; + } + }, AuthenticationUtil.getSystemUserName()); + } + else + { + throw new AlfrescoRuntimeException("You do not have permissions to all memebers contribute permissions on this node."); + } + } } diff --git a/source/java/org/alfresco/repo/site/script/test_siteService.js b/source/java/org/alfresco/repo/site/script/test_siteService.js index 7f026fd8be..67064c6279 100644 --- a/source/java/org/alfresco/repo/site/script/test_siteService.js +++ b/source/java/org/alfresco/repo/site/script/test_siteService.js 
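Review bot: All three new methods in `Site.java` (`resetAllPermissions`, `allowAllMembersCollaborate`, `denyAllAccess`) leave `// TODO Check that the node is indeed a child of the site` unresolved and then rewrite the node's ACL as the system user. The only gate is the caller's `CHANGE_PERMISSIONS` on whatever `ScriptNode` the script passes in, so a node outside this site can have its inheritance switched off, its existing entries deleted and this site's groups granted on it. The containment check should run before the `runAs` call and fail with an `AlfrescoRuntimeException`, and `node` should be null-checked before `node.getNodeRef()`. `denyAllAccess` throws the message copied from `allowAllMembersCollaborate`; something like `"You do not have permissions to deny all access on this node."` would match the operation. Each Javadoc says `@param nodeRef` while the parameter is `node`.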
@@ -130,9 +130,75 @@ function testContainer() } } +function testPermissions() +{ + var site = siteService.createSite("sitePreset", "siteShortNameToo", "siteTitle", "siteDescription", false); + test.assertNotNull(site); + var container = site.createContainer("test.permissions"); + test.assertNotNull(container); + + // check the current permissions + var setPerms = container.getPermissions(); + test.assertNotNull(setPerms); + var bManagers = false; + for (index in setPerms) + { + if (setPerms[index] == "ALLOWED;GROUP_site_siteShortNameToo_SiteManager;SiteManager") + { + bManagers = true; + } + } + if (bManagers == false) + { + test.fail("Managers where not assigned to the site group successfully"); + } + + // allow all members collaborate + site.allowAllMembersCollaborate(container); + setPerms = container.getPermissions(); + test.assertNotNull(setPerms); + bManagers = false; + bContributor = false; + for (index in setPerms) + { + if (setPerms[index] == "ALLOWED;GROUP_site_siteShortNameToo_SiteManager;SiteManager") + { + bManagers = true; + } + if (setPerms[index] == "ALLOWED;GROUP_site_siteShortNameToo;SiteCollaborator") + { + bContributor = true; + } + } + if (bManagers == false || bContributor == false) + { + test.fail("Allow all members contribute failed"); + } + + // deny all + site.denyAllAccess(container); + setPerms = container.getPermissions(); + test.assertNotNull(setPerms); + bManagers = false; + for (index in setPerms) + { + if (setPerms[index] == "ALLOWED;GROUP_site_siteShortNameToo_SiteManager;SiteManager") + { + bManagers = true; + } + } + if (bManagers == false) + { + test.fail("Deny all access failed."); + } + + // reset permissions + site.resetAllPermissions(container); +} // Execute test's testCRUD(); testListSites(); testMembership(); -testContainer(); \ No newline at end of file +testContainer(); +testPermissions(); \ No newline at end of file
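Review bot: The deny-all section of `testPermissions()` only checks that the `SiteManager` entry is still present; it never asserts that `ALLOWED;GROUP_site_siteShortNameToo;SiteCollaborator` is gone, so a `denyAllAccess` that leaves member access in place would still pass. I would reset and track `bContributor` in that loop and add `if (bContributor == true) { test.fail("Deny all access left the collaborator grant in place"); }`. `site.resetAllPermissions(container)` is called without any assertion on the resulting permissions. Nothing in this test exercises the rejection path for a user lacking `CHANGE_PERMISSIONS`. `bContributor` and `index` are assigned without `var` and become implicit globals shared with the other test functions.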