RM-563 (Add group id and title to Capability API and definitions)

* Changed the Role class so that the i18n properties don't have to be maintained on both sides (server and share)

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@44244 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Tuna Aksoy
2012-12-03 11:41:28 +00:00
parent aaab4b2c9e
commit 583b4412a8
5 changed files with 359 additions and 361 deletions


@@ -2,14 +2,14 @@
<#macro roleJSON role> <#macro roleJSON role>
<#escape x as jsonUtils.encodeJSONString(x)> <#escape x as jsonUtils.encodeJSONString(x)>
{ {
"name": "${role.name}", "name": "${role.name}",
"displayLabel": "${role.displayLabel}", "displayLabel": "${role.displayLabel}",
"capabilities" : "capabilities":
[ {
<#list role.capabilities as capability> <#list role.capabilities?keys as capability>
"${capability}"<#if capability_has_next>,</#if> "${capability}": "${role.capabilities[capability]}" <#if capability_has_next>,</#if>
</#list> </#list>
] }
} }
</#escape> </#escape>
</#macro> </#macro>
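Review bot: The new value lookup `${role.capabilities[capability]}` has no fallback, so a capability whose title is missing (a null map value) would make FreeMarker fail the interpolation and break the whole role response instead of dropping one label. Whether the map can hold a null title depends on how Role is populated, which this page does not show; if it can, `"${capability}": "${role.capabilities[capability]!capability}"` keeps the output valid, and the default still passes through the surrounding `<#escape>`. The `capabilities` member also changes from a JSON array to a JSON object, so any consumer that iterates it as a list has to change in the same release.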


@@ -25,14 +25,13 @@ import java.util.Map;
import java.util.Set; import java.util.Set;
import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService; import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService;
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService; import org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService;
import org.alfresco.module.org_alfresco_module_rm.security.Role; import org.alfresco.module.org_alfresco_module_rm.security.Role;
import org.alfresco.repo.node.NodeServicePolicies; import org.alfresco.repo.node.NodeServicePolicies;
import org.alfresco.repo.policy.Behaviour.NotificationFrequency;
import org.alfresco.repo.policy.JavaBehaviour; import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent; import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.policy.Behaviour.NotificationFrequency;
import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService; import org.alfresco.service.cmr.repository.NodeService;
@@ -45,7 +44,7 @@ import org.alfresco.util.EqualsHelper;
* Model security service implementation. * Model security service implementation.
* <p> * <p>
* This service records the protected properties and aspects, ensuring that only those with the appropriate capabilities can edit them. * This service records the protected properties and aspects, ensuring that only those with the appropriate capabilities can edit them.
* *
* @author Roy Wetherall * @author Roy Wetherall
* @since 2.1 * @since 2.1
*/ */
@@ -57,39 +56,39 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
/** Indicates whether model security is enabled or not */ /** Indicates whether model security is enabled or not */
private boolean enabled = true; private boolean enabled = true;
/** Policy component */ /** Policy component */
private PolicyComponent policyComponent; private PolicyComponent policyComponent;
/** Node service */ /** Node service */
private NodeService nodeService; private NodeService nodeService;
/** Namespace service */ /** Namespace service */
private NamespaceService namespaceService; private NamespaceService namespaceService;
/** Security service */ /** Security service */
private RecordsManagementSecurityService securityService; private RecordsManagementSecurityService securityService;
/** Records management service */ /** Records management service */
private RecordsManagementService recordsManagementService; private RecordsManagementService recordsManagementService;
/** Map of protected properties keyed by name */ /** Map of protected properties keyed by name */
private Map<QName, ProtectedProperty> protectedProperties = new HashMap<QName, ProtectedProperty>(21); private Map<QName, ProtectedProperty> protectedProperties = new HashMap<QName, ProtectedProperty>(21);
/** Map of protected aspects keyed by name */ /** Map of protected aspects keyed by name */
private Map<QName, ProtectedAspect> protectedAspects= new HashMap<QName, ProtectedAspect>(21); private Map<QName, ProtectedAspect> protectedAspects= new HashMap<QName, ProtectedAspect>(21);
/** Behaviour instances */ /** Behaviour instances */
private JavaBehaviour beforeAddAspectBehaviour = new JavaBehaviour(this, private JavaBehaviour beforeAddAspectBehaviour = new JavaBehaviour(this,
"beforeAddAspect", "beforeAddAspect",
NotificationFrequency.EVERY_EVENT); NotificationFrequency.EVERY_EVENT);
private JavaBehaviour beforeRemoveAspectBehaviour = new JavaBehaviour(this, private JavaBehaviour beforeRemoveAspectBehaviour = new JavaBehaviour(this,
"beforeRemoveAspect", "beforeRemoveAspect",
NotificationFrequency.EVERY_EVENT); NotificationFrequency.EVERY_EVENT);
private JavaBehaviour onUpdatePropertiesBehaviour = new JavaBehaviour(this, private JavaBehaviour onUpdatePropertiesBehaviour = new JavaBehaviour(this,
"onUpdateProperties", "onUpdateProperties",
NotificationFrequency.EVERY_EVENT); NotificationFrequency.EVERY_EVENT);
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#setEnabled(boolean) * @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#setEnabled(boolean)
*/ */
@@ -97,7 +96,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
this.enabled = enabled; this.enabled = enabled;
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#isEnabled() * @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#isEnabled()
*/ */
@@ -105,7 +104,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
return enabled; return enabled;
} }
/** /**
* @param policyComponent policy component * @param policyComponent policy component
*/ */
@@ -113,7 +112,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
this.policyComponent = policyComponent; this.policyComponent = policyComponent;
} }
/** /**
* @param nodeService node service * @param nodeService node service
*/ */
@@ -121,7 +120,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
this.nodeService = nodeService; this.nodeService = nodeService;
} }
/** /**
* @param namespaceService namespace service * @param namespaceService namespace service
*/ */
@@ -129,7 +128,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
this.namespaceService = namespaceService; this.namespaceService = namespaceService;
} }
/** /**
* @param securityService records management security service * @param securityService records management security service
*/ */
@@ -137,7 +136,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
this.securityService = securityService; this.securityService = securityService;
} }
/** /**
* @param recordsManagementService records management service * @param recordsManagementService records management service
*/ */
@@ -145,7 +144,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
this.recordsManagementService = recordsManagementService; this.recordsManagementService = recordsManagementService;
} }
/** /**
* Init method * Init method
*/ */
@@ -153,19 +152,19 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
// bind model security behaviours to all records management artifacts components // bind model security behaviours to all records management artifacts components
policyComponent.bindClassBehaviour( policyComponent.bindClassBehaviour(
NodeServicePolicies.BeforeAddAspectPolicy.QNAME, NodeServicePolicies.BeforeAddAspectPolicy.QNAME,
this, this,
beforeAddAspectBehaviour); beforeAddAspectBehaviour);
policyComponent.bindClassBehaviour( policyComponent.bindClassBehaviour(
NodeServicePolicies.BeforeRemoveAspectPolicy.QNAME, NodeServicePolicies.BeforeRemoveAspectPolicy.QNAME,
this, this,
beforeRemoveAspectBehaviour); beforeRemoveAspectBehaviour);
policyComponent.bindClassBehaviour( policyComponent.bindClassBehaviour(
NodeServicePolicies.OnUpdatePropertiesPolicy.QNAME, NodeServicePolicies.OnUpdatePropertiesPolicy.QNAME,
this, this,
onUpdatePropertiesBehaviour); onUpdatePropertiesBehaviour);
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#register(org.alfresco.module.org_alfresco_module_rm.model.security.ProtectedModelArtifact) * @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#register(org.alfresco.module.org_alfresco_module_rm.model.security.ProtectedModelArtifact)
*/ */
@@ -173,7 +172,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
public void register(ProtectedModelArtifact artifact) public void register(ProtectedModelArtifact artifact)
{ {
// TODO validate that the artifact has a valid property and has a capability set ... // TODO validate that the artifact has a valid property and has a capability set ...
if (artifact instanceof ProtectedProperty) if (artifact instanceof ProtectedProperty)
{ {
protectedProperties.put(artifact.getQName(), (ProtectedProperty)artifact); protectedProperties.put(artifact.getQName(), (ProtectedProperty)artifact);
@@ -183,7 +182,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
protectedAspects.put(artifact.getQName(), (ProtectedAspect)artifact); protectedAspects.put(artifact.getQName(), (ProtectedAspect)artifact);
} }
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#isProtectedProperty(org.alfresco.service.namespace.QName) * @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#isProtectedProperty(org.alfresco.service.namespace.QName)
*/ */
@@ -210,7 +209,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
return protectedProperties.get(name); return protectedProperties.get(name);
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#canEditProtectedProperty(org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.namespace.QName) * @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#canEditProtectedProperty(org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.namespace.QName)
*/ */
@@ -218,7 +217,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
public boolean canEditProtectedProperty(NodeRef nodeRef, QName property) public boolean canEditProtectedProperty(NodeRef nodeRef, QName property)
{ {
boolean result = false; boolean result = false;
ProtectedModelArtifact artifact = getProtectedProperty(property); ProtectedModelArtifact artifact = getProtectedProperty(property);
if (artifact == null) if (artifact == null)
{ {
@@ -228,14 +227,14 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
result = canEdit(nodeRef, artifact); result = canEdit(nodeRef, artifact);
} }
return result; return result;
} }
/** /**
* Indicates whether the current user can edit protected model artifact in the context * Indicates whether the current user can edit protected model artifact in the context
* of a given node or not. * of a given node or not.
* *
* @param nodeRef node reference * @param nodeRef node reference
* @param artifact protected model artifact * @param artifact protected model artifact
* @return boolean true if the current user can edit the protected model artifact, false otherwise * @return boolean true if the current user can edit the protected model artifact, false otherwise
@@ -243,24 +242,24 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
private boolean canEdit(NodeRef nodeRef, ProtectedModelArtifact artifact) private boolean canEdit(NodeRef nodeRef, ProtectedModelArtifact artifact)
{ {
boolean result = false; boolean result = false;
NodeRef filePlan = recordsManagementService.getFilePlan(nodeRef); NodeRef filePlan = recordsManagementService.getFilePlan(nodeRef);
if (filePlan != null) if (filePlan != null)
{ {
Set<Role> roles = securityService.getRolesByUser(filePlan, AuthenticationUtil.getFullyAuthenticatedUser()); Set<Role> roles = securityService.getRolesByUser(filePlan, AuthenticationUtil.getFullyAuthenticatedUser());
for (Role role : roles) for (Role role : roles)
{ {
if (Collections.disjoint(role.getCapabilities(), artifact.getCapilityNames()) == false) if (Collections.disjoint(role.getCapabilities().keySet(), artifact.getCapilityNames()) == false)
{ {
result = true; result = true;
break; break;
} }
} }
} }
return result; return result;
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#isProtectedAspect(org.alfresco.service.namespace.QName) * @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#isProtectedAspect(org.alfresco.service.namespace.QName)
*/ */
@@ -269,7 +268,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
return protectedAspects.containsKey(aspect); return protectedAspects.containsKey(aspect);
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#getProtectedAspects() * @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#getProtectedAspects()
*/ */
@@ -278,7 +277,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
return Collections.unmodifiableSet(protectedAspects.keySet()); return Collections.unmodifiableSet(protectedAspects.keySet());
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#getProtectedAspect(org.alfresco.service.namespace.QName) * @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#getProtectedAspect(org.alfresco.service.namespace.QName)
*/ */
@@ -295,7 +294,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
public boolean canEditProtectedAspect(NodeRef nodeRef, QName aspect) public boolean canEditProtectedAspect(NodeRef nodeRef, QName aspect)
{ {
boolean result = false; boolean result = false;
ProtectedModelArtifact artifact = getProtectedAspect(aspect); ProtectedModelArtifact artifact = getProtectedAspect(aspect);
if (artifact == null) if (artifact == null)
{ {
@@ -305,10 +304,10 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
result = canEdit(nodeRef, artifact); result = canEdit(nodeRef, artifact);
} }
return result; return result;
} }
/** /**
* @see org.alfresco.repo.node.NodeServicePolicies.BeforeAddAspectPolicy#beforeAddAspect(org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.namespace.QName) * @see org.alfresco.repo.node.NodeServicePolicies.BeforeAddAspectPolicy#beforeAddAspect(org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.namespace.QName)
*/ */
@@ -320,12 +319,12 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
if (AuthenticationUtil.getFullyAuthenticatedUser() != null && if (AuthenticationUtil.getFullyAuthenticatedUser() != null &&
AuthenticationUtil.isRunAsUserTheSystemUser() == false && AuthenticationUtil.isRunAsUserTheSystemUser() == false &&
isProtectedAspect(aspect) == true && isProtectedAspect(aspect) == true &&
nodeService.exists(nodeRef) == true && nodeService.exists(nodeRef) == true &&
canEditProtectedAspect(nodeRef, aspect) == false) canEditProtectedAspect(nodeRef, aspect) == false)
{ {
// the user can't edit the protected aspect // the user can't edit the protected aspect
throw new ModelAccessDeniedException( throw new ModelAccessDeniedException(
"The user " + AuthenticationUtil.getFullyAuthenticatedUser() + "The user " + AuthenticationUtil.getFullyAuthenticatedUser() +
" does not have the permission to add the protected aspect " + aspect.toPrefixString(namespaceService) + " does not have the permission to add the protected aspect " + aspect.toPrefixString(namespaceService) +
" from the node " + nodeRef.toString()); " from the node " + nodeRef.toString());
} }
@@ -343,12 +342,12 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
if (AuthenticationUtil.getFullyAuthenticatedUser() != null && if (AuthenticationUtil.getFullyAuthenticatedUser() != null &&
AuthenticationUtil.isRunAsUserTheSystemUser() == false && AuthenticationUtil.isRunAsUserTheSystemUser() == false &&
isProtectedAspect(aspect) == true && isProtectedAspect(aspect) == true &&
nodeService.exists(nodeRef) == true && nodeService.exists(nodeRef) == true &&
canEditProtectedAspect(nodeRef, aspect) == false) canEditProtectedAspect(nodeRef, aspect) == false)
{ {
// the user can't edit the protected aspect // the user can't edit the protected aspect
throw new ModelAccessDeniedException( throw new ModelAccessDeniedException(
"The user " + AuthenticationUtil.getFullyAuthenticatedUser() + "The user " + AuthenticationUtil.getFullyAuthenticatedUser() +
" does not have the permission to remove the protected aspect " + aspect.toPrefixString(namespaceService) + " does not have the permission to remove the protected aspect " + aspect.toPrefixString(namespaceService) +
" from the node " + nodeRef.toString()); " from the node " + nodeRef.toString());
} }
@@ -376,7 +375,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
return; return;
} }
if (EqualsHelper.nullSafeEquals(before.get(property), after.get(property)) == false && if (EqualsHelper.nullSafeEquals(before.get(property), after.get(property)) == false &&
canEditProtectedProperty(nodeRef, property) == false) canEditProtectedProperty(nodeRef, property) == false)
{ {
@@ -385,7 +384,7 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
"The user " + AuthenticationUtil.getFullyAuthenticatedUser() + "The user " + AuthenticationUtil.getFullyAuthenticatedUser() +
" does not have the permission to edit the protected property " + property.toPrefixString(namespaceService) + " does not have the permission to edit the protected property " + property.toPrefixString(namespaceService) +
" on the node " + nodeRef.toString()); " on the node " + nodeRef.toString());
} }
} }
} }
} }
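Review bot: In `canEdit`, the access decision for protected properties and aspects now rests on `role.getCapabilities().keySet()`, and nothing in this file states that the map is keyed by capability name with the display title as the value. The Role class is not shown on this page, so that is inferred from the template change; if the keys were ever the titles, the `Collections.disjoint` check would quietly stop matching and deny every edit. I would add a comment above the check, `// keys are capability names, values are i18n titles; only the names take part in the access decision`, and back it with a test that grants a role one capability and asserts both outcomes. As a style point, `!Collections.disjoint(...)` reads more directly than `== false`. The rest of this section is whitespace and import reordering.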


@@ -62,103 +62,103 @@ import org.json.JSONObject;
/** /**
* Records management permission service implementation * Records management permission service implementation
* *
* @author Roy Wetherall * @author Roy Wetherall
*/ */
public class RecordsManagementSecurityServiceImpl implements RecordsManagementSecurityService, public class RecordsManagementSecurityServiceImpl implements RecordsManagementSecurityService,
RecordsManagementModel RecordsManagementModel
{ {
/** Capability service */ /** Capability service */
private CapabilityService capabilityService; private CapabilityService capabilityService;
/** Authority service */ /** Authority service */
private AuthorityService authorityService; private AuthorityService authorityService;
/** Permission service */ /** Permission service */
private PermissionService permissionService; private PermissionService permissionService;
/** Policy component */ /** Policy component */
private PolicyComponent policyComponent; private PolicyComponent policyComponent;
/** Records management service */ /** Records management service */
private RecordsManagementService recordsManagementService; private RecordsManagementService recordsManagementService;
/** Model security service */ /** Model security service */
private ModelSecurityService modelSecurityService; private ModelSecurityService modelSecurityService;
/** Node service */ /** Node service */
private NodeService nodeService; private NodeService nodeService;
/** Records management role zone */ /** Records management role zone */
public static final String RM_ROLE_ZONE_PREFIX = "rmRoleZone"; public static final String RM_ROLE_ZONE_PREFIX = "rmRoleZone";
/** Unfiled record container name */ /** Unfiled record container name */
private static final String NAME_UNFILED_CONTAINER = "Unfiled Records"; private static final String NAME_UNFILED_CONTAINER = "Unfiled Records";
/** Logger */ /** Logger */
private static Log logger = LogFactory.getLog(RecordsManagementSecurityServiceImpl.class); private static Log logger = LogFactory.getLog(RecordsManagementSecurityServiceImpl.class);
/** /**
* Set the capability service * Set the capability service
* *
* @param capabilityService * @param capabilityService
*/ */
public void setCapabilityService(CapabilityService capabilityService) public void setCapabilityService(CapabilityService capabilityService)
{ {
this.capabilityService = capabilityService; this.capabilityService = capabilityService;
} }
/** /**
* Set the authortiy service * Set the authortiy service
* *
* @param authorityService * @param authorityService
*/ */
public void setAuthorityService(AuthorityService authorityService) public void setAuthorityService(AuthorityService authorityService)
{ {
this.authorityService = authorityService; this.authorityService = authorityService;
} }
/** /**
* Set the permission service * Set the permission service
* *
* @param permissionService * @param permissionService
*/ */
public void setPermissionService(PermissionService permissionService) public void setPermissionService(PermissionService permissionService)
{ {
this.permissionService = permissionService; this.permissionService = permissionService;
} }
/** /**
* Set the policy component * Set the policy component
* *
* @param policyComponent * @param policyComponent
*/ */
public void setPolicyComponent(PolicyComponent policyComponent) public void setPolicyComponent(PolicyComponent policyComponent)
{ {
this.policyComponent = policyComponent; this.policyComponent = policyComponent;
} }
/** /**
* Set records management service * Set records management service
* *
* @param recordsManagementService records management service * @param recordsManagementService records management service
*/ */
public void setRecordsManagementService(RecordsManagementService recordsManagementService) public void setRecordsManagementService(RecordsManagementService recordsManagementService)
{ {
this.recordsManagementService = recordsManagementService; this.recordsManagementService = recordsManagementService;
} }
/** /**
* Set the node service * Set the node service
* *
* @param nodeService * @param nodeService
*/ */
public void setNodeService(NodeService nodeService) public void setNodeService(NodeService nodeService)
{ {
this.nodeService = nodeService; this.nodeService = nodeService;
} }
/** /**
* @param modelSecurityService model security service * @param modelSecurityService model security service
*/ */
@@ -166,46 +166,46 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{ {
this.modelSecurityService = modelSecurityService; this.modelSecurityService = modelSecurityService;
} }
/** /**
* Initialisation method * Initialisation method
*/ */
public void init() public void init()
{ {
policyComponent.bindClassBehaviour( policyComponent.bindClassBehaviour(
NodeServicePolicies.OnCreateNodePolicy.QNAME, NodeServicePolicies.OnCreateNodePolicy.QNAME,
TYPE_FILE_PLAN, TYPE_FILE_PLAN,
new JavaBehaviour(this, "onCreateRootNode", NotificationFrequency.TRANSACTION_COMMIT)); new JavaBehaviour(this, "onCreateRootNode", NotificationFrequency.TRANSACTION_COMMIT));
policyComponent.bindClassBehaviour( policyComponent.bindClassBehaviour(
NodeServicePolicies.OnDeleteNodePolicy.QNAME, NodeServicePolicies.OnDeleteNodePolicy.QNAME,
TYPE_FILE_PLAN, TYPE_FILE_PLAN,
new JavaBehaviour(this, "onDeleteRootNode", NotificationFrequency.TRANSACTION_COMMIT)); new JavaBehaviour(this, "onDeleteRootNode", NotificationFrequency.TRANSACTION_COMMIT));
policyComponent.bindClassBehaviour( policyComponent.bindClassBehaviour(
NodeServicePolicies.OnCreateNodePolicy.QNAME, NodeServicePolicies.OnCreateNodePolicy.QNAME,
TYPE_RECORD_CATEGORY, TYPE_RECORD_CATEGORY,
new JavaBehaviour(this, "onCreateRMContainer", NotificationFrequency.TRANSACTION_COMMIT)); new JavaBehaviour(this, "onCreateRMContainer", NotificationFrequency.TRANSACTION_COMMIT));
policyComponent.bindClassBehaviour( policyComponent.bindClassBehaviour(
NodeServicePolicies.OnCreateNodePolicy.QNAME, NodeServicePolicies.OnCreateNodePolicy.QNAME,
TYPE_RECORD_FOLDER, TYPE_RECORD_FOLDER,
new JavaBehaviour(this, "onCreateRecordFolder", NotificationFrequency.TRANSACTION_COMMIT)); new JavaBehaviour(this, "onCreateRecordFolder", NotificationFrequency.TRANSACTION_COMMIT));
} }
/** /**
* Create root node behaviour * Create root node behaviour
* *
* @param childAssocRef * @param childAssocRef
*/ */
public void onCreateRootNode(ChildAssociationRef childAssocRef) public void onCreateRootNode(ChildAssociationRef childAssocRef)
{ {
final NodeRef rmRootNode = childAssocRef.getChildRef(); final NodeRef rmRootNode = childAssocRef.getChildRef();
// Do not execute behaviour if this has been created in the archive store // Do not execute behaviour if this has been created in the archive store
if(rmRootNode.getStoreRef().equals(StoreRef.STORE_REF_ARCHIVE_SPACESSTORE) == true) if(rmRootNode.getStoreRef().equals(StoreRef.STORE_REF_ARCHIVE_SPACESSTORE) == true)
{ {
// This is not the spaces store - probably the archive store // This is not the spaces store - probably the archive store
return; return;
} }
if (nodeService.exists(rmRootNode) == true) if (nodeService.exists(rmRootNode) == true)
{ {
NodeRef unfiledContainer = AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<NodeRef>() NodeRef unfiledContainer = AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<NodeRef>()
@@ -213,27 +213,27 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
public NodeRef doWork() public NodeRef doWork()
{ {
// Create "all" role group for root node // Create "all" role group for root node
String allRoles = authorityService.createAuthority(AuthorityType.GROUP, getAllRolesGroupShortName(rmRootNode), "All Roles", null); String allRoles = authorityService.createAuthority(AuthorityType.GROUP, getAllRolesGroupShortName(rmRootNode), "All Roles", null);
// Set the permissions // Set the permissions
permissionService.setInheritParentPermissions(rmRootNode, false); permissionService.setInheritParentPermissions(rmRootNode, false);
permissionService.setPermission(rmRootNode, allRoles, RMPermissionModel.READ_RECORDS, true); permissionService.setPermission(rmRootNode, allRoles, RMPermissionModel.READ_RECORDS, true);
permissionService.setPermission(rmRootNode, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true); permissionService.setPermission(rmRootNode, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true);
permissionService.setPermission(rmRootNode, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.VIEW_RECORDS, true); permissionService.setPermission(rmRootNode, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.VIEW_RECORDS, true);
// Create the unfiled record container // Create the unfiled record container
return createUnfiledContainer(rmRootNode, allRoles); return createUnfiledContainer(rmRootNode, allRoles);
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
// Bootstrap in the default set of roles for the newly created root node // Bootstrap in the default set of roles for the newly created root node
bootstrapDefaultRoles(rmRootNode, unfiledContainer); bootstrapDefaultRoles(rmRootNode, unfiledContainer);
} }
} }
/** /**
* Creates unfiled container node and sets up permissions * Creates unfiled container node and sets up permissions
* *
* @param rmRootNode * @param rmRootNode
* @param allRoles * @param allRoles
*/ */
@@ -242,57 +242,57 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
// create the properties map // create the properties map
Map<QName, Serializable> properties = new HashMap<QName, Serializable>(1); Map<QName, Serializable> properties = new HashMap<QName, Serializable>(1);
properties.put(ContentModel.PROP_NAME, NAME_UNFILED_CONTAINER); properties.put(ContentModel.PROP_NAME, NAME_UNFILED_CONTAINER);
// create the unfiled container // create the unfiled container
NodeRef container = nodeService.createNode( NodeRef container = nodeService.createNode(
rmRootNode, rmRootNode,
ASSOC_UNFILED_RECORDS, ASSOC_UNFILED_RECORDS,
QName.createQName(RM_URI, NAME_UNFILED_CONTAINER), QName.createQName(RM_URI, NAME_UNFILED_CONTAINER),
TYPE_UNFILED_RECORD_CONTAINER, TYPE_UNFILED_RECORD_CONTAINER,
properties).getChildRef(); properties).getChildRef();
// set inheritance to false // set inheritance to false
permissionService.setInheritParentPermissions(container, false); permissionService.setInheritParentPermissions(container, false);
permissionService.setPermission(container, allRoles, RMPermissionModel.READ_RECORDS, true); permissionService.setPermission(container, allRoles, RMPermissionModel.READ_RECORDS, true);
permissionService.setPermission(container, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true); permissionService.setPermission(container, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true);
return container; return container;
} }
/** /**
* Delete root node behaviour * Delete root node behaviour
* *
* @param childAssocRef * @param childAssocRef
*/ */
public void onDeleteRootNode(ChildAssociationRef childAssocRef, boolean isNodeArchived) public void onDeleteRootNode(ChildAssociationRef childAssocRef, boolean isNodeArchived)
{ {
logger.debug("onDeleteRootNode called"); logger.debug("onDeleteRootNode called");
// get the deleted node // get the deleted node
final NodeRef rmRootNode = childAssocRef.getChildRef(); final NodeRef rmRootNode = childAssocRef.getChildRef();
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>() AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
{ {
public Object doWork() public Object doWork()
{ {
// cascade delete the 'all' roles group for the site // cascade delete the 'all' roles group for the site
String allRolesGroup = authorityService.getName(AuthorityType.GROUP, getAllRolesGroupShortName(rmRootNode)); String allRolesGroup = authorityService.getName(AuthorityType.GROUP, getAllRolesGroupShortName(rmRootNode));
Set<String> groups = authorityService.getContainedAuthorities(AuthorityType.GROUP, allRolesGroup, true); Set<String> groups = authorityService.getContainedAuthorities(AuthorityType.GROUP, allRolesGroup, true);
for (String group : groups) for (String group : groups)
{ {
authorityService.deleteAuthority(group); authorityService.deleteAuthority(group);
} }
authorityService.deleteAuthority(allRolesGroup, false); authorityService.deleteAuthority(allRolesGroup, false);
return null; return null;
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
/** /**
* Get all the roles by short name * Get all the roles by short name
* *
* @param rmRootNode * @param rmRootNode
* @return * @return
*/ */
@@ -300,7 +300,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{ {
return "AllRoles" + rmRootNode.getId(); return "AllRoles" + rmRootNode.getId();
} }
/** /**
* @param childAssocRef * @param childAssocRef
*/ */
@@ -308,7 +308,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{ {
final NodeRef recordCategory = childAssocRef.getChildRef(); final NodeRef recordCategory = childAssocRef.getChildRef();
setUpPermissions(recordCategory); setUpPermissions(recordCategory);
// Pull any permissions found on the parent (ie the record category) // Pull any permissions found on the parent (ie the record category)
final NodeRef parentNodeRef = childAssocRef.getParentRef(); final NodeRef parentNodeRef = childAssocRef.getParentRef();
if (parentNodeRef != null && nodeService.exists(parentNodeRef) == true) if (parentNodeRef != null && nodeService.exists(parentNodeRef) == true)
@@ -325,7 +325,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
// since this is not a root category, inherit from parent // since this is not a root category, inherit from parent
Set<AccessPermission> perms = permissionService.getAllSetPermissions(parentNodeRef); Set<AccessPermission> perms = permissionService.getAllSetPermissions(parentNodeRef);
for (AccessPermission perm : perms) for (AccessPermission perm : perms)
{ {
if (fillingOnly == false || if (fillingOnly == false ||
RMPermissionModel.FILING.equals(perm.getPermission()) == true) RMPermissionModel.FILING.equals(perm.getPermission()) == true)
@@ -337,19 +337,19 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
allow = true; allow = true;
} }
permissionService.setPermission( permissionService.setPermission(
recordCategory, recordCategory,
perm.getAuthority(), perm.getAuthority(),
perm.getPermission(), perm.getPermission(),
allow); allow);
} }
} }
return null; return null;
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
} }
/** /**
* @param childAssocRef * @param childAssocRef
*/ */
@@ -357,7 +357,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{ {
final NodeRef folderNodeRef = childAssocRef.getChildRef(); final NodeRef folderNodeRef = childAssocRef.getChildRef();
setUpPermissions(folderNodeRef); setUpPermissions(folderNodeRef);
// Pull any permissions found on the parent (ie the record category) // Pull any permissions found on the parent (ie the record category)
final NodeRef catNodeRef = childAssocRef.getParentRef(); final NodeRef catNodeRef = childAssocRef.getParentRef();
if (nodeService.exists(catNodeRef) == true) if (nodeService.exists(catNodeRef) == true)
@@ -367,7 +367,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
public Object doWork() public Object doWork()
{ {
Set<AccessPermission> perms = permissionService.getAllSetPermissions(catNodeRef); Set<AccessPermission> perms = permissionService.getAllSetPermissions(catNodeRef);
for (AccessPermission perm : perms) for (AccessPermission perm : perms)
{ {
if (ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) == false) if (ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) == false)
{ {
@@ -378,43 +378,43 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
allow = true; allow = true;
} }
permissionService.setPermission( permissionService.setPermission(
folderNodeRef, folderNodeRef,
perm.getAuthority(), perm.getAuthority(),
perm.getPermission(), perm.getPermission(),
allow); allow);
} }
} }
return null; return null;
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
} }
/** /**
* *
* @param nodeRef * @param nodeRef
*/ */
public void setUpPermissions(final NodeRef nodeRef) public void setUpPermissions(final NodeRef nodeRef)
{ {
if (nodeService.exists(nodeRef) == true) if (nodeService.exists(nodeRef) == true)
{ {
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>() AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
{ {
public Object doWork() public Object doWork()
{ {
// break inheritance // break inheritance
permissionService.setInheritParentPermissions(nodeRef, false); permissionService.setInheritParentPermissions(nodeRef, false);
// set extended reader permissions // set extended reader permissions
permissionService.setPermission(nodeRef, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true); permissionService.setPermission(nodeRef, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true);
return null; return null;
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#bootstrapDefaultRoles(org.alfresco.service.cmr.repository.NodeRef) * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#bootstrapDefaultRoles(org.alfresco.service.cmr.repository.NodeRef)
*/ */
@@ -422,7 +422,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{ {
bootstrapDefaultRoles(rmRootNode, null); bootstrapDefaultRoles(rmRootNode, null);
} }
private void bootstrapDefaultRoles(final NodeRef rmRootNode, final NodeRef unfiledContainer) private void bootstrapDefaultRoles(final NodeRef rmRootNode, final NodeRef unfiledContainer)
{ {
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>() AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
@@ -446,12 +446,12 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{ {
throw new AlfrescoRuntimeException("Unable to load rm-default-roles-bootstrap.json configuration file.", ioe); throw new AlfrescoRuntimeException("Unable to load rm-default-roles-bootstrap.json configuration file.", ioe);
} }
// Add each role to the rm root node // Add each role to the rm root node
for (int i = 0; i < array.length(); i++) for (int i = 0; i < array.length(); i++)
{ {
JSONObject object = array.getJSONObject(i); JSONObject object = array.getJSONObject(i);
// Get the name of the role // Get the name of the role
String name = null; String name = null;
if (object.has("name") == true) if (object.has("name") == true)
@@ -466,22 +466,22 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{ {
throw new AlfrescoRuntimeException("No name given to default bootstrap role. Check json configuration file."); throw new AlfrescoRuntimeException("No name given to default bootstrap role. Check json configuration file.");
} }
// Get the role's display label // Get the role's display label
String displayLabel = name; String displayLabel = name;
if (object.has("displayLabel") == true) if (object.has("displayLabel") == true)
{ {
displayLabel = object.getString("displayLabel"); displayLabel = object.getString("displayLabel");
} }
// Determine whether the role is an admin role or not // Determine whether the role is an admin role or not
boolean isAdmin = false; boolean isAdmin = false;
if (object.has("isAdmin") == true) if (object.has("isAdmin") == true)
{ {
isAdmin = object.getBoolean("isAdmin"); isAdmin = object.getBoolean("isAdmin");
} }
// Get the roles capabilities // Get the roles capabilities
Set<Capability> capabilities = new HashSet<Capability>(30); Set<Capability> capabilities = new HashSet<Capability>(30);
if (object.has("capabilities") == true) if (object.has("capabilities") == true)
@@ -498,10 +498,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
capabilities.add(capability); capabilities.add(capability);
} }
} }
// Create the role // Create the role
Role role = createRole(rmRootNode, name, displayLabel, capabilities); Role role = createRole(rmRootNode, name, displayLabel, capabilities);
// Add any additional admin permissions // Add any additional admin permissions
if (isAdmin == true) if (isAdmin == true)
{ {
@@ -511,7 +511,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{ {
permissionService.setPermission(unfiledContainer, role.getRoleGroupName(), RMPermissionModel.FILING, true); permissionService.setPermission(unfiledContainer, role.getRoleGroupName(), RMPermissionModel.FILING, true);
} }
// Add the creating user to the administration group // Add the creating user to the administration group
String user = AuthenticationUtil.getFullyAuthenticatedUser(); String user = AuthenticationUtil.getFullyAuthenticatedUser();
authorityService.addAuthority(role.getRoleGroupName(), user); authorityService.addAuthority(role.getRoleGroupName(), user);
@@ -522,15 +522,15 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{ {
throw new AlfrescoRuntimeException("Error loading json configuration file rm-default-roles-bootstrap.json", exception); throw new AlfrescoRuntimeException("Error loading json configuration file rm-default-roles-bootstrap.json", exception);
} }
return null; return null;
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
/** /**
* Helper method to convert a stream to a string. * Helper method to convert a stream to a string.
* *
* @param is input stream * @param is input stream
* @return {@link String} string * @return {@link String} string
* @throws IOException * @throws IOException
@@ -545,50 +545,50 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
*/ */
BufferedReader reader = new BufferedReader(new InputStreamReader(is)); BufferedReader reader = new BufferedReader(new InputStreamReader(is));
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
String line = null; String line = null;
try try
{ {
while ((line = reader.readLine()) != null) while ((line = reader.readLine()) != null)
{ {
sb.append(line + "\n"); sb.append(line + "\n");
} }
} }
finally finally
{ {
try {is.close();} catch (IOException e) {} try {is.close();} catch (IOException e) {}
} }
return sb.toString(); return sb.toString();
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getRoles() * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getRoles()
*/ */
public Set<Role> getRoles(final NodeRef rmRootNode) public Set<Role> getRoles(final NodeRef rmRootNode)
{ {
return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Set<Role>>() return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Set<Role>>()
{ {
public Set<Role> doWork() throws Exception public Set<Role> doWork() throws Exception
{ {
Set<Role> result = new HashSet<Role>(13); Set<Role> result = new HashSet<Role>(13);
Set<String> roleAuthorities = authorityService.getAllAuthoritiesInZone(getZoneName(rmRootNode), AuthorityType.GROUP); Set<String> roleAuthorities = authorityService.getAllAuthoritiesInZone(getZoneName(rmRootNode), AuthorityType.GROUP);
for (String roleAuthority : roleAuthorities) for (String roleAuthority : roleAuthorities)
{ {
String name = getShortRoleName(authorityService.getShortName(roleAuthority), rmRootNode); String name = getShortRoleName(authorityService.getShortName(roleAuthority), rmRootNode);
String displayLabel = authorityService.getAuthorityDisplayName(roleAuthority); String displayLabel = authorityService.getAuthorityDisplayName(roleAuthority);
Set<String> capabilities = getCapabilitiesImpl(rmRootNode, roleAuthority); Map<String, String> capabilities = getCapabilitiesImpl(rmRootNode, roleAuthority);
Role role = new Role(name, displayLabel, capabilities, roleAuthority); Role role = new Role(name, displayLabel, capabilities, roleAuthority);
result.add(role); result.add(role);
} }
return result; return result;
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getRolesByUser(org.alfresco.service.cmr.repository.NodeRef, java.lang.String) * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getRolesByUser(org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
*/ */
@@ -599,29 +599,29 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
public Set<Role> doWork() throws Exception public Set<Role> doWork() throws Exception
{ {
Set<Role> result = new HashSet<Role>(13); Set<Role> result = new HashSet<Role>(13);
Set<String> roleAuthorities = authorityService.getAllAuthoritiesInZone(getZoneName(rmRootNode), AuthorityType.GROUP); Set<String> roleAuthorities = authorityService.getAllAuthoritiesInZone(getZoneName(rmRootNode), AuthorityType.GROUP);
for (String roleAuthority : roleAuthorities) for (String roleAuthority : roleAuthorities)
{ {
Set<String> users = authorityService.getContainedAuthorities(AuthorityType.USER, roleAuthority, false); Set<String> users = authorityService.getContainedAuthorities(AuthorityType.USER, roleAuthority, false);
if (users.contains(user) == true) if (users.contains(user) == true)
{ {
String name = getShortRoleName(authorityService.getShortName(roleAuthority), rmRootNode); String name = getShortRoleName(authorityService.getShortName(roleAuthority), rmRootNode);
String displayLabel = authorityService.getAuthorityDisplayName(roleAuthority); String displayLabel = authorityService.getAuthorityDisplayName(roleAuthority);
Set<String> capabilities = getCapabilitiesImpl(rmRootNode, roleAuthority); Map<String, String> capabilities = getCapabilitiesImpl(rmRootNode, roleAuthority);
Role role = new Role(name, displayLabel, capabilities, roleAuthority); Role role = new Role(name, displayLabel, capabilities, roleAuthority);
result.add(role); result.add(role);
} }
} }
return result; return result;
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
/** /**
* *
* @param rmRootNode * @param rmRootNode
* @return * @return
*/ */
@@ -629,10 +629,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{ {
return RM_ROLE_ZONE_PREFIX + rmRootNode.getId(); return RM_ROLE_ZONE_PREFIX + rmRootNode.getId();
} }
/** /**
* Get the full role name * Get the full role name
* *
* @param role * @param role
* @param rmRootNode * @param rmRootNode
* @return * @return
@@ -641,10 +641,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{ {
return role + rmRootNode.getId(); return role + rmRootNode.getId();
} }
/** /**
* Get the short role name * Get the short role name
* *
* @param fullRoleName * @param fullRoleName
* @param rmRootNode * @param rmRootNode
* @return * @return
@@ -653,7 +653,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{ {
return fullRoleName.replaceAll(rmRootNode.getId(), ""); return fullRoleName.replaceAll(rmRootNode.getId(), "");
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getRole(org.alfresco.service.cmr.repository.NodeRef, java.lang.String) * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getRole(org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
*/ */
@@ -662,46 +662,45 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Role>() return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Role>()
{ {
public Role doWork() throws Exception public Role doWork() throws Exception
{ {
Role result = null; Role result = null;
String roleAuthority = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode)); String roleAuthority = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode));
if (authorityService.authorityExists(roleAuthority) == true) if (authorityService.authorityExists(roleAuthority) == true)
{ {
String name = getShortRoleName(authorityService.getShortName(roleAuthority), rmRootNode); String name = getShortRoleName(authorityService.getShortName(roleAuthority), rmRootNode);
String displayLabel = authorityService.getAuthorityDisplayName(roleAuthority); String displayLabel = authorityService.getAuthorityDisplayName(roleAuthority);
Set<String> capabilities = getCapabilitiesImpl(rmRootNode, roleAuthority); Map<String, String> capabilities = getCapabilitiesImpl(rmRootNode, roleAuthority);
result = new Role(name, displayLabel, capabilities, roleAuthority); result = new Role(name, displayLabel, capabilities, roleAuthority);
} }
return result; return result;
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
/** /**
* *
* @param rmRootNode * @param rmRootNode
* @param roleAuthority * @param roleAuthority
* @return * @return
*/ */
private Set<String> getCapabilitiesImpl(NodeRef rmRootNode, String roleAuthority) private Map<String, String> getCapabilitiesImpl(NodeRef rmRootNode, String roleAuthority)
{ {
Set<AccessPermission> permissions = permissionService.getAllSetPermissions(rmRootNode); Set<AccessPermission> permissions = permissionService.getAllSetPermissions(rmRootNode);
Set<String> capabilities = new HashSet<String>(52); Map<String, String> capabilities = new HashMap<String, String>(52);
for (AccessPermission permission : permissions) for (AccessPermission permission : permissions)
{ {
if (permission.getAuthority().equals(roleAuthority) == true) if (permission.getAuthority().equals(roleAuthority) == true)
{ {
String capabilityName = permission.getPermission(); String capabilityName = permission.getPermission();
if (capabilityService.getCapability(capabilityName) != null) Capability capability = capabilityService.getCapability(capabilityName);
if (capability != null)
{ {
capabilities.add(permission.getPermission()); capabilities.put(capabilityName, capability.getTitle());
} }
} }
} }
return capabilities; return capabilities;
@@ -715,25 +714,25 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Boolean>() return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Boolean>()
{ {
public Boolean doWork() throws Exception public Boolean doWork() throws Exception
{ {
String fullRoleName = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode)); String fullRoleName = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode));
String zone = getZoneName(rmRootNode); String zone = getZoneName(rmRootNode);
Set<String> roles = authorityService.getAllAuthoritiesInZone(zone, AuthorityType.GROUP); Set<String> roles = authorityService.getAllAuthoritiesInZone(zone, AuthorityType.GROUP);
return new Boolean(roles.contains(fullRoleName)); return new Boolean(roles.contains(fullRoleName));
} }
}, AuthenticationUtil.getSystemUserName()).booleanValue(); }, AuthenticationUtil.getSystemUserName()).booleanValue();
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#hasRMAdminRole(org.alfresco.service.cmr.repository.NodeRef, java.lang.String) * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#hasRMAdminRole(org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
* *
* TODO .. change this to check a property of the role its self * TODO .. change this to check a property of the role its self
*/ */
public boolean hasRMAdminRole(NodeRef rmRootNode, String user) public boolean hasRMAdminRole(NodeRef rmRootNode, String user)
{ {
boolean isRMAdmin = false; boolean isRMAdmin = false;
Set<Role> userRoles = this.getRolesByUser(rmRootNode, user); Set<Role> userRoles = this.getRolesByUser(rmRootNode, user);
if (userRoles != null) if (userRoles != null)
{ {
@@ -746,10 +745,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
} }
} }
} }
return isRMAdmin; return isRMAdmin;
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#createRole(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String, java.util.Set) * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#createRole(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String, java.util.Set)
*/ */
@@ -760,44 +759,44 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
public Role doWork() throws Exception public Role doWork() throws Exception
{ {
String fullRoleName = getFullRoleName(role, rmRootNode); String fullRoleName = getFullRoleName(role, rmRootNode);
// Check that the role does not already exist for the rm root node // Check that the role does not already exist for the rm root node
if (authorityService.authorityExists(authorityService.getName(AuthorityType.GROUP, fullRoleName))) if (authorityService.authorityExists(authorityService.getName(AuthorityType.GROUP, fullRoleName)))
{ {
throw new AlfrescoRuntimeException("The role " + role + " already exists for root rm node " + rmRootNode.getId()); throw new AlfrescoRuntimeException("The role " + role + " already exists for root rm node " + rmRootNode.getId());
} }
// Create a group that relates to the records management role // Create a group that relates to the records management role
Set<String> zones = new HashSet<String>(2); Set<String> zones = new HashSet<String>(2);
zones.add(getZoneName(rmRootNode)); zones.add(getZoneName(rmRootNode));
zones.add(AuthorityService.ZONE_APP_DEFAULT); zones.add(AuthorityService.ZONE_APP_DEFAULT);
String roleGroup = authorityService.createAuthority(AuthorityType.GROUP, fullRoleName, roleDisplayLabel, zones); String roleGroup = authorityService.createAuthority(AuthorityType.GROUP, fullRoleName, roleDisplayLabel, zones);
// Add the roleGroup to the "all" role group // Add the roleGroup to the "all" role group
String allRoleGroup = authorityService.getName(AuthorityType.GROUP, getAllRolesGroupShortName(rmRootNode)); String allRoleGroup = authorityService.getName(AuthorityType.GROUP, getAllRolesGroupShortName(rmRootNode));
authorityService.addAuthority(allRoleGroup, roleGroup); authorityService.addAuthority(allRoleGroup, roleGroup);
// Assign the various capabilities to the group on the root records management node // Assign the various capabilities to the group on the root records management node
Set<String> capStrings = new HashSet<String>(53); Map<String, String> capStrings = new HashMap<String, String>(53);
if (capabilities != null) if (capabilities != null)
{ {
for (Capability capability : capabilities) for (Capability capability : capabilities)
{ {
permissionService.setPermission(rmRootNode, roleGroup, capability.getName(), true); permissionService.setPermission(rmRootNode, roleGroup, capability.getName(), true);
} }
// Create the role // Create the role
for (Capability capability : capabilities) for (Capability capability : capabilities)
{ {
capStrings.add(capability.getName()); capStrings.put(capability.getName(), capability.getTitle());
} }
} }
return new Role(role, roleDisplayLabel, capStrings, roleGroup); return new Role(role, roleDisplayLabel, capStrings, roleGroup);
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#updateRole(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String, java.util.Set) * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#updateRole(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String, java.util.Set)
*/ */
@@ -806,30 +805,30 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Role>() return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Role>()
{ {
public Role doWork() throws Exception public Role doWork() throws Exception
{ {
String roleAuthority = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode)); String roleAuthority = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode));
// Reset the role display name // Reset the role display name
authorityService.setAuthorityDisplayName(roleAuthority, roleDisplayLabel); authorityService.setAuthorityDisplayName(roleAuthority, roleDisplayLabel);
// TODO this needs to be improved, removing all and readding is not ideal // TODO this needs to be improved, removing all and readding is not ideal
// Clear the current capabilities // Clear the current capabilities
permissionService.clearPermission(rmRootNode, roleAuthority); permissionService.clearPermission(rmRootNode, roleAuthority);
// Re-add the provided capabilities // Re-add the provided capabilities
for (Capability capability : capabilities) for (Capability capability : capabilities)
{ {
permissionService.setPermission(rmRootNode, roleAuthority, capability.getName(), true); permissionService.setPermission(rmRootNode, roleAuthority, capability.getName(), true);
} }
Set<String> capStrings = new HashSet<String>(capabilities.size()); Map<String, String> capStrings = new HashMap<String, String>(capabilities.size());
for (Capability capability : capabilities) for (Capability capability : capabilities)
{ {
capStrings.add(capability.getName()); capStrings.put(capability.getName(), capability.getTitle());
} }
return new Role(role, roleDisplayLabel, capStrings, roleAuthority); return new Role(role, roleDisplayLabel, capStrings, roleAuthority);
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
@@ -842,15 +841,15 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>() AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
{ {
public Boolean doWork() throws Exception public Boolean doWork() throws Exception
{ {
String roleAuthority = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode)); String roleAuthority = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode));
authorityService.deleteAuthority(roleAuthority); authorityService.deleteAuthority(roleAuthority);
return null; return null;
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#assignRoleToAuthority(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String) * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#assignRoleToAuthority(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String)
*/ */
@@ -859,15 +858,15 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>() AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
{ {
public Boolean doWork() throws Exception public Boolean doWork() throws Exception
{ {
String roleAuthority = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode)); String roleAuthority = authorityService.getName(AuthorityType.GROUP, getFullRoleName(role, rmRootNode));
authorityService.addAuthority(roleAuthority, authorityName); authorityService.addAuthority(roleAuthority, authorityName);
return null; return null;
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#setPermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String, boolean) * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#setPermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String, boolean)
*/ */
@@ -876,7 +875,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
ParameterCheck.mandatory("nodeRef", nodeRef); ParameterCheck.mandatory("nodeRef", nodeRef);
ParameterCheck.mandatory("authority", authority); ParameterCheck.mandatory("authority", authority);
ParameterCheck.mandatory("permission", permission); ParameterCheck.mandatory("permission", permission);
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>() AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
{ {
public Boolean doWork() throws Exception public Boolean doWork() throws Exception
@@ -902,15 +901,15 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
logger.warn("Setting permissions for this node is not supported. (nodeRef=" + nodeRef + ", authority=" + authority + ", permission=" + permission + ")"); logger.warn("Setting permissions for this node is not supported. (nodeRef=" + nodeRef + ", authority=" + authority + ", permission=" + permission + ")");
} }
} }
return null; return null;
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
/** /**
* Helper method to set the read permission up the hierarchy * Helper method to set the read permission up the hierarchy
* *
* @param nodeRef * @param nodeRef
* @param authority * @param authority
*/ */
@@ -924,10 +923,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
setReadPermissionUp(parent, authority); setReadPermissionUp(parent, authority);
} }
} }
/** /**
* Helper method to set the permission down the hierarchy * Helper method to set the permission down the hierarchy
* *
* @param nodeRef * @param nodeRef
* @param authority * @param authority
* @param permission * @param permission
@@ -949,10 +948,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
} }
} }
} }
/** /**
* Set the permission, taking into account that filing is a superset of read * Set the permission, taking into account that filing is a superset of read
* *
* @param nodeRef * @param nodeRef
* @param authority * @param authority
* @param permission * @param permission
@@ -964,10 +963,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
// Remove record read permission before adding filing permission // Remove record read permission before adding filing permission
permissionService.deletePermission(nodeRef, authority, RMPermissionModel.READ_RECORDS); permissionService.deletePermission(nodeRef, authority, RMPermissionModel.READ_RECORDS);
} }
permissionService.setPermission(nodeRef, authority, permission, true); permissionService.setPermission(nodeRef, authority, permission, true);
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#deletePermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String) * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#deletePermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String)
*/ */
@@ -976,10 +975,10 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>() AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
{ {
public Boolean doWork() throws Exception public Boolean doWork() throws Exception
{ {
// Delete permission on this node // Delete permission on this node
permissionService.deletePermission(nodeRef, authority, permission); permissionService.deletePermission(nodeRef, authority, permission);
if (recordsManagementService.isRecordsManagementContainer(nodeRef) == true) if (recordsManagementService.isRecordsManagementContainer(nodeRef) == true)
{ {
List<ChildAssociationRef> assocs = nodeService.getChildAssocs(nodeRef, ContentModel.ASSOC_CONTAINS, RegexQNamePattern.MATCH_ALL); List<ChildAssociationRef> assocs = nodeService.getChildAssocs(nodeRef, ContentModel.ASSOC_CONTAINS, RegexQNamePattern.MATCH_ALL);
@@ -993,12 +992,12 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
} }
} }
} }
return null; return null;
} }
}, AuthenticationUtil.getSystemUserName()); }, AuthenticationUtil.getSystemUserName());
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getProtectedAspects() * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getProtectedAspects()
*/ */
@@ -1008,7 +1007,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
{ {
return modelSecurityService.getProtectedAspects(); return modelSecurityService.getProtectedAspects();
} }
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getProtectedProperties() * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getProtectedProperties()
*/ */


@@ -18,10 +18,10 @@
*/ */
package org.alfresco.module.org_alfresco_module_rm.security; package org.alfresco.module.org_alfresco_module_rm.security;
import java.util.Set; import java.util.Map;
/** /**
* Records management role class * Records management role class
* *
* @author Roy Wetherall * @author Roy Wetherall
*/ */
@@ -29,15 +29,15 @@ public class Role
{ {
private String name; private String name;
private String displayLabel; private String displayLabel;
private Set<String> capabilities; private Map<String, String> capabilities;
private String roleGroupName; private String roleGroupName;
/** /**
* @param name * @param name
* @param displayLabel * @param displayLabel
* @param capabilities * @param capabilities
*/ */
public Role(String name, String displayLabel, Set<String> capabilities, String roleGroupName) public Role(String name, String displayLabel, Map<String, String> capabilities, String roleGroupName)
{ {
this.name = name; this.name = name;
this.displayLabel = displayLabel; this.displayLabel = displayLabel;
@@ -64,7 +64,7 @@ public class Role
/** /**
* @return the capabilities * @return the capabilities
*/ */
public Set<String> getCapabilities() public Map<String, String> getCapabilities()
{ {
return capabilities; return capabilities;
} }
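Review bot: `getCapabilities()` returns the internal `Map<String, String>` as-is, so any caller holding a `Role` can add or remove capability entries on it. Since the map describes what the role is allowed to do, a read-only view is safer: `return Collections.unmodifiableMap(capabilities);` (with `import java.util.Collections;`). The constructor's assignment of `capabilities` falls outside the visible hunks, so it cannot be confirmed from here whether the incoming map is copied; if it is stored by reference, copying it into a new map there would close the same gap on the way in. The Javadoc `@param capabilities` should also say what the map holds, presumably capability name mapped to its display title, and `roleGroupName` has no `@param` entry at all.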


@@ -41,7 +41,7 @@ import org.alfresco.service.cmr.security.AccessStatus;
/** /**
* Declarative capability unit test * Declarative capability unit test
* *
* @author Roy Wetherall * @author Roy Wetherall
*/ */
public class DeclarativeCapabilityTest extends BaseRMTestCase public class DeclarativeCapabilityTest extends BaseRMTestCase
@@ -49,33 +49,33 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
private NodeRef record; private NodeRef record;
private NodeRef declaredRecord; private NodeRef declaredRecord;
private NodeRef undeclaredRecord; private NodeRef undeclaredRecord;
private NodeRef recordFolderContainsFrozen; private NodeRef recordFolderContainsFrozen;
private NodeRef frozenRecord; private NodeRef frozenRecord;
private NodeRef frozenRecord2; private NodeRef frozenRecord2;
private NodeRef frozenRecordFolder; private NodeRef frozenRecordFolder;
private NodeRef closedFolder; private NodeRef closedFolder;
private NodeRef moveToFolder; private NodeRef moveToFolder;
private NodeRef moveToCategory; private NodeRef moveToCategory;
@Override @Override
protected boolean isUserTest() protected boolean isUserTest()
{ {
return true; return true;
} }
@Override @Override
protected void setupTestDataImpl() protected void setupTestDataImpl()
{ {
super.setupTestDataImpl(); super.setupTestDataImpl();
// Pre-filed content // Pre-filed content
record = utils.createRecord(rmFolder, "record.txt"); record = utils.createRecord(rmFolder, "record.txt");
declaredRecord = utils.createRecord(rmFolder, "declaredRecord.txt"); declaredRecord = utils.createRecord(rmFolder, "declaredRecord.txt");
undeclaredRecord = utils.createRecord(rmFolder, "undeclaredRecord.txt"); undeclaredRecord = utils.createRecord(rmFolder, "undeclaredRecord.txt");
// Closed folder // Closed folder
closedFolder = rmService.createRecordFolder(rmContainer, "closedFolder"); closedFolder = rmService.createRecordFolder(rmContainer, "closedFolder");
utils.closeFolder(closedFolder); utils.closeFolder(closedFolder);
@@ -85,36 +85,36 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
frozenRecord = utils.createRecord(rmFolder, "frozenRecord.txt"); frozenRecord = utils.createRecord(rmFolder, "frozenRecord.txt");
frozenRecord2 = utils.createRecord(recordFolderContainsFrozen, "frozen2.txt"); frozenRecord2 = utils.createRecord(recordFolderContainsFrozen, "frozen2.txt");
frozenRecordFolder = rmService.createRecordFolder(rmContainer, "frozenRecordFolder"); frozenRecordFolder = rmService.createRecordFolder(rmContainer, "frozenRecordFolder");
// MoveTo artifacts // MoveTo artifacts
moveToFolder = rmService.createRecordFolder(rmContainer, "moveToFolder"); moveToFolder = rmService.createRecordFolder(rmContainer, "moveToFolder");
moveToCategory = rmService.createRecordCategory(rmContainer, "moveToCategory"); moveToCategory = rmService.createRecordCategory(rmContainer, "moveToCategory");
} }
@Override @Override
protected void setupTestData() protected void setupTestData()
{ {
super.setupTestData(); super.setupTestData();
retryingTransactionHelper.doInTransaction(new RetryingTransactionCallback<Object>() retryingTransactionHelper.doInTransaction(new RetryingTransactionCallback<Object>()
{ {
@Override @Override
public Object execute() throws Throwable public Object execute() throws Throwable
{ {
AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getSystemUserName()); AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getSystemUserName());
utils.declareRecord(declaredRecord); utils.declareRecord(declaredRecord);
utils.declareRecord(frozenRecord); utils.declareRecord(frozenRecord);
utils.declareRecord(frozenRecord2); utils.declareRecord(frozenRecord2);
utils.freeze(frozenRecord); utils.freeze(frozenRecord);
utils.freeze(frozenRecordFolder); utils.freeze(frozenRecordFolder);
utils.freeze(frozenRecord2); utils.freeze(frozenRecord2);
return null; return null;
} }
}); });
} }
@Override @Override
protected void tearDownImpl() protected void tearDownImpl()
{ {
@@ -122,30 +122,30 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
utils.unfreeze(frozenRecord); utils.unfreeze(frozenRecord);
utils.unfreeze(frozenRecordFolder); utils.unfreeze(frozenRecordFolder);
utils.unfreeze(frozenRecord2); utils.unfreeze(frozenRecord2);
super.tearDownImpl(); super.tearDownImpl();
} }
@Override @Override
protected void setupTestUsersImpl(NodeRef filePlan) protected void setupTestUsersImpl(NodeRef filePlan)
{ {
super.setupTestUsersImpl(filePlan); super.setupTestUsersImpl(filePlan);
// Give all the users file permission objects // Give all the users file permission objects
for (String user : testUsers) for (String user : testUsers)
{ {
securityService.setPermission(rmFolder, user, RMPermissionModel.FILING); securityService.setPermission(rmFolder, user, RMPermissionModel.FILING);
securityService.setPermission(moveToFolder, user, RMPermissionModel.READ_RECORDS); securityService.setPermission(moveToFolder, user, RMPermissionModel.READ_RECORDS);
securityService.setPermission(moveToCategory, user, RMPermissionModel.READ_RECORDS); securityService.setPermission(moveToCategory, user, RMPermissionModel.READ_RECORDS);
} }
} }
public void testDeclarativeCapabilities() public void testDeclarativeCapabilities()
{ {
Set<Capability> capabilities = capabilityService.getCapabilities(); Set<Capability> capabilities = capabilityService.getCapabilities();
for (Capability capability : capabilities) for (Capability capability : capabilities)
{ {
if (capability instanceof DeclarativeCapability && if (capability instanceof DeclarativeCapability &&
capability instanceof CompositeCapability == false && capability instanceof CompositeCapability == false &&
capability.isPrivate() == false && capability.isPrivate() == false &&
capability.getName().equals("MoveRecords") == false && capability.getName().equals("MoveRecords") == false &&
@@ -156,84 +156,84 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
} }
} }
} }
private void testDeclarativeCapability(final DeclarativeCapability capability) private void testDeclarativeCapability(final DeclarativeCapability capability)
{ {
for (String user : testUsers) for (String user : testUsers)
{ {
testDeclarativeCapability(capability, user, filePlan); testDeclarativeCapability(capability, user, filePlan);
testDeclarativeCapability(capability, user, rmContainer); testDeclarativeCapability(capability, user, rmContainer);
testDeclarativeCapability(capability, user, rmFolder); testDeclarativeCapability(capability, user, rmFolder);
testDeclarativeCapability(capability, user, record); testDeclarativeCapability(capability, user, record);
} }
} }
private void testDeclarativeCapability(final DeclarativeCapability capability, final String userName, final NodeRef filePlanComponent) private void testDeclarativeCapability(final DeclarativeCapability capability, final String userName, final NodeRef filePlanComponent)
{ {
doTestInTransaction(new Test<Void>() doTestInTransaction(new Test<Void>()
{ {
@Override @Override
public Void run() public Void run()
{ {
AccessStatus accessStatus = capability.hasPermission(filePlanComponent); AccessStatus accessStatus = capability.hasPermission(filePlanComponent);
Set<Role> roles = securityService.getRolesByUser(filePlan, userName); Set<Role> roles = securityService.getRolesByUser(filePlan, userName);
if (roles.isEmpty() == true) if (roles.isEmpty() == true)
{ {
assertEquals("User " + userName + " has no RM role so we expect access to be denied for capability " + capability.getName(), assertEquals("User " + userName + " has no RM role so we expect access to be denied for capability " + capability.getName(),
AccessStatus.DENIED, AccessStatus.DENIED,
accessStatus); accessStatus);
} }
else else
{ {
// Do the kind check here ... // Do the kind check here ...
FilePlanComponentKind actualKind = rmService.getFilePlanComponentKind(filePlanComponent); FilePlanComponentKind actualKind = rmService.getFilePlanComponentKind(filePlanComponent);
List<String> kinds = capability.getKinds(); List<String> kinds = capability.getKinds();
if (kinds == null || if (kinds == null ||
kinds.contains(actualKind.toString()) == true) kinds.contains(actualKind.toString()) == true)
{ {
Map<String, Boolean> conditions = capability.getConditions(); Map<String, Boolean> conditions = capability.getConditions();
boolean conditionResult = getConditionResult(filePlanComponent, conditions); boolean conditionResult = getConditionResult(filePlanComponent, conditions);
assertEquals("User is expected to only have one role.", 1, roles.size()); assertEquals("User is expected to only have one role.", 1, roles.size());
Role role = new ArrayList<Role>(roles).get(0); Role role = new ArrayList<Role>(roles).get(0);
assertNotNull(role); assertNotNull(role);
Set<String> roleCapabilities = role.getCapabilities(); Map<String, String> roleCapabilities = role.getCapabilities();
if (roleCapabilities.contains(capability.getName()) == true && conditionResult == true) if (roleCapabilities.containsKey(capability.getName()) == true && conditionResult == true)
{ {
assertEquals("User " + userName + " has the role " + role.getDisplayLabel() + assertEquals("User " + userName + " has the role " + role.getDisplayLabel() +
" so we expect access to be allowed for capability " + capability.getName() + " on the object " + " so we expect access to be allowed for capability " + capability.getName() + " on the object " +
(String)nodeService.getProperty(filePlanComponent, ContentModel.PROP_NAME), (String)nodeService.getProperty(filePlanComponent, ContentModel.PROP_NAME),
AccessStatus.ALLOWED, AccessStatus.ALLOWED,
accessStatus); accessStatus);
} }
else else
{ {
assertEquals("User " + userName + " has the role " + role.getDisplayLabel() + " so we expect access to be denied for capability " + capability.getName(), assertEquals("User " + userName + " has the role " + role.getDisplayLabel() + " so we expect access to be denied for capability " + capability.getName(),
AccessStatus.DENIED, AccessStatus.DENIED,
accessStatus); accessStatus);
} }
} }
else else
{ {
// Expect fail since the kind is not expected by the capability // Expect fail since the kind is not expected by the capability
assertEquals("NodeRef is of kind" + actualKind + " so we expect access to be denied for capability " + capability.getName(), assertEquals("NodeRef is of kind" + actualKind + " so we expect access to be denied for capability " + capability.getName(),
AccessStatus.DENIED, AccessStatus.DENIED,
accessStatus); accessStatus);
} }
} }
return null; return null;
} }
}, userName); }, userName);
} }
private boolean getConditionResult(NodeRef nodeRef, Map<String, Boolean> conditions) private boolean getConditionResult(NodeRef nodeRef, Map<String, Boolean> conditions)
{ {
boolean result = true; boolean result = true;
if (conditions != null && conditions.size() != 0) if (conditions != null && conditions.size() != 0)
{ {
for (Map.Entry<String, Boolean> entry : conditions.entrySet()) for (Map.Entry<String, Boolean> entry : conditions.entrySet())
@@ -241,7 +241,7 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
// Get the condition bean // Get the condition bean
CapabilityCondition condition = (CapabilityCondition)applicationContext.getBean(entry.getKey()); CapabilityCondition condition = (CapabilityCondition)applicationContext.getBean(entry.getKey());
assertNotNull("Invalid condition name.", condition); assertNotNull("Invalid condition name.", condition);
boolean actual = condition.evaluate(nodeRef); boolean actual = condition.evaluate(nodeRef);
if (actual != entry.getValue().booleanValue()) if (actual != entry.getValue().booleanValue())
{ {
@@ -250,35 +250,17 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
} }
} }
} }
return result; return result;
} }
/** Specific declarative capability tests */ /** Specific declarative capability tests */
public void testFileCapability() public void testFileCapability()
{ {
final Capability capability = capabilityService.getCapability("File"); final Capability capability = capabilityService.getCapability("File");
assertNotNull(capability); assertNotNull(capability);
doTestInTransaction(new Test<Void>()
{
@Override
public Void run()
{
assertEquals(AccessStatus.DENIED, capability.hasPermission(rmContainer));
assertEquals(AccessStatus.ALLOWED, capability.hasPermission(rmFolder));
assertEquals(AccessStatus.ALLOWED, capability.hasPermission(record));
assertEquals(AccessStatus.DENIED, capability.hasPermission(declaredRecord));
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder));
assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen));
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord));
assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder));
return null;
}
}, recordsManagerName);
doTestInTransaction(new Test<Void>() doTestInTransaction(new Test<Void>()
{ {
@Override @Override
@@ -291,19 +273,37 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder)); assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder));
assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen)); assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen));
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord)); assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord));
assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder)); assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder));
return null;
}
}, recordsManagerName);
doTestInTransaction(new Test<Void>()
{
@Override
public Void run()
{
assertEquals(AccessStatus.DENIED, capability.hasPermission(rmContainer));
assertEquals(AccessStatus.ALLOWED, capability.hasPermission(rmFolder));
assertEquals(AccessStatus.ALLOWED, capability.hasPermission(record));
assertEquals(AccessStatus.DENIED, capability.hasPermission(declaredRecord));
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder));
assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen));
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord));
assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder));
return null; return null;
} }
}, rmUserName); }, rmUserName);
} }
public void testMoveRecordCapability() public void testMoveRecordCapability()
{ {
// grab the move record capability // grab the move record capability
final Capability capability = capabilityService.getCapability("MoveRecords"); final Capability capability = capabilityService.getCapability("MoveRecords");
assertNotNull(capability); assertNotNull(capability);
doTestInTransaction(new Test<Void>() doTestInTransaction(new Test<Void>()
{ {
@Override @Override
@@ -317,21 +317,21 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder)); assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder));
assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen)); assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen));
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord)); assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord));
assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder)); assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder));
assertEquals(AccessStatus.UNDETERMINED, capability.hasPermission(undeclaredRecord)); assertEquals(AccessStatus.UNDETERMINED, capability.hasPermission(undeclaredRecord));
// now lets take a look when we know what the destination is // now lets take a look when we know what the destination is
// NOTE: should be denied since we do not have file permission on the destination folder // NOTE: should be denied since we do not have file permission on the destination folder
// despite having the capability! // despite having the capability!
assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(record, moveToFolder)); assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(record, moveToFolder));
assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(declaredRecord, moveToFolder)); assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(declaredRecord, moveToFolder));
assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(undeclaredRecord, moveToFolder)); assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(undeclaredRecord, moveToFolder));
assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(frozenRecord, moveToFolder)); assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(frozenRecord, moveToFolder));
return null; return null;
} }
}, recordsManagerName); }, recordsManagerName);
doTestInTransaction(new Test<Void>() doTestInTransaction(new Test<Void>()
{ {
@Override @Override
@@ -344,7 +344,7 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
return null; return null;
} }
}, rmAdminName); }, rmAdminName);
doTestInTransaction(new Test<Void>() doTestInTransaction(new Test<Void>()
{ {
@Override @Override
@@ -358,20 +358,20 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder)); assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder));
assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen)); assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen));
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord)); assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord));
assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder)); assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder));
assertEquals(AccessStatus.UNDETERMINED, capability.hasPermission(undeclaredRecord)); assertEquals(AccessStatus.UNDETERMINED, capability.hasPermission(undeclaredRecord));
// now lets take a look when we know what the destination is // now lets take a look when we know what the destination is
// NOTE: should be allowed now since we have filling permission on the destination folder // NOTE: should be allowed now since we have filling permission on the destination folder
assertEquals(AccessDecisionVoter.ACCESS_GRANTED, capability.evaluate(record, moveToFolder)); assertEquals(AccessDecisionVoter.ACCESS_GRANTED, capability.evaluate(record, moveToFolder));
assertEquals(AccessDecisionVoter.ACCESS_GRANTED, capability.evaluate(declaredRecord, moveToFolder)); assertEquals(AccessDecisionVoter.ACCESS_GRANTED, capability.evaluate(declaredRecord, moveToFolder));
assertEquals(AccessDecisionVoter.ACCESS_GRANTED, capability.evaluate(undeclaredRecord, moveToFolder)); assertEquals(AccessDecisionVoter.ACCESS_GRANTED, capability.evaluate(undeclaredRecord, moveToFolder));
assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(frozenRecord, moveToFolder)); assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(frozenRecord, moveToFolder));
return null; return null;
} }
}, recordsManagerName); }, recordsManagerName);
doTestInTransaction(new Test<Void>() doTestInTransaction(new Test<Void>()
{ {
@Override @Override
@@ -385,27 +385,27 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder)); assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder));
assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen)); assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen));
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord)); assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord));
assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder)); assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder));
assertEquals(AccessStatus.DENIED, capability.hasPermission(undeclaredRecord)); assertEquals(AccessStatus.DENIED, capability.hasPermission(undeclaredRecord));
// now lets take a look when we know what the destination is // now lets take a look when we know what the destination is
// NOTE: should be allowed now since we have filling permission on the destination folder // NOTE: should be allowed now since we have filling permission on the destination folder
assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(record, moveToFolder)); assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(record, moveToFolder));
assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(declaredRecord, moveToFolder)); assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(declaredRecord, moveToFolder));
assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(undeclaredRecord, moveToFolder)); assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(undeclaredRecord, moveToFolder));
assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(frozenRecord, moveToFolder)); assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(frozenRecord, moveToFolder));
return null; return null;
} }
}, rmUserName); }, rmUserName);
} }
public void testMoveRecordFolderCapability() public void testMoveRecordFolderCapability()
{ {
// grab the move record capability // grab the move record capability
final Capability capability = capabilityService.getCapability("MoveRecordFolder"); final Capability capability = capabilityService.getCapability("MoveRecordFolder");
assertNotNull(capability); assertNotNull(capability);
doTestInTransaction(new Test<Void>() doTestInTransaction(new Test<Void>()
{ {
@Override @Override
@@ -419,15 +419,15 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder)); assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder));
assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen)); assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen));
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord)); assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord));
assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder)); assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder));
assertEquals(AccessStatus.DENIED, capability.hasPermission(undeclaredRecord)); assertEquals(AccessStatus.DENIED, capability.hasPermission(undeclaredRecord));
assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(rmFolder, moveToCategory)); assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(rmFolder, moveToCategory));
return null; return null;
} }
}, recordsManagerName); }, recordsManagerName);
doTestInTransaction(new Test<Void>() doTestInTransaction(new Test<Void>()
{ {
@Override @Override
@@ -440,7 +440,7 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
return null; return null;
} }
}, rmAdminName); }, rmAdminName);
doTestInTransaction(new Test<Void>() doTestInTransaction(new Test<Void>()
{ {
@Override @Override
@@ -453,15 +453,15 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder)); assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder));
assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen)); assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen));
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord)); assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord));
assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder)); assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder));
assertEquals(AccessStatus.DENIED, capability.hasPermission(undeclaredRecord)); assertEquals(AccessStatus.DENIED, capability.hasPermission(undeclaredRecord));
assertEquals(AccessDecisionVoter.ACCESS_GRANTED, capability.evaluate(rmFolder, moveToCategory)); assertEquals(AccessDecisionVoter.ACCESS_GRANTED, capability.evaluate(rmFolder, moveToCategory));
return null; return null;
} }
}, recordsManagerName); }, recordsManagerName);
doTestInTransaction(new Test<Void>() doTestInTransaction(new Test<Void>()
{ {
@Override @Override
@@ -474,11 +474,11 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder)); assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecordFolder));
assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen)); assertEquals(AccessStatus.DENIED, capability.hasPermission(recordFolderContainsFrozen));
assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord)); assertEquals(AccessStatus.DENIED, capability.hasPermission(frozenRecord));
assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder)); assertEquals(AccessStatus.DENIED, capability.hasPermission(closedFolder));
assertEquals(AccessStatus.DENIED, capability.hasPermission(undeclaredRecord)); assertEquals(AccessStatus.DENIED, capability.hasPermission(undeclaredRecord));
assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(rmFolder, moveToCategory)); assertEquals(AccessDecisionVoter.ACCESS_DENIED, capability.evaluate(rmFolder, moveToCategory));
return null; return null;
} }
}, rmUserName); }, rmUserName);