RM-563 (Add group id and title to Capability API and definitions)

* Changed the Role class so that the i18n properties don't have to be maintained on both sides (server and share)

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@44244 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Tuna Aksoy
2012-12-03 11:41:28 +00:00
parent aaab4b2c9e
commit 583b4412a8
5 changed files with 359 additions and 361 deletions


@@ -25,14 +25,13 @@ import java.util.Map;
import java.util.Set;
import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService;
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService;
import org.alfresco.module.org_alfresco_module_rm.security.Role;
import org.alfresco.repo.node.NodeServicePolicies;
import org.alfresco.repo.policy.Behaviour.NotificationFrequency;
import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.policy.Behaviour.NotificationFrequency;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
@@ -45,7 +44,7 @@ import org.alfresco.util.EqualsHelper;
* Model security service implementation.
* <p>
* This service records the protected properties and aspects, ensuring that only those with the appropriate capabilities can edit them.
*
*
* @author Roy Wetherall
* @since 2.1
*/
@@ -57,39 +56,39 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
/** Indicates whether model security is enabled or not */
private boolean enabled = true;
/** Policy component */
private PolicyComponent policyComponent;
/** Node service */
private NodeService nodeService;
/** Namespace service */
private NamespaceService namespaceService;
/** Security service */
private RecordsManagementSecurityService securityService;
/** Records management service */
private RecordsManagementService recordsManagementService;
/** Map of protected properties keyed by name */
private Map<QName, ProtectedProperty> protectedProperties = new HashMap<QName, ProtectedProperty>(21);
/** Map of protected aspects keyed by name */
private Map<QName, ProtectedAspect> protectedAspects= new HashMap<QName, ProtectedAspect>(21);
/** Behaviour instances */
private JavaBehaviour beforeAddAspectBehaviour = new JavaBehaviour(this,
"beforeAddAspect",
private JavaBehaviour beforeAddAspectBehaviour = new JavaBehaviour(this,
"beforeAddAspect",
NotificationFrequency.EVERY_EVENT);
private JavaBehaviour beforeRemoveAspectBehaviour = new JavaBehaviour(this,
"beforeRemoveAspect",
private JavaBehaviour beforeRemoveAspectBehaviour = new JavaBehaviour(this,
"beforeRemoveAspect",
NotificationFrequency.EVERY_EVENT);
private JavaBehaviour onUpdatePropertiesBehaviour = new JavaBehaviour(this,
"onUpdateProperties",
private JavaBehaviour onUpdatePropertiesBehaviour = new JavaBehaviour(this,
"onUpdateProperties",
NotificationFrequency.EVERY_EVENT);
/**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#setEnabled(boolean)
*/
@@ -97,7 +96,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
this.enabled = enabled;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#isEnabled()
*/
@@ -105,7 +104,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
return enabled;
}
/**
* @param policyComponent policy component
*/
@@ -113,7 +112,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
this.policyComponent = policyComponent;
}
/**
* @param nodeService node service
*/
@@ -121,7 +120,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
this.nodeService = nodeService;
}
/**
* @param namespaceService namespace service
*/
@@ -129,7 +128,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
this.namespaceService = namespaceService;
}
/**
* @param securityService records management security service
*/
@@ -137,7 +136,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
this.securityService = securityService;
}
/**
* @param recordsManagementService records management service
*/
@@ -145,7 +144,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
this.recordsManagementService = recordsManagementService;
}
/**
* Init method
*/
@@ -153,19 +152,19 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
// bind model security behaviours to all records management artifacts components
policyComponent.bindClassBehaviour(
NodeServicePolicies.BeforeAddAspectPolicy.QNAME,
this,
NodeServicePolicies.BeforeAddAspectPolicy.QNAME,
this,
beforeAddAspectBehaviour);
policyComponent.bindClassBehaviour(
NodeServicePolicies.BeforeRemoveAspectPolicy.QNAME,
this,
NodeServicePolicies.BeforeRemoveAspectPolicy.QNAME,
this,
beforeRemoveAspectBehaviour);
policyComponent.bindClassBehaviour(
NodeServicePolicies.OnUpdatePropertiesPolicy.QNAME,
this,
NodeServicePolicies.OnUpdatePropertiesPolicy.QNAME,
this,
onUpdatePropertiesBehaviour);
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#register(org.alfresco.module.org_alfresco_module_rm.model.security.ProtectedModelArtifact)
*/
@@ -173,7 +172,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
public void register(ProtectedModelArtifact artifact)
{
// TODO validate that the artifact has a valid property and has a capability set ...
if (artifact instanceof ProtectedProperty)
{
protectedProperties.put(artifact.getQName(), (ProtectedProperty)artifact);
@@ -183,7 +182,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
protectedAspects.put(artifact.getQName(), (ProtectedAspect)artifact);
}
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#isProtectedProperty(org.alfresco.service.namespace.QName)
*/
@@ -210,7 +209,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
return protectedProperties.get(name);
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#canEditProtectedProperty(org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.namespace.QName)
*/
@@ -218,7 +217,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
public boolean canEditProtectedProperty(NodeRef nodeRef, QName property)
{
boolean result = false;
ProtectedModelArtifact artifact = getProtectedProperty(property);
if (artifact == null)
{
@@ -228,14 +227,14 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
result = canEdit(nodeRef, artifact);
}
return result;
}
/**
* Indicates whether the current user can edit protected model artifact in the context
* of a given node or not.
*
*
* @param nodeRef node reference
* @param artifact protected model artifact
* @return boolean true if the current user can edit the protected model artifact, false otherwise
@@ -243,24 +242,24 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
private boolean canEdit(NodeRef nodeRef, ProtectedModelArtifact artifact)
{
boolean result = false;
NodeRef filePlan = recordsManagementService.getFilePlan(nodeRef);
if (filePlan != null)
{
Set<Role> roles = securityService.getRolesByUser(filePlan, AuthenticationUtil.getFullyAuthenticatedUser());
for (Role role : roles)
{
if (Collections.disjoint(role.getCapabilities(), artifact.getCapilityNames()) == false)
if (Collections.disjoint(role.getCapabilities().keySet(), artifact.getCapilityNames()) == false)
{
result = true;
break;
}
}
}
return result;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#isProtectedAspect(org.alfresco.service.namespace.QName)
*/
@@ -269,7 +268,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
return protectedAspects.containsKey(aspect);
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#getProtectedAspects()
*/
@@ -278,7 +277,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
return Collections.unmodifiableSet(protectedAspects.keySet());
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#getProtectedAspect(org.alfresco.service.namespace.QName)
*/
@@ -295,7 +294,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
public boolean canEditProtectedAspect(NodeRef nodeRef, QName aspect)
{
boolean result = false;
ProtectedModelArtifact artifact = getProtectedAspect(aspect);
if (artifact == null)
{
@@ -305,10 +304,10 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
result = canEdit(nodeRef, artifact);
}
return result;
}
/**
* @see org.alfresco.repo.node.NodeServicePolicies.BeforeAddAspectPolicy#beforeAddAspect(org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.namespace.QName)
*/
@@ -320,12 +319,12 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
if (AuthenticationUtil.getFullyAuthenticatedUser() != null &&
AuthenticationUtil.isRunAsUserTheSystemUser() == false &&
isProtectedAspect(aspect) == true &&
nodeService.exists(nodeRef) == true &&
nodeService.exists(nodeRef) == true &&
canEditProtectedAspect(nodeRef, aspect) == false)
{
// the user can't edit the protected aspect
throw new ModelAccessDeniedException(
"The user " + AuthenticationUtil.getFullyAuthenticatedUser() +
"The user " + AuthenticationUtil.getFullyAuthenticatedUser() +
" does not have the permission to add the protected aspect " + aspect.toPrefixString(namespaceService) +
" from the node " + nodeRef.toString());
}
@@ -343,12 +342,12 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
if (AuthenticationUtil.getFullyAuthenticatedUser() != null &&
AuthenticationUtil.isRunAsUserTheSystemUser() == false &&
isProtectedAspect(aspect) == true &&
nodeService.exists(nodeRef) == true &&
nodeService.exists(nodeRef) == true &&
canEditProtectedAspect(nodeRef, aspect) == false)
{
// the user can't edit the protected aspect
throw new ModelAccessDeniedException(
"The user " + AuthenticationUtil.getFullyAuthenticatedUser() +
"The user " + AuthenticationUtil.getFullyAuthenticatedUser() +
" does not have the permission to remove the protected aspect " + aspect.toPrefixString(namespaceService) +
" from the node " + nodeRef.toString());
}
@@ -376,7 +375,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{
return;
}
if (EqualsHelper.nullSafeEquals(before.get(property), after.get(property)) == false &&
canEditProtectedProperty(nodeRef, property) == false)
{
@@ -385,7 +384,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
"The user " + AuthenticationUtil.getFullyAuthenticatedUser() +
" does not have the permission to edit the protected property " + property.toPrefixString(namespaceService) +
" on the node " + nodeRef.toString());
}
}
}
}
}
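Review bot: In `canEdit`, the new check `Collections.disjoint(role.getCapabilities().keySet(), artifact.getCapilityNames())` depends on the Role map being keyed by capability name with the title as a display-only value, and nothing in this file states that. Because this comparison is the access decision for protected properties and aspects, a comment above it would guard against a later change that keys the map differently, e.g. `// access decision uses capability names (map keys) only; the values are display titles`. The line would also dereference a null map if `Role.getCapabilities()` can ever return null; the Role class is not visible in this section, so it is worth confirming that its constructor guarantees a non-null map. As a style point, `!Collections.disjoint(...)` reads more directly than `== false`.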


@@ -62,103 +62,103 @@ import org.json.JSONObject;
/**
* Records management permission service implementation
*
*
* @author Roy Wetherall
*/
public class RecordsManagementSecurityServiceImpl implements RecordsManagementSecurityService,
public class RecordsManagementSecurityServiceImpl implements RecordsManagementSecurityService,
RecordsManagementModel
{
/** Capability service */
private CapabilityService capabilityService;
/** Authority service */
private AuthorityService authorityService;
/** Permission service */
private PermissionService permissionService;
/** Policy component */
private PolicyComponent policyComponent;
/** Records management service */
private RecordsManagementService recordsManagementService;
/** Model security service */
private ModelSecurityService modelSecurityService;
/** Node service */
private NodeService nodeService;
/** Records management role zone */
public static final String RM_ROLE_ZONE_PREFIX = "rmRoleZone";
/** Unfiled record container name */
private static final String NAME_UNFILED_CONTAINER = "Unfiled Records";
/** Logger */
private static Log logger = LogFactory.getLog(RecordsManagementSecurityServiceImpl.class);
/**
* Set the capability service
*
*
* @param capabilityService
*/
public void setCapabilityService(CapabilityService capabilityService)
{
this.capabilityService = capabilityService;
}
/**
* Set the authortiy service
*
*
* @param authorityService
*/
public void setAuthorityService(AuthorityService authorityService)
{
this.authorityService = authorityService;
}
/**
* Set the permission service
*
*
* @param permissionService
*/
public void setPermissionService(PermissionService permissionService)
{
this.permissionService = permissionService;
}
}
/**
* Set the policy component
*
*
* @param policyComponent
*/
public void setPolicyComponent(PolicyComponent policyComponent)
{
this.policyComponent = policyComponent;
}
/**
* Set records management service
*
*
* @param recordsManagementService records management service
*/
public void setRecordsManagementService(RecordsManagementService recordsManagementService)
{
this.recordsManagementService = recordsManagementService;
}
/**
* Set the node service
*
*
* @param nodeService
*/
public void setNodeService(NodeService nodeService)
{
this.nodeService = nodeService;
}
/**
* @param modelSecurityService model security service
*/
@@ -166,46 +166,46 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{
this.modelSecurityService = modelSecurityService;
}
/**
* Initialisation method
*/
public void init()
{
policyComponent.bindClassBehaviour(
NodeServicePolicies.OnCreateNodePolicy.QNAME,
TYPE_FILE_PLAN,
NodeServicePolicies.OnCreateNodePolicy.QNAME,
TYPE_FILE_PLAN,
new JavaBehaviour(this, "onCreateRootNode", NotificationFrequency.TRANSACTION_COMMIT));
policyComponent.bindClassBehaviour(
NodeServicePolicies.OnDeleteNodePolicy.QNAME,
TYPE_FILE_PLAN,
NodeServicePolicies.OnDeleteNodePolicy.QNAME,
TYPE_FILE_PLAN,
new JavaBehaviour(this, "onDeleteRootNode", NotificationFrequency.TRANSACTION_COMMIT));
policyComponent.bindClassBehaviour(
NodeServicePolicies.OnCreateNodePolicy.QNAME,
TYPE_RECORD_CATEGORY,
NodeServicePolicies.OnCreateNodePolicy.QNAME,
TYPE_RECORD_CATEGORY,
new JavaBehaviour(this, "onCreateRMContainer", NotificationFrequency.TRANSACTION_COMMIT));
policyComponent.bindClassBehaviour(
NodeServicePolicies.OnCreateNodePolicy.QNAME,
TYPE_RECORD_FOLDER,
new JavaBehaviour(this, "onCreateRecordFolder", NotificationFrequency.TRANSACTION_COMMIT));
NodeServicePolicies.OnCreateNodePolicy.QNAME,
TYPE_RECORD_FOLDER,
new JavaBehaviour(this, "onCreateRecordFolder", NotificationFrequency.TRANSACTION_COMMIT));
}
/**
* Create root node behaviour
*
*
* @param childAssocRef
*/
public void onCreateRootNode(ChildAssociationRef childAssocRef)
{
{
final NodeRef rmRootNode = childAssocRef.getChildRef();
// Do not execute behaviour if this has been created in the archive store
if(rmRootNode.getStoreRef().equals(StoreRef.STORE_REF_ARCHIVE_SPACESSTORE) == true)
{
// This is not the spaces store - probably the archive store
return;
}
if (nodeService.exists(rmRootNode) == true)
{
NodeRef unfiledContainer = AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<NodeRef>()
@@ -213,27 +213,27 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
public NodeRef doWork()
{
// Create "all" role group for root node
String allRoles = authorityService.createAuthority(AuthorityType.GROUP, getAllRolesGroupShortName(rmRootNode), "All Roles", null);
String allRoles = authorityService.createAuthority(AuthorityType.GROUP, getAllRolesGroupShortName(rmRootNode), "All Roles", null);
// Set the permissions
permissionService.setInheritParentPermissions(rmRootNode, false);
permissionService.setPermission(rmRootNode, allRoles, RMPermissionModel.READ_RECORDS, true);
permissionService.setPermission(rmRootNode, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true);
permissionService.setPermission(rmRootNode, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.VIEW_RECORDS, true);
// Create the unfiled record container
return createUnfiledContainer(rmRootNode, allRoles);
}
}, AuthenticationUtil.getSystemUserName());
// Bootstrap in the default set of roles for the newly created root node
bootstrapDefaultRoles(rmRootNode, unfiledContainer);
}
}
/**
* Creates unfiled container node and sets up permissions
*
*
* @param rmRootNode
* @param allRoles
*/
@@ -242,57 +242,57 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
// create the properties map
Map<QName, Serializable> properties = new HashMap<QName, Serializable>(1);
properties.put(ContentModel.PROP_NAME, NAME_UNFILED_CONTAINER);
// create the unfiled container
NodeRef container = nodeService.createNode(
rmRootNode,
ASSOC_UNFILED_RECORDS,
QName.createQName(RM_URI, NAME_UNFILED_CONTAINER),
rmRootNode,
ASSOC_UNFILED_RECORDS,
QName.createQName(RM_URI, NAME_UNFILED_CONTAINER),
TYPE_UNFILED_RECORD_CONTAINER,
properties).getChildRef();
// set inheritance to false
permissionService.setInheritParentPermissions(container, false);
permissionService.setPermission(container, allRoles, RMPermissionModel.READ_RECORDS, true);
permissionService.setPermission(container, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true);
return container;
}
/**
* Delete root node behaviour
*
*
* @param childAssocRef
*/
public void onDeleteRootNode(ChildAssociationRef childAssocRef, boolean isNodeArchived)
{
logger.debug("onDeleteRootNode called");
// get the deleted node
final NodeRef rmRootNode = childAssocRef.getChildRef();
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork()
{
// cascade delete the 'all' roles group for the site
String allRolesGroup = authorityService.getName(AuthorityType.GROUP, getAllRolesGroupShortName(rmRootNode));
String allRolesGroup = authorityService.getName(AuthorityType.GROUP, getAllRolesGroupShortName(rmRootNode));
Set<String> groups = authorityService.getContainedAuthorities(AuthorityType.GROUP, allRolesGroup, true);
for (String group : groups)
{
authorityService.deleteAuthority(group);
}
authorityService.deleteAuthority(allRolesGroup, false);
return null;
}
}, AuthenticationUtil.getSystemUserName());
}, AuthenticationUtil.getSystemUserName());
}
/**
* Get all the roles by short name
*
*
* @param rmRootNode
* @return
*/
@@ -300,7 +300,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{
return "AllRoles" + rmRootNode.getId();
}
/**
* @param childAssocRef
*/
@@ -308,7 +308,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{
final NodeRef recordCategory = childAssocRef.getChildRef();
setUpPermissions(recordCategory);
// Pull any permissions found on the parent (ie the record category)
final NodeRef parentNodeRef = childAssocRef.getParentRef();
if (parentNodeRef != null && nodeService.exists(parentNodeRef) == true)
@@ -325,7 +325,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
// since this is not a root category, inherit from parent
Set<AccessPermission> perms = permissionService.getAllSetPermissions(parentNodeRef);
for (AccessPermission perm : perms)
for (AccessPermission perm : perms)
{
if (fillingOnly == false ||
RMPermissionModel.FILING.equals(perm.getPermission()) == true)
@@ -337,19 +337,19 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
allow = true;
}
permissionService.setPermission(
recordCategory,
perm.getAuthority(),
perm.getPermission(),
recordCategory,
perm.getAuthority(),
perm.getPermission(),
allow);
}
}
return null;
}
}, AuthenticationUtil.getSystemUserName());
}, AuthenticationUtil.getSystemUserName());
}
}
/**
* @param childAssocRef
*/
@@ -357,7 +357,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{
final NodeRef folderNodeRef = childAssocRef.getChildRef();
setUpPermissions(folderNodeRef);
// Pull any permissions found on the parent (ie the record category)
final NodeRef catNodeRef = childAssocRef.getParentRef();
if (nodeService.exists(catNodeRef) == true)
@@ -367,7 +367,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
public Object doWork()
{
Set<AccessPermission> perms = permissionService.getAllSetPermissions(catNodeRef);
for (AccessPermission perm : perms)
for (AccessPermission perm : perms)
{
if (ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) == false)
{
@@ -378,43 +378,43 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
allow = true;
}
permissionService.setPermission(
folderNodeRef,
perm.getAuthority(),
perm.getPermission(),
folderNodeRef,
perm.getAuthority(),
perm.getPermission(),
allow);
}
}
return null;
}
}, AuthenticationUtil.getSystemUserName());
}, AuthenticationUtil.getSystemUserName());
}
}
/**
*
*
* @param nodeRef
*/
public void setUpPermissions(final NodeRef nodeRef)
{
if (nodeService.exists(nodeRef) == true)
{
{
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork()
{
// break inheritance
// break inheritance
permissionService.setInheritParentPermissions(nodeRef, false);
// set extended reader permissions
// set extended reader permissions
permissionService.setPermission(nodeRef, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true);
return null;
}
}, AuthenticationUtil.getSystemUserName());
}, AuthenticationUtil.getSystemUserName());
}
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#bootstrapDefaultRoles(org.alfresco.service.cmr.repository.NodeRef)
*/
@@ -422,7 +422,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{
bootstrapDefaultRoles(rmRootNode, null);
}
private void bootstrapDefaultRoles(final NodeRef rmRootNode, final NodeRef unfiledContainer)
{
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
@@ -446,12 +446,12 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{
throw new AlfrescoRuntimeException("Unable to load rm-default-roles-bootstrap.json configuration file.", ioe);
}
// Add each role to the rm root node
for (int i = 0; i < array.length(); i++)
{
JSONObject object = array.getJSONObject(i);
// Get the name of the role
String name = null;
if (object.has("name") == true)
@@ -466,22 +466,22 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{
throw new AlfrescoRuntimeException("No name given to default bootstrap role. Check json configuration file.");
}
// Get the role's display label
String displayLabel = name;
if (object.has("displayLabel") == true)
{
displayLabel = object.getString("displayLabel");
}
// Determine whether the role is an admin role or not
boolean isAdmin = false;
if (object.has("isAdmin") == true)
{
isAdmin = object.getBoolean("isAdmin");
}
// Get the roles capabilities
Set<Capability> capabilities = new HashSet<Capability>(30);
if (object.has("capabilities") == true)
@@ -498,10 +498,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
capabilities.add(capability);
}
}
// Create the role
Role role = createRole(rmRootNode, name, displayLabel, capabilities);
// Add any additional admin permissions
if (isAdmin == true)
{
@@ -511,7 +511,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{
permissionService.setPermission(unfiledContainer, role.getRoleGroupName(), RMPermissionModel.FILING, true);
}
// Add the creating user to the administration group
String user = AuthenticationUtil.getFullyAuthenticatedUser();
authorityService.addAuthority(role.getRoleGroupName(), user);
@@ -522,15 +522,15 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{
throw new AlfrescoRuntimeException("Error loading json configuration file rm-default-roles-bootstrap.json", exception);
}
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
/**
* Helper method to convert a stream to a string.
*
*
* @param is input stream
* @return {@link String} string
* @throws IOException
@@ -545,50 +545,50 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
*/
BufferedReader reader = new BufferedReader(new InputStreamReader(is));
StringBuilder sb = new StringBuilder();
String line = null;
try
try
{
while ((line = reader.readLine()) != null)
while ((line = reader.readLine()) != null)
{
sb.append(line + "\n");
}
}
finally
finally
{
try {is.close();} catch (IOException e) {}
}
return sb.toString();
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getRoles()
*/
public Set<Role> getRoles(final NodeRef rmRootNode)
{
{
return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Set<Role>>()
{
public Set<Role> doWork() throws Exception
{
Set<Role> result = new HashSet<Role>(13);
Set<String> roleAuthorities = authorityService.getAllAuthoritiesInZone(getZoneName(rmRootNode), AuthorityType.GROUP);
Set<String> roleAuthorities = authorityService.getAllAuthoritiesInZone(getZoneName(rmRootNode), AuthorityType.GROUP);
for (String roleAuthority : roleAuthorities)
{
String name = getShortRoleName(authorityService.getShortName(roleAuthority), rmRootNode);
String displayLabel = authorityService.getAuthorityDisplayName(roleAuthority);
Set<String> capabilities = getCapabilitiesImpl(rmRootNode, roleAuthority);
Map<String, String> capabilities = getCapabilitiesImpl(rmRootNode, roleAuthority);
Role role = new Role(name, displayLabel, capabilities, roleAuthority);
result.add(role);
result.add(role);
}
return result;
}
}, AuthenticationUtil.getSystemUserName());
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getRolesByUser(org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
*/
@@ -599,29 +599,29 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
public Set<Role> doWork() throws Exception
{
Set<Role> result = new HashSet<Role>(13);
Set<String> roleAuthorities = authorityService.getAllAuthoritiesInZone(getZoneName(rmRootNode), AuthorityType.GROUP);
Set<String> roleAuthorities = authorityService.getAllAuthoritiesInZone(getZoneName(rmRootNode), AuthorityType.GROUP);
for (String roleAuthority : roleAuthorities)
{
Set<String> users = authorityService.getContainedAuthorities(AuthorityType.USER, roleAuthority, false);
if (users.contains(user) == true)
{
{
String name = getShortRoleName(authorityService.getShortName(roleAuthority), rmRootNode);
String displayLabel = authorityService.getAuthorityDisplayName(roleAuthority);
Set<String> capabilities = getCapabilitiesImpl(rmRootNode, roleAuthority);
Map<String, String> capabilities = getCapabilitiesImpl(rmRootNode, roleAuthority);
Role role = new Role(name, displayLabel, capabilities, roleAuthority);
result.add(role);
result.add(role);
}
}
return result;
}
}, AuthenticationUtil.getSystemUserName());
}
/**
*
*
* @param rmRootNode
* @return
*/
@@ -629,10 +629,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{
return RM_ROLE_ZONE_PREFIX + rmRootNode.getId();
}
/**
* Get the full role name
*
*
* @param role
* @param rmRootNode
* @return
@@ -641,10 +641,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{
return role + rmRootNode.getId();
}
/**
* Get the short role name
*
*
* @param fullRoleName
* @param rmRootNode
* @return
@@ -653,7 +653,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{
return fullRoleName.replaceAll(rmRootNode.getId(), "");
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getRole(org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
*/
@@ -662,46 +662,45 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Role>()
{
public Role doWork() throws Exception
{
{
Role result = null;
String roleAuthority = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode));
if (authorityService.authorityExists(roleAuthority) == true)
{
String name = getShortRoleName(authorityService.getShortName(roleAuthority), rmRootNode);
String displayLabel = authorityService.getAuthorityDisplayName(roleAuthority);
Set<String> capabilities = getCapabilitiesImpl(rmRootNode, roleAuthority);
String displayLabel = authorityService.getAuthorityDisplayName(roleAuthority);
Map<String, String> capabilities = getCapabilitiesImpl(rmRootNode, roleAuthority);
result = new Role(name, displayLabel, capabilities, roleAuthority);
}
return result;
}
}, AuthenticationUtil.getSystemUserName());
}
/**
*
*
* @param rmRootNode
* @param roleAuthority
* @return
*/
private Set<String> getCapabilitiesImpl(NodeRef rmRootNode, String roleAuthority)
private Map<String, String> getCapabilitiesImpl(NodeRef rmRootNode, String roleAuthority)
{
Set<AccessPermission> permissions = permissionService.getAllSetPermissions(rmRootNode);
Set<String> capabilities = new HashSet<String>(52);
Map<String, String> capabilities = new HashMap<String, String>(52);
for (AccessPermission permission : permissions)
{
if (permission.getAuthority().equals(roleAuthority) == true)
{
String capabilityName = permission.getPermission();
if (capabilityService.getCapability(capabilityName) != null)
Capability capability = capabilityService.getCapability(capabilityName);
if (capability != null)
{
capabilities.add(permission.getPermission());
capabilities.put(capabilityName, capability.getTitle());
}
}
}
return capabilities;
@@ -715,25 +714,25 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Boolean>()
{
public Boolean doWork() throws Exception
{
{
String fullRoleName = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode));
String zone = getZoneName(rmRootNode);
Set<String> roles = authorityService.getAllAuthoritiesInZone(zone, AuthorityType.GROUP);
return new Boolean(roles.contains(fullRoleName));
}
}, AuthenticationUtil.getSystemUserName()).booleanValue();
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#hasRMAdminRole(org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
*
*
* TODO .. change this to check a property of the role its self
*/
public boolean hasRMAdminRole(NodeRef rmRootNode, String user)
{
boolean isRMAdmin = false;
Set<Role> userRoles = this.getRolesByUser(rmRootNode, user);
if (userRoles != null)
{
@@ -746,10 +745,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
}
}
}
return isRMAdmin;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#createRole(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String, java.util.Set)
*/
@@ -760,44 +759,44 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
public Role doWork() throws Exception
{
String fullRoleName = getFullRoleName(role, rmRootNode);
// Check that the role does not already exist for the rm root node
if (authorityService.authorityExists(authorityService.getName(AuthorityType.GROUP, fullRoleName)))
{
throw new AlfrescoRuntimeException("The role " + role + " already exists for root rm node " + rmRootNode.getId());
}
// Create a group that relates to the records management role
Set<String> zones = new HashSet<String>(2);
zones.add(getZoneName(rmRootNode));
zones.add(AuthorityService.ZONE_APP_DEFAULT);
String roleGroup = authorityService.createAuthority(AuthorityType.GROUP, fullRoleName, roleDisplayLabel, zones);
// Add the roleGroup to the "all" role group
String allRoleGroup = authorityService.getName(AuthorityType.GROUP, getAllRolesGroupShortName(rmRootNode));
authorityService.addAuthority(allRoleGroup, roleGroup);
// Assign the various capabilities to the group on the root records management node
Set<String> capStrings = new HashSet<String>(53);
Map<String, String> capStrings = new HashMap<String, String>(53);
if (capabilities != null)
{
for (Capability capability : capabilities)
{
permissionService.setPermission(rmRootNode, roleGroup, capability.getName(), true);
}
// Create the role
for (Capability capability : capabilities)
{
capStrings.add(capability.getName());
capStrings.put(capability.getName(), capability.getTitle());
}
}
return new Role(role, roleDisplayLabel, capStrings, roleGroup);
}
}, AuthenticationUtil.getSystemUserName());
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#updateRole(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String, java.util.Set)
*/
@@ -806,30 +805,30 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Role>()
{
public Role doWork() throws Exception
{
{
String roleAuthority = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode));
// Reset the role display name
authorityService.setAuthorityDisplayName(roleAuthority, roleDisplayLabel);
// TODO this needs to be improved, removing all and readding is not ideal
// Clear the current capabilities
permissionService.clearPermission(rmRootNode, roleAuthority);
// Re-add the provided capabilities
for (Capability capability : capabilities)
{
permissionService.setPermission(rmRootNode, roleAuthority, capability.getName(), true);
}
Set<String> capStrings = new HashSet<String>(capabilities.size());
Map<String, String> capStrings = new HashMap<String, String>(capabilities.size());
for (Capability capability : capabilities)
{
capStrings.add(capability.getName());
capStrings.put(capability.getName(), capability.getTitle());
}
return new Role(role, roleDisplayLabel, capStrings, roleAuthority);
}
}, AuthenticationUtil.getSystemUserName());
}
@@ -842,15 +841,15 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
{
public Boolean doWork() throws Exception
{
{
String roleAuthority = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode));
authorityService.deleteAuthority(roleAuthority);
authorityService.deleteAuthority(roleAuthority);
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#assignRoleToAuthority(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String)
*/
@@ -859,15 +858,15 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
{
public Boolean doWork() throws Exception
{
{
String roleAuthority = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode));
authorityService.addAuthority(roleAuthority, authorityName);
authorityService.addAuthority(roleAuthority, authorityName);
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#setPermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String, boolean)
*/
@@ -876,7 +875,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
ParameterCheck.mandatory("nodeRef", nodeRef);
ParameterCheck.mandatory("authority", authority);
ParameterCheck.mandatory("permission", permission);
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
{
public Boolean doWork() throws Exception
@@ -902,15 +901,15 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
logger.warn("Setting permissions for this node is not supported. (nodeRef=" + nodeRef + ", authority=" + authority + ", permission=" + permission + ")");
}
}
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
/**
* Helper method to set the read permission up the hierarchy
*
*
* @param nodeRef
* @param authority
*/
@@ -924,10 +923,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
setReadPermissionUp(parent, authority);
}
}
/**
* Helper method to set the permission down the hierarchy
*
*
* @param nodeRef
* @param authority
* @param permission
@@ -949,10 +948,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
}
}
}
/**
* Set the permission, taking into account that filing is a superset of read
*
*
* @param nodeRef
* @param authority
* @param permission
@@ -964,10 +963,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
// Remove record read permission before adding filing permission
permissionService.deletePermission(nodeRef, authority, RMPermissionModel.READ_RECORDS);
}
permissionService.setPermission(nodeRef, authority, permission, true);
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#deletePermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String)
*/
@@ -976,10 +975,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
{
public Boolean doWork() throws Exception
{
{
// Delete permission on this node
permissionService.deletePermission(nodeRef, authority, permission);
if (recordsManagementService.isRecordsManagementContainer(nodeRef) == true)
{
List<ChildAssociationRef> assocs = nodeService.getChildAssocs(nodeRef, ContentModel.ASSOC_CONTAINS, RegexQNamePattern.MATCH_ALL);
@@ -993,12 +992,12 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
}
}
}
return null;
}
}, AuthenticationUtil.getSystemUserName());
}, AuthenticationUtil.getSystemUserName());
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getProtectedAspects()
*/
@@ -1008,7 +1007,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{
return modelSecurityService.getProtectedAspects();
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getProtectedProperties()
*/


@@ -18,10 +18,10 @@
*/
package org.alfresco.module.org_alfresco_module_rm.security;
import java.util.Set;
import java.util.Map;
/**
* Records management role class
* Records management role class
*
* @author Roy Wetherall
*/
@@ -29,15 +29,15 @@ public class Role
{
private String name;
private String displayLabel;
private Set<String> capabilities;
private Map<String, String> capabilities;
private String roleGroupName;
/**
* @param name
* @param displayLabel
* @param capabilities
*/
public Role(String name, String displayLabel, Set<String> capabilities, String roleGroupName)
public Role(String name, String displayLabel, Map<String, String> capabilities, String roleGroupName)
{
this.name = name;
this.displayLabel = displayLabel;
@@ -64,7 +64,7 @@ public class Role
/**
* @return the capabilities
*/
public Set<String> getCapabilities()
public Map<String, String> getCapabilities()
{
return capabilities;
}
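Review bot: `getCapabilities()` hands out the role's internal `Map<String, String>` by reference, so any caller can add or remove entries on a `Role` that other code may later read as that role's capability list. Returning a read-only view, `return Collections.unmodifiableMap(capabilities);` (with `import java.util.Collections;`), would prevent that. The constructor body runs past its hunk, so whether the incoming map is copied is not visible here; if it is stored as passed, the same concern applies there. The Javadoc should also state the new contract, e.g. `@param capabilities map of capability name to capability title` and `@return map of capability name to capability title`, because callers that used `contains(name)` on the old `Set` now need `containsKey(name)`.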