From 57f02054c42eac684c26c749c69b91f824cf512e Mon Sep 17 00:00:00 2001
From: Grzegorz Oleksy <106805864+goleksyalfresco@users.noreply.github.com>
Date: Mon, 18 Jul 2022 12:37:22 +0200
Subject: [PATCH] ACS-3170 Implement Tests For Mail Actions (#1213)

Added tests for restApi with all 4 external endpoints kept track of (running-actions from v0 wasn't needed, as that only allows admin to run actions).
Unit tests added, 1 spring test to verify admin privilege check in AccessRestriction class.

Co-authored-by: mstrankowski <marcin.strankowski@hyland.com>
---
 .../actions/access/AccessRestrictionUtil.java | 102 ++++++++++++++
 .../FormProcAdminAccessRestrictionTest.java   |  84 ++++++++++++
 .../RuleAdminAccessRestrictionTest.java       | 102 ++++++++++++++
 .../access/V0AdminAccessRestrictionTest.java  |  76 +++++++++++
 .../access/V1AdminAccessRestrictionTest.java  |  64 +++++++++
 .../rest/actions/access/pojo/Action.java      |  57 ++++++++
 .../actions/access/pojo/ActionCondition.java  |  24 ++++
 .../rest/actions/access/pojo/Rule.java        |  78 +++++++++++
 .../ActionAccessRestrictionAbstractBase.java  |   4 +-
 .../org/alfresco/AppContext01TestSuite.java   |   4 +
 ...tionAccessRestrictionAbstractBaseTest.java | 127 ++++++++++++++++++
 .../access/ActionAccessRestrictionTest.java   |  43 ++++++
 .../AdminActionAccessRestrictionTest.java     |  89 ++++++++++++
 13 files changed, 852 insertions(+), 2 deletions(-)
 create mode 100644 packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/AccessRestrictionUtil.java
 create mode 100644 packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/FormProcAdminAccessRestrictionTest.java
 create mode 100644 packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/RuleAdminAccessRestrictionTest.java
 create mode 100644 packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/V0AdminAccessRestrictionTest.java
 create mode 100644 packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/V1AdminAccessRestrictionTest.java
 create mode 100644 packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/pojo/Action.java
 create mode 100644 packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/pojo/ActionCondition.java
 create mode 100644 packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/pojo/Rule.java
 create mode 100644 repository/src/test/java/org/alfresco/repo/action/access/ActionAccessRestrictionAbstractBaseTest.java
 create mode 100644 repository/src/test/java/org/alfresco/repo/action/access/ActionAccessRestrictionTest.java
 create mode 100644 repository/src/test/java/org/alfresco/repo/action/access/AdminActionAccessRestrictionTest.java

diff --git a/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/AccessRestrictionUtil.java b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/AccessRestrictionUtil.java
new file mode 100644
index 0000000000..42e81e875f
--- /dev/null
+++ b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/AccessRestrictionUtil.java
@@ -0,0 +1,102 @@
+package org.alfresco.rest.actions.access;
+
+import com.google.gson.Gson;
+import org.alfresco.rest.actions.access.pojo.Action;
+import org.alfresco.rest.actions.access.pojo.ActionCondition;
+import org.alfresco.rest.actions.access.pojo.Rule;
+import org.alfresco.utility.model.UserModel;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class AccessRestrictionUtil {
+
+    public static final String MAIL_ACTION = "mail";
+
+    public static final String ERROR_MESSAGE_FIELD = "message";
+    public static final String ERROR_MESSAGE_ACCESS_RESTRICTED =
+            "Only admin or system user is allowed to define uses of or directly execute this action";
+    private static final String ERROR_MESSAGE_FAILED_TO_SEND_EMAIL = "Failed to send email to:";
+
+    public static Map<String, String> createMailParameters(UserModel sender, UserModel recipient) {
+        Map<String, String> parameterValues = new HashMap<>();
+        parameterValues.put("from", sender.getEmailAddress());
+        parameterValues.put("to", recipient.getEmailAddress());
+        parameterValues.put("subject", "Test");
+        parameterValues.put("text", "<html>content</html>");
+
+        return parameterValues;
+    }
+
+    public static Rule createRuleWithAction(String actionName, Map<String, String> parameterValues) {
+        Rule rule = new Rule();
+        rule.setId("");
+        rule.setTitle("Test rule title");
+        rule.setDescription("Test rule description");
+        rule.setRuleType(List.of("inbound"));
+        rule.setDisabled(false);
+        rule.setApplyToChildren(false);
+        rule.setExecuteAsynchronously(false);
+
+        Action compositeAction = new Action();
+        compositeAction.setActionDefinitionName("composite-action");
+
+        ActionCondition actionCondition = new ActionCondition();
+        actionCondition.setConditionDefinitionName("no-condition");
+        actionCondition.setParameterValues(new HashMap<>());
+
+        compositeAction.setConditions(List.of(actionCondition));
+
+        Action action = createAction(actionName, parameterValues);
+
+        compositeAction.setActions(List.of(action));
+
+        rule.setAction(compositeAction);
+
+        return rule;
+    }
+
+    public static Action createActionWithParameters(String actionName, Map<String, String> parameterValues) {
+        Action compositeAction = new Action();
+        compositeAction.setActionDefinitionName("composite-action");
+
+        ActionCondition actionCondition = new ActionCondition();
+        actionCondition.setConditionDefinitionName("no-condition");
+        actionCondition.setParameterValues(new HashMap<>());
+
+        compositeAction.setConditions(List.of(actionCondition));
+
+        Action action = createAction(actionName, parameterValues);
+        action.setExecuteAsynchronously(false);
+
+        compositeAction.setActions(List.of(action));
+
+        return action;
+    }
+
+
+    public static Action createAction(String actionName, Map<String, String> parameterValues) {
+        Action action = new Action();
+        action.setActionDefinitionName(actionName);
+        action.setParameterValues(parameterValues);
+
+        return action;
+    }
+
+    public static String mapObjectToJSON(Object object) {
+        Gson gson = new Gson();
+        return gson.toJson(object);
+    }
+
+    /**
+     * Return error message that in fact means that the action has passed access restriction correctly,
+     * but due to non-configured smtp couldn't send email.
+     *
+     * @param userModel
+     * @return
+     */
+    public static String getExpectedEmailSendFailureMessage(UserModel userModel) {
+        return ERROR_MESSAGE_FAILED_TO_SEND_EMAIL + userModel.getEmailAddress();
+    }
+}
diff --git a/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/FormProcAdminAccessRestrictionTest.java b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/FormProcAdminAccessRestrictionTest.java
new file mode 100644
index 0000000000..efab76da58
--- /dev/null
+++ b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/FormProcAdminAccessRestrictionTest.java
@@ -0,0 +1,84 @@
+package org.alfresco.rest.actions.access;
+
+import org.alfresco.rest.RestTest;
+import org.alfresco.rest.core.RestRequest;
+import org.alfresco.rest.core.RestResponse;
+import org.alfresco.rest.core.RestWrapper;
+import org.alfresco.utility.model.UserModel;
+import org.json.simple.JSONObject;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import java.util.Map;
+
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.ERROR_MESSAGE_ACCESS_RESTRICTED;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.ERROR_MESSAGE_FIELD;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.MAIL_ACTION;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.createMailParameters;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.getExpectedEmailSendFailureMessage;
+import static org.hamcrest.Matchers.containsString;
+
+public class FormProcAdminAccessRestrictionTest extends RestTest {
+
+    private static final String ACTION_FORM_PROCESSOR_ENDPOINT = "alfresco/service/api/action/%s/formprocessor";
+
+    private static final String PROPERTY_PREFIX = "prop_";
+
+    private UserModel adminUser;
+    private UserModel testUser;
+
+    @Autowired
+    protected RestWrapper restClient;
+
+    @BeforeClass(alwaysRun = true)
+    public void dataPreparation() throws Exception {
+        adminUser = dataUser.getAdminUser();
+        testUser = dataUser.createRandomTestUser();
+    }
+
+    @BeforeMethod(alwaysRun=true)
+    public void setup() {
+        restClient.configureRequestSpec()
+                .setBasePath("")
+                .addHeader("Content-Type", "application/json");
+    }
+
+    @Test
+    public void userShouldNotCreateAMailForm() {
+        restClient.authenticateUser(testUser);
+
+        String body = generateBody(createMailParameters(adminUser, testUser));
+        String endpoint = String.format(ACTION_FORM_PROCESSOR_ENDPOINT, MAIL_ACTION);
+
+        RestRequest request = RestRequest.requestWithBody(HttpMethod.POST, body, endpoint);
+        RestResponse response = restClient.process(request);
+
+        response.assertThat().statusCode(HttpStatus.INTERNAL_SERVER_ERROR.value())
+                .assertThat().body(ERROR_MESSAGE_FIELD, containsString(ERROR_MESSAGE_ACCESS_RESTRICTED));
+    }
+
+    @Test
+    public void adminShouldCreateAMailForm() {
+        restClient.authenticateUser(adminUser);
+
+        String body = generateBody(createMailParameters(adminUser, testUser));
+        String endpoint = String.format(ACTION_FORM_PROCESSOR_ENDPOINT, MAIL_ACTION);
+
+        RestRequest request = RestRequest.requestWithBody(HttpMethod.POST, body, endpoint);
+        RestResponse response = restClient.process(request);
+
+        response.assertThat().statusCode(HttpStatus.INTERNAL_SERVER_ERROR.value())
+                .assertThat().body(ERROR_MESSAGE_FIELD, containsString(getExpectedEmailSendFailureMessage(testUser)));
+    }
+
+    private String generateBody(Map<String, String> mailParameters) {
+        JSONObject json = new JSONObject();
+        mailParameters.forEach((key, value) -> json.put(PROPERTY_PREFIX + key, value));
+
+        return json.toJSONString();
+    }
+}
diff --git a/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/RuleAdminAccessRestrictionTest.java b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/RuleAdminAccessRestrictionTest.java
new file mode 100644
index 0000000000..8ec6ffbda4
--- /dev/null
+++ b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/RuleAdminAccessRestrictionTest.java
@@ -0,0 +1,102 @@
+package org.alfresco.rest.actions.access;
+
+import org.alfresco.rest.RestTest;
+import org.alfresco.rest.actions.access.pojo.Rule;
+import org.alfresco.rest.core.RestRequest;
+import org.alfresco.rest.core.RestResponse;
+import org.alfresco.rest.core.RestWrapper;
+import org.alfresco.utility.model.FileModel;
+import org.alfresco.utility.model.FileType;
+import org.alfresco.utility.model.FolderModel;
+import org.alfresco.utility.model.UserModel;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.ERROR_MESSAGE_ACCESS_RESTRICTED;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.ERROR_MESSAGE_FIELD;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.MAIL_ACTION;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.createMailParameters;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.createRuleWithAction;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.mapObjectToJSON;
+import static org.hamcrest.Matchers.containsString;
+
+public class RuleAdminAccessRestrictionTest extends RestTest {
+
+    private static final String CREATE_RULE_ENDPOINT = "alfresco/service/api/node/workspace/SpacesStore/%s/ruleset/rules";
+
+    private UserModel adminUser;
+    private UserModel testUser;
+    private FolderModel testFolder;
+
+    @Autowired
+    protected RestWrapper restClient;
+
+    @BeforeClass(alwaysRun = true)
+    public void dataPreparation() throws Exception {
+        adminUser = dataUser.getAdminUser();
+
+        testUser = dataUser.createRandomTestUser();
+        testSite = dataSite.usingUser(testUser)
+                .createPublicRandomSite();
+        testFolder = dataContent.usingUser(testUser)
+                .usingSite(testSite)
+                .createFolder();
+    }
+
+    @BeforeMethod(alwaysRun=true)
+    public void setup() {
+        restClient.configureRequestSpec().setBasePath("");
+    }
+
+    @Test
+    public void userShouldNotBeAbleToCreateANewRule() {
+        restClient.authenticateUser(testUser);
+
+        Rule rule = createRuleWithAction(MAIL_ACTION, createMailParameters(adminUser, testUser));
+        String ruleRequestBody = mapObjectToJSON(rule);
+        String ruleEndpoint = String.format(CREATE_RULE_ENDPOINT, testFolder.getNodeRef());
+
+        RestRequest request = RestRequest.requestWithBody(HttpMethod.POST, ruleRequestBody, ruleEndpoint);
+        RestResponse response = restClient.process(request);
+
+        response.assertThat().statusCode(HttpStatus.INTERNAL_SERVER_ERROR.value())
+                .assertThat().body(ERROR_MESSAGE_FIELD, containsString(ERROR_MESSAGE_ACCESS_RESTRICTED));
+    }
+
+    @Test
+    public void adminShouldBeAbleToCreateANewRule() {
+        restClient.authenticateUser(adminUser);
+
+        Rule rule = createRuleWithAction(MAIL_ACTION, createMailParameters(adminUser, testUser));
+        String ruleRequestBody = mapObjectToJSON(rule);
+        String ruleEndpoint = String.format(CREATE_RULE_ENDPOINT, testFolder.getNodeRef());
+
+        RestRequest request = RestRequest.requestWithBody(HttpMethod.POST, ruleRequestBody, ruleEndpoint);
+        RestResponse response = restClient.process(request);
+
+        response.assertThat().statusCode(HttpStatus.OK.value());
+    }
+
+    @Test
+    public void userShouldAddAFileToFolderWithMailRule() {
+        restClient.authenticateUser(adminUser);
+
+        Rule rule = createRuleWithAction(MAIL_ACTION, createMailParameters(adminUser, testUser));
+        String ruleRequestBody = mapObjectToJSON(rule);
+        String ruleEndpoint = String.format(CREATE_RULE_ENDPOINT, testFolder.getNodeRef());
+
+        RestRequest request = RestRequest.requestWithBody(HttpMethod.POST, ruleRequestBody, ruleEndpoint);
+        RestResponse response = restClient.process(request);
+
+        response.assertThat().statusCode(HttpStatus.OK.value());
+
+        dataContent.usingUser(testUser)
+                .usingSite(testSite)
+                .usingResource(testFolder)
+                .createContent(FileModel.getRandomFileModel(FileType.TEXT_PLAIN));
+    }
+}
diff --git a/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/V0AdminAccessRestrictionTest.java b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/V0AdminAccessRestrictionTest.java
new file mode 100644
index 0000000000..ffabba2a36
--- /dev/null
+++ b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/V0AdminAccessRestrictionTest.java
@@ -0,0 +1,76 @@
+package org.alfresco.rest.actions.access;
+
+import org.alfresco.rest.actions.access.pojo.Action;
+import org.alfresco.rest.RestTest;
+import org.alfresco.rest.core.RestRequest;
+import org.alfresco.rest.core.RestResponse;
+import org.alfresco.rest.core.RestWrapper;
+import org.alfresco.utility.model.UserModel;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.ERROR_MESSAGE_ACCESS_RESTRICTED;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.ERROR_MESSAGE_FIELD;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.MAIL_ACTION;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.createActionWithParameters;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.createMailParameters;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.getExpectedEmailSendFailureMessage;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.mapObjectToJSON;
+import static org.hamcrest.Matchers.containsString;
+
+public class V0AdminAccessRestrictionTest extends RestTest {
+
+    private static final String ACTION_QUEUE_ENDPOINT = "alfresco/service/api/actionQueue?async=false";
+
+    private UserModel adminUser;
+    private UserModel testUser;
+
+    @Autowired
+    protected RestWrapper restClient;
+
+    @BeforeClass(alwaysRun = true)
+    public void dataPreparation() throws Exception {
+        adminUser = dataUser.getAdminUser();
+
+        testUser = dataUser.createRandomTestUser();
+        testSite = dataSite.usingUser(testUser)
+                .createPublicRandomSite();
+    }
+
+    @BeforeMethod(alwaysRun=true)
+    public void setup() {
+        restClient.configureRequestSpec().setBasePath("");
+    }
+
+    @Test
+    public void userShouldNotExecuteMailActionQueue() {
+        restClient.authenticateUser(testUser);
+
+        Action action = createActionWithParameters(MAIL_ACTION, createMailParameters(adminUser, testUser));
+        String actionRequestBody = mapObjectToJSON(action);
+
+        RestRequest request = RestRequest.requestWithBody(HttpMethod.POST, actionRequestBody, ACTION_QUEUE_ENDPOINT);
+        RestResponse response = restClient.process(request);
+
+        response.assertThat().statusCode(HttpStatus.INTERNAL_SERVER_ERROR.value())
+                .assertThat().body(ERROR_MESSAGE_FIELD, containsString(ERROR_MESSAGE_ACCESS_RESTRICTED));
+    }
+
+    @Test
+    public void adminShouldExecuteMailActionQueue() {
+        restClient.authenticateUser(adminUser);
+
+        Action action = createActionWithParameters(MAIL_ACTION, createMailParameters(adminUser, testUser));
+        String actionRequestBody = mapObjectToJSON(action);
+
+        RestRequest request = RestRequest.requestWithBody(HttpMethod.POST, actionRequestBody, ACTION_QUEUE_ENDPOINT);
+        RestResponse response = restClient.process(request);
+
+        response.assertThat().statusCode(HttpStatus.INTERNAL_SERVER_ERROR.value())
+                .assertThat().body(ERROR_MESSAGE_FIELD, containsString(getExpectedEmailSendFailureMessage(testUser)));
+    }
+}
diff --git a/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/V1AdminAccessRestrictionTest.java b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/V1AdminAccessRestrictionTest.java
new file mode 100644
index 0000000000..3d866ee662
--- /dev/null
+++ b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/V1AdminAccessRestrictionTest.java
@@ -0,0 +1,64 @@
+package org.alfresco.rest.actions.access;
+
+import org.alfresco.rest.RestTest;
+import org.alfresco.utility.model.FolderModel;
+import org.alfresco.utility.model.UserModel;
+import org.springframework.http.HttpStatus;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+
+import org.alfresco.rest.core.RestWrapper;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.ERROR_MESSAGE_ACCESS_RESTRICTED;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.MAIL_ACTION;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.createMailParameters;
+import static org.hamcrest.Matchers.notNullValue;
+import static org.hamcrest.Matchers.nullValue;
+
+public class V1AdminAccessRestrictionTest extends RestTest {
+
+    private UserModel adminUser;
+    private UserModel testUser;
+    private FolderModel testFolder;
+
+    @Autowired
+    protected RestWrapper restClient;
+
+    @BeforeClass(alwaysRun = true)
+    public void dataPreparation() throws Exception {
+        adminUser = dataUser.getAdminUser();
+
+        testUser = dataUser.createRandomTestUser();
+        testSite = dataSite.usingUser(testUser)
+                           .createPublicRandomSite();
+        testFolder = dataContent.usingUser(testUser)
+                                .usingSite(testSite)
+                                .createFolder();
+    }
+
+    @Test
+    public void userShouldNotExecuteMailAction() throws Exception {
+        restClient.authenticateUser(testUser)
+                          .withCoreAPI()
+                          .usingActions()
+                          .executeAction(MAIL_ACTION, testFolder, createMailParameters(adminUser, testUser));
+
+        restClient.onResponse()
+                .assertThat().statusCode(HttpStatus.INTERNAL_SERVER_ERROR.value())
+                .assertThat().body("entry.id", nullValue());
+        restClient.assertLastError().containsSummary(ERROR_MESSAGE_ACCESS_RESTRICTED);
+    }
+
+    @Test
+    public void adminShouldExecuteMailAction() throws Exception {
+        restClient.authenticateUser(adminUser)
+                          .withCoreAPI()
+                          .usingActions()
+                          .executeAction(MAIL_ACTION, testFolder, createMailParameters(adminUser, testUser));
+
+        restClient.onResponse()
+                .assertThat().statusCode(HttpStatus.ACCEPTED.value())
+                .assertThat().body("entry.id", notNullValue());
+    }
+}
diff --git a/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/pojo/Action.java b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/pojo/Action.java
new file mode 100644
index 0000000000..d1f746d25d
--- /dev/null
+++ b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/pojo/Action.java
@@ -0,0 +1,57 @@
+package org.alfresco.rest.actions.access.pojo;
+
+import java.util.List;
+import java.util.Map;
+
+public class Action {
+    private String actionDefinitionName;
+    private String actionedUponNode;
+    private List<ActionCondition> conditions;
+    private List<Action> actions;
+    private Map<String, String> parameterValues;
+
+    private boolean executeAsynchronously;
+
+    public void setExecuteAsynchronously(boolean executeAsynchronously) {
+        this.executeAsynchronously = executeAsynchronously;
+    }
+    public String getActionDefinitionName() {
+        return actionDefinitionName;
+    }
+
+    public void setActionDefinitionName(String actionDefinitionName) {
+        this.actionDefinitionName = actionDefinitionName;
+    }
+
+    public String getActionedUponNode() {
+        return actionedUponNode;
+    }
+
+    public void setActionedUponNode(String actionedUponNode) {
+        this.actionedUponNode = actionedUponNode;
+    }
+
+    public List<ActionCondition> getConditions() {
+        return conditions;
+    }
+
+    public void setConditions(List<ActionCondition> conditions) {
+        this.conditions = conditions;
+    }
+
+    public List<Action> getActions() {
+        return actions;
+    }
+
+    public void setActions(List<Action> actions) {
+        this.actions = actions;
+    }
+
+    public Map<String, String> getParameterValues() {
+        return parameterValues;
+    }
+
+    public void setParameterValues(Map<String, String> parameterValues) {
+        this.parameterValues = parameterValues;
+    }
+}
diff --git a/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/pojo/ActionCondition.java b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/pojo/ActionCondition.java
new file mode 100644
index 0000000000..9514169965
--- /dev/null
+++ b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/pojo/ActionCondition.java
@@ -0,0 +1,24 @@
+package org.alfresco.rest.actions.access.pojo;
+
+import java.util.Map;
+
+public class ActionCondition {
+    private String conditionDefinitionName;
+    private Map<String, String> parameterValues;
+
+    public String getConditionDefinitionName() {
+        return conditionDefinitionName;
+    }
+
+    public void setConditionDefinitionName(String conditionDefinitionName) {
+        this.conditionDefinitionName = conditionDefinitionName;
+    }
+
+    public Map<String, String> getParameterValues() {
+        return parameterValues;
+    }
+
+    public void setParameterValues(Map<String, String> parameterValues) {
+        this.parameterValues = parameterValues;
+    }
+}
diff --git a/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/pojo/Rule.java b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/pojo/Rule.java
new file mode 100644
index 0000000000..2b47748cc5
--- /dev/null
+++ b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/actions/access/pojo/Rule.java
@@ -0,0 +1,78 @@
+package org.alfresco.rest.actions.access.pojo;
+
+import java.util.List;
+
+public class Rule {
+    private String id;
+    private String title;
+    private String description;
+    private List<String> ruleType;
+    private boolean executeAsynchronously;
+    private boolean disabled;
+    private boolean applyToChildren;
+    private Action action;
+
+    public String getId() {
+        return id;
+    }
+
+    public void setId(String id) {
+        this.id = id;
+    }
+
+    public String getTitle() {
+        return title;
+    }
+
+    public void setTitle(String title) {
+        this.title = title;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public void setDescription(String description) {
+        this.description = description;
+    }
+
+    public List<String> getRuleType() {
+        return ruleType;
+    }
+
+    public void setRuleType(List<String> ruleType) {
+        this.ruleType = ruleType;
+    }
+
+    public boolean isExecuteAsynchronously() {
+        return executeAsynchronously;
+    }
+
+    public void setExecuteAsynchronously(boolean executeAsynchronously) {
+        this.executeAsynchronously = executeAsynchronously;
+    }
+
+    public boolean isDisabled() {
+        return disabled;
+    }
+
+    public void setDisabled(boolean disabled) {
+        this.disabled = disabled;
+    }
+
+    public boolean isApplyToChildren() {
+        return applyToChildren;
+    }
+
+    public void setApplyToChildren(boolean applyToChildren) {
+        this.applyToChildren = applyToChildren;
+    }
+
+    public Action getAction() {
+        return action;
+    }
+
+    public void setAction(Action action) {
+        this.action = action;
+    }
+}
diff --git a/repository/src/main/java/org/alfresco/repo/action/access/ActionAccessRestrictionAbstractBase.java b/repository/src/main/java/org/alfresco/repo/action/access/ActionAccessRestrictionAbstractBase.java
index 0139d7515b..af847ec7f4 100644
--- a/repository/src/main/java/org/alfresco/repo/action/access/ActionAccessRestrictionAbstractBase.java
+++ b/repository/src/main/java/org/alfresco/repo/action/access/ActionAccessRestrictionAbstractBase.java
@@ -101,8 +101,8 @@ public abstract class ActionAccessRestrictionAbstractBase implements ActionAcces
         if (context != null)
         {
             return Stream.of(
-                    getConfigKey(context, actionName),
-                    getConfigKey(context));
+                    getConfigKey(actionName, context),
+                    getConfigKey(actionName));
         }
         return Stream.of(getConfigKey(actionName));
     }
diff --git a/repository/src/test/java/org/alfresco/AppContext01TestSuite.java b/repository/src/test/java/org/alfresco/AppContext01TestSuite.java
index 1533550859..277bb60627 100644
--- a/repository/src/test/java/org/alfresco/AppContext01TestSuite.java
+++ b/repository/src/test/java/org/alfresco/AppContext01TestSuite.java
@@ -51,6 +51,10 @@ import org.junit.runners.Suite;
     org.alfresco.repo.action.executer.ContentMetadataEmbedderTest.class,
     org.alfresco.repo.action.executer.AsynchronousExtractorTest.class,
 
+    org.alfresco.repo.action.access.ActionAccessRestrictionAbstractBaseTest.class,
+    org.alfresco.repo.action.access.ActionAccessRestrictionTest.class,
+    org.alfresco.repo.action.access.AdminActionAccessRestrictionTest.class,
+
     org.alfresco.repo.rule.RuleLinkTest.class,
     org.alfresco.repo.rule.RuleServiceCoverageTest.class,
     org.alfresco.repo.rule.RuleServiceImplTest.class,
diff --git a/repository/src/test/java/org/alfresco/repo/action/access/ActionAccessRestrictionAbstractBaseTest.java b/repository/src/test/java/org/alfresco/repo/action/access/ActionAccessRestrictionAbstractBaseTest.java
new file mode 100644
index 0000000000..305de60868
--- /dev/null
+++ b/repository/src/test/java/org/alfresco/repo/action/access/ActionAccessRestrictionAbstractBaseTest.java
@@ -0,0 +1,127 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2022 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.action.access;
+
+import org.alfresco.repo.action.ActionImpl;
+import org.alfresco.service.cmr.action.Action;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.lang.NonNull;
+
+import java.util.Properties;
+
+import static org.junit.Assert.assertThrows;
+
+public class ActionAccessRestrictionAbstractBaseTest {
+
+    private static final String GLOBAL_PROPERTIES_ACTION_EXPOSE_PREFIX = "org.alfresco.repo.action";
+    private static final String GLOBAL_PROPERTIES_ACTION_EXPOSE_SUFFIX = ".exposed";
+    private static final String CONTROLLED_CONTEXT = ActionAccessRestriction.V1_ACTION_CONTEXT;
+    private static final String NONCONTROLLED_CONTEXT = "random321";
+
+    private static final String MAIL_ACTION = "mail";
+
+
+    private ActionAccessRestrictionAbstractBase accessRestriction;
+    private Properties globalProperties;
+
+    @Before
+    public void setup() {
+        globalProperties = new Properties();
+
+        accessRestriction = new ActionAccessRestrictionAbstractBase() {
+            @Override
+            protected void innerVerifyAccessRestriction(Action action) {
+                throw new ActionAccessException("Executing verification");
+            }
+        };
+        accessRestriction.setConfigProperties(globalProperties);
+    }
+
+    @Test
+    public void skipVerificationForNullContext() {
+        Action action = getActionWithContext(MAIL_ACTION, null);
+        accessRestriction.verifyAccessRestriction(action);
+    }
+
+    @Test
+    public void skipVerificationForNonControlledContext() {
+        Action action = getActionWithContext(MAIL_ACTION, NONCONTROLLED_CONTEXT);
+        accessRestriction.verifyAccessRestriction(action);
+    }
+
+    @Test
+    public void callVerificationForControlledContext() {
+        Action action = getActionWithContext(MAIL_ACTION, CONTROLLED_CONTEXT);
+        assertThrows(ActionAccessException.class, () -> accessRestriction.verifyAccessRestriction(action));
+    }
+
+    @Test
+    public void skipVerificationForExposedActionConfig() {
+        setGlobalPropertiesActionExposed(MAIL_ACTION, null, true);
+        Action action = getActionWithContext(MAIL_ACTION, CONTROLLED_CONTEXT);
+        accessRestriction.verifyAccessRestriction(action);
+    }
+
+    @Test
+    public void skipVerificationForExposedActionContextConfig() {
+        setGlobalPropertiesActionExposed(MAIL_ACTION, CONTROLLED_CONTEXT, true);
+        Action action = getActionWithContext(MAIL_ACTION, CONTROLLED_CONTEXT);
+        accessRestriction.verifyAccessRestriction(action);
+    }
+
+    @Test
+    public void callVerificationForNonExposedActionConfig() {
+        setGlobalPropertiesActionExposed(MAIL_ACTION, null, false);
+        Action action = getActionWithContext(MAIL_ACTION, CONTROLLED_CONTEXT);
+        assertThrows(ActionAccessException.class, () -> accessRestriction.verifyAccessRestriction(action));
+    }
+
+    @Test
+    public void callVerificationForNonExposedActionContextConfig() {
+        setGlobalPropertiesActionExposed(MAIL_ACTION, CONTROLLED_CONTEXT, false);
+        Action action = getActionWithContext(MAIL_ACTION, CONTROLLED_CONTEXT);
+        assertThrows(ActionAccessException.class, () -> accessRestriction.verifyAccessRestriction(action));
+    }
+
+    private Action getActionWithContext(String actionName, String context) {
+        Action action = new ActionImpl(null, "12345", actionName);
+        ActionAccessRestriction.setActionContext(action, context);
+
+        return action;
+    }
+
+    private void setGlobalPropertiesActionExposed(@NonNull String action, String context, boolean isExposed) {
+        StringBuilder property = new StringBuilder(GLOBAL_PROPERTIES_ACTION_EXPOSE_PREFIX);
+        property.append("." + action);
+        if (context != null) {
+            property.append("." + context);
+        }
+        property.append(GLOBAL_PROPERTIES_ACTION_EXPOSE_SUFFIX);
+
+        globalProperties.setProperty(property.toString(), Boolean.toString(isExposed));
+    }
+}
diff --git a/repository/src/test/java/org/alfresco/repo/action/access/ActionAccessRestrictionTest.java b/repository/src/test/java/org/alfresco/repo/action/access/ActionAccessRestrictionTest.java
new file mode 100644
index 0000000000..775c7c3add
--- /dev/null
+++ b/repository/src/test/java/org/alfresco/repo/action/access/ActionAccessRestrictionTest.java
@@ -0,0 +1,43 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2022 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.action.access;
+
+import org.alfresco.repo.action.ActionImpl;
+import org.alfresco.service.cmr.action.Action;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+
+public class ActionAccessRestrictionTest {
+
+    @Test
+    public void testSettingContext() {
+        Action mailAction = new ActionImpl(null, "12345", "mail");
+
+        ActionAccessRestriction.setActionContext(mailAction, ActionAccessRestriction.RULE_ACTION_CONTEXT);
+        assertEquals(ActionAccessRestriction.RULE_ACTION_CONTEXT, ActionAccessRestriction.getActionContext(mailAction));
+    }
+}
diff --git a/repository/src/test/java/org/alfresco/repo/action/access/AdminActionAccessRestrictionTest.java b/repository/src/test/java/org/alfresco/repo/action/access/AdminActionAccessRestrictionTest.java
new file mode 100644
index 0000000000..f574cb219c
--- /dev/null
+++ b/repository/src/test/java/org/alfresco/repo/action/access/AdminActionAccessRestrictionTest.java
@@ -0,0 +1,89 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2022 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.action.access;
+
+import org.alfresco.repo.action.ActionImpl;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.service.cmr.action.Action;
+import org.alfresco.util.BaseSpringTest;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.junit.Assert.assertThrows;
+
+public class AdminActionAccessRestrictionTest extends BaseSpringTest {
+
+    private static final String MAIL_ACTION = "mail";
+    private static final String CONTROLLED_CONTEXT = ActionAccessRestriction.V1_ACTION_CONTEXT;
+
+    private ActionAccessRestriction adminActionAccessRestriction;
+
+    @Before
+    public void setup() {
+        adminActionAccessRestriction = applicationContext.getBean("adminActionAccessRestriction", AdminActionAccessRestriction.class);
+    }
+
+    @Test
+    public void adminCanExecute() {
+        AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getAdminUserName());
+
+        Action action = createMailAction();
+        adminActionAccessRestriction.verifyAccessRestriction(action);
+    }
+
+    @Test
+    public void systemCanExecute() {
+        AuthenticationUtil.setRunAsUserSystem();
+
+        Action action = createMailAction();
+        adminActionAccessRestriction.verifyAccessRestriction(action);
+    }
+
+    @Test
+    public void userCantExecute() {
+        AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getGuestUserName());
+
+        Action action = createMailAction();
+        assertThrows(ActionAccessException.class, () -> adminActionAccessRestriction.verifyAccessRestriction(action));
+    }
+
+    private Action createMailAction() {
+        Map<String, Serializable> params = new HashMap<>();
+        params.put("from", "admin@alfresco.com");
+        params.put("to", "test@wp.pl");
+        params.put("subject", "test");
+        params.put("text", "test");
+
+        Action action = new ActionImpl(null, "123", MAIL_ACTION, params);
+        ActionAccessRestriction.setActionContext(action, CONTROLLED_CONTEXT);
+
+        return action;
+    }
+}