From 5d69f6aec7cdb2c8e813ce3fce4b1144c0f5b1d3 Mon Sep 17 00:00:00 2001 From: Roy Wetherall Date: Wed, 24 Apr 2013 07:44:51 +0000 Subject: [PATCH] RM-672: Permissions should be maintained when moving a record * add move behaviour to file plan permission service .. inherited permissions are adjusted, any set directly on the record are kept * added missing unit test for file plan permission service * test add/remove * test record move git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@49535 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../rm-service-context.xml | 1 + .../FilePlanPermissionServiceImpl.java | 135 ++++- .../test/ServicesTestSuite.java | 4 +- .../FilePlanPermissionServiceImplTest.java | 524 ++++++++++++++++++ 4 files changed, 635 insertions(+), 29 deletions(-) create mode 100644 rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml index 94634dba81..67f7f702a7 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml @@ -491,6 +491,7 @@ + diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java index f723a83a79..267c6fc918 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java 
@@ -18,6 +18,7 @@ */ package org.alfresco.module.org_alfresco_module_rm.security; +import java.util.HashSet; import java.util.List; import java.util.Set; @@ -26,6 +27,7 @@ import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService; import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; +import org.alfresco.module.org_alfresco_module_rm.record.RecordService; import org.alfresco.repo.node.NodeServicePolicies; import org.alfresco.repo.policy.JavaBehaviour; import org.alfresco.repo.policy.PolicyComponent; @@ -66,6 +68,9 @@ public class FilePlanPermissionServiceImpl implements FilePlanPermissionService, /** File plan service */ private FilePlanService filePlanService; + + /** Record service */ + private RecordService recordService; /** Logger */ private static Log logger = LogFactory.getLog(FilePlanPermissionServiceImpl.class); @@ -87,6 +92,10 @@ public class FilePlanPermissionServiceImpl implements FilePlanPermissionService, NodeServicePolicies.OnAddAspectPolicy.QNAME, ASPECT_RECORD, new JavaBehaviour(this, "onAddRecord", NotificationFrequency.TRANSACTION_COMMIT)); + policyComponent.bindClassBehaviour( + NodeServicePolicies.OnMoveNodePolicy.QNAME, + ASPECT_RECORD, + new JavaBehaviour(this, "onMoveRecord", NotificationFrequency.TRANSACTION_COMMIT)); } /** @@ -128,6 +137,14 @@ public class FilePlanPermissionServiceImpl implements FilePlanPermissionService, { this.filePlanService = filePlanService; } + + /** + * @param recordService record service + */ + public void setRecordService(RecordService recordService) + { + this.recordService = recordService; + } /** * @param childAssocRef 
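Review bot: Binding `onMoveRecord` at `NotificationFrequency.TRANSACTION_COMMIT` (the `bindClassBehaviour` hunk) means the handler reads the source folder's permissions at commit time, not when the move happens. The handler added later in this patch guards only `nodeService.exists(record)`. If the source parent is deleted or its permissions change in the same transaction, `permissionService.getAllSetPermissions(sourceAssocRef.getParentRef())` may fail or return a different set, which alters which record permissions are judged to be set directly and therefore kept. A guard such as `nodeService.exists(sourceAssocRef.getParentRef()) == true`, with an explicit decision for the missing-parent case (keeping nothing is the conservative choice), would make the outcome deterministic, and a short comment on the binding should say why commit-time notification is wanted. The enclosing method starts and ends outside the hunk.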
@@ -238,35 +255,98 @@ public class FilePlanPermissionServiceImpl implements FilePlanPermissionService, { if (nodeService.exists(record) == true && nodeService.hasAspect(record, aspectTypeQName) == true) { - NodeRef recordFolder = nodeService.getPrimaryParent(record).getParentRef(); - - setUpPermissions(record); - - Set perms = permissionService.getAllSetPermissions(recordFolder); - for (AccessPermission perm : perms) - { - if (ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) == false && - ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(perm.getAuthority()) == false) - { - AccessStatus accessStatus = perm.getAccessStatus(); - boolean allow = false; - if (AccessStatus.ALLOWED.equals(accessStatus) == true) - { - allow = true; - } - permissionService.setPermission( - record, - perm.getAuthority(), - perm.getPermission(), - allow); - } - } + NodeRef recordFolder = nodeService.getPrimaryParent(record).getParentRef(); + initialiseRecordPermissions(record, recordFolder); } return null; } - }, AuthenticationUtil.getSystemUserName()); + }, AuthenticationUtil.getSystemUserName()); + } + + /** + * Initialise the record permissions for the given record folder. 
+ * + * @param record record + * @param recordFolder record folder + */ + private void initialiseRecordPermissions(NodeRef record, NodeRef recordFolder) + { + setUpPermissions(record); + Set perms = permissionService.getAllSetPermissions(recordFolder); + for (AccessPermission perm : perms) + { + if (ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) == false && + ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(perm.getAuthority()) == false) + { + AccessStatus accessStatus = perm.getAccessStatus(); + boolean allow = false; + if (AccessStatus.ALLOWED.equals(accessStatus) == true) + { + allow = true; + } + permissionService.setPermission( + record, + perm.getAuthority(), + perm.getPermission(), + allow); + } + } + + } + + /** + * onMoveRecord behaviour + * + * @param sourceAssocRef source association reference + * @param destinationAssocRef destination association reference + */ + public void onMoveRecord(final ChildAssociationRef sourceAssocRef, final ChildAssociationRef destinationAssocRef) + { + AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork() + { + public Void doWork() + { + NodeRef record = sourceAssocRef.getChildRef(); + if (nodeService.exists(record) == true && nodeService.hasAspect(record, ASPECT_RECORD) == true) + { + Set keepPerms = new HashSet(5); + + // record any permissions specifically set on the record (ie any filling or record_file permisions not on the parent) + Set origionalParentPerms = permissionService.getAllSetPermissions(sourceAssocRef.getParentRef()); + Set origionalRecordPerms= permissionService.getAllSetPermissions(record); + for (AccessPermission perm : origionalRecordPerms) + { + if (ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) == false && + ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(perm.getAuthority()) == false) + { + if ((perm.getPermission().equals(RMPermissionModel.FILING) == true || + perm.getPermission().equals(RMPermissionModel.FILE_RECORDS) == true) 
&& + origionalParentPerms.contains(perm) == false) + { + // then we can assume this is a permission we want to preserve + keepPerms.add(perm); + } + } + } + + // clear all existing permissions and start again + permissionService.deletePermissions(record); + + // re-setup the records permissions + initialiseRecordPermissions(record, destinationAssocRef.getParentRef()); + + // re-add keep'er permissions + for (AccessPermission keeper : keepPerms) + { + setPermission(record, keeper.getAuthority(), keeper.getPermission()); + } + } + + return null; + } + }, AuthenticationUtil.getSystemUserName()); } /** @@ -313,7 +393,7 @@ public class FilePlanPermissionServiceImpl implements FilePlanPermissionService, } else if (recordsManagementService.isRecordsManagementContainer(nodeRef) == true || recordsManagementService.isRecordFolder(nodeRef) == true || - recordsManagementService.isRecord(nodeRef) == true) + recordService.isRecord(nodeRef) == true) { setReadPermissionUp(nodeRef, authority); setPermissionDown(nodeRef, authority, permission); @@ -367,7 +447,7 @@ public class FilePlanPermissionServiceImpl implements FilePlanPermissionService, NodeRef child = assoc.getChildRef(); if (recordsManagementService.isRecordsManagementContainer(child) == true || recordsManagementService.isRecordFolder(child) == true || - recordsManagementService.isRecord(child) == true) + recordService.isRecord(child) == true) { setPermissionDown(child, authority, permission); } @@ -414,7 +494,7 @@ public class FilePlanPermissionServiceImpl implements FilePlanPermissionService, NodeRef child = assoc.getChildRef(); if (recordsManagementService.isRecordsManagementContainer(child) == true || recordsManagementService.isRecordFolder(child) == true || - recordsManagementService.isRecord(child) == true) + recordService.isRecord(child) == true) { deletePermission(child, authority, permission); } 
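Review bot: The access status of a kept permission is lost across the move in `onMoveRecord`: the filter adds `perm` to `keepPerms` without looking at `perm.getAccessStatus()`, and the re-add loop calls `setPermission(record, keeper.getAuthority(), keeper.getPermission())`, which carries no allow flag. If that three-argument service method always grants (its body is outside the hunk), a FILING or FILE_RECORDS entry that was DENIED directly on the record would come back as an allow after the move. `initialiseRecordPermissions` already maps the status to a boolean, so denied entries could be restored with `permissionService.setPermission(record, keeper.getAuthority(), keeper.getPermission(), false);` while allowed ones keep using the service call. Separately, `origionalParentPerms.contains(perm)` depends on how `AccessPermission` implements equality, which is not visible here; a comment stating which fields must match for an entry to count as inherited would help the next reader.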
@@ -425,5 +505,4 @@ public class FilePlanPermissionServiceImpl implements FilePlanPermissionService, } }, AuthenticationUtil.getSystemUserName()); } - } diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/ServicesTestSuite.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/ServicesTestSuite.java index 8797624568..31d60e7b78 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/ServicesTestSuite.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/ServicesTestSuite.java @@ -23,6 +23,7 @@ import org.alfresco.module.org_alfresco_module_rm.test.service.DataSetServiceImp import org.alfresco.module.org_alfresco_module_rm.test.service.DispositionServiceImplTest; import org.alfresco.module.org_alfresco_module_rm.test.service.ExtendedActionServiceTest; import org.alfresco.module.org_alfresco_module_rm.test.service.ExtendedSecurityServiceImplTest; +import org.alfresco.module.org_alfresco_module_rm.test.service.FilePlanPermissionServiceImplTest; import org.alfresco.module.org_alfresco_module_rm.test.service.FilePlanRoleServiceImplTest; import org.alfresco.module.org_alfresco_module_rm.test.service.FilePlanServiceImplTest; import org.alfresco.module.org_alfresco_module_rm.test.service.FreezeServiceImplTest; @@ -62,7 +63,8 @@ import org.junit.runners.Suite.SuiteClasses; RecordServiceImplTest.class, CapabilityServiceImplTest.class, FilePlanRoleServiceImplTest.class, - FilePlanServiceImplTest.class + FilePlanServiceImplTest.class, + FilePlanPermissionServiceImplTest.class }) public class ServicesTestSuite { diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java new file mode 100644 index 0000000000..72a8e4e268 --- /dev/null 
+++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java 
@@ -0,0 +1,524 @@ +/* + * Copyright (C) 2005-2013 Alfresco Software Limited. + * + * This file is part of Alfresco + * + * Alfresco is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * Alfresco is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with Alfresco. If not, see . + */ +package org.alfresco.module.org_alfresco_module_rm.test.service; + +import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; +import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService; +import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase; +import org.alfresco.repo.security.authentication.AuthenticationUtil; +import org.alfresco.service.cmr.repository.NodeRef; +import org.alfresco.service.cmr.security.AccessStatus; +import org.springframework.extensions.webscripts.GUID; + +/** + * File plan permission service unit test + * + * @author Roy Wetherall + * @since 2.1 + */ +public class FilePlanPermissionServiceImplTest extends BaseRMTestCase +{ + /** + * @see org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase#isUserTest() + */ + @Override + protected boolean isUserTest() + { + return true; + } + + /** + * @see org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase#isRecordTest() + */ + @Override + protected boolean isRecordTest() + { + return true; + } + + /** + * Helper to create test user + */ + private String createTestUser() + { + return doTestInTransaction(new Test() + { + @Override + public String run() + { + String userName = 
GUID.generate(); + createPerson(userName); + filePlanRoleService.assignRoleToAuthority(filePlan, FilePlanRoleService.ROLE_USER, userName); + return userName; + } + }, AuthenticationUtil.getSystemUserName()); + } + + /** + * Helper to set permission + */ + private void setPermission(final NodeRef nodeRef, final String userName, final String permission) + { + doTestInTransaction(new Test() + { + @Override + public Void run() + { + filePlanPermissionService.setPermission(nodeRef, userName, permission); + return null; + } + }); + } + + /** + * Helper to delete permission + */ + private void deletePermission(final NodeRef nodeRef, final String userName, final String permission) + { + doTestInTransaction(new Test() + { + @Override + public Void run() + { + filePlanPermissionService.deletePermission(nodeRef, userName, permission); + return null; + } + }); + } + + /** + * test set/delete permissions on file plan + */ + public void testSetDeletePermissionFilePlan() throws Exception + { + String userName = createTestUser(); + + assertPermissions(userName, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + + setPermission(filePlan, userName, RMPermissionModel.FILING); + + assertPermissions(userName, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.ALLOWED, // fileplan file + AccessStatus.ALLOWED, // category read + AccessStatus.ALLOWED, // category file + AccessStatus.ALLOWED, // record folder read + AccessStatus.ALLOWED, // record folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file + + deletePermission(filePlan, userName, RMPermissionModel.FILING); + + assertPermissions(userName, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan 
file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + + //what happens if we try and remove READ for a normal user on the file plan ??? + deletePermission(filePlan, userName, RMPermissionModel.READ_RECORDS); + + // nothing .. user still has read on file plan .. only removing the user from all roles will remove read on file plan + assertPermissions(userName, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + } + + /** + * Test set/delete permission on record categorty + */ + public void testSetDeletePermissionRecordCategory() throws Exception + { + String userName = createTestUser(); + + assertPermissions(userName, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + + setPermission(rmContainer, userName, RMPermissionModel.FILING); + + assertPermissions(userName, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // category read + AccessStatus.ALLOWED, // category file + AccessStatus.ALLOWED, // record folder read + AccessStatus.ALLOWED, // record folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file + + deletePermission(rmContainer, userName, RMPermissionModel.FILING); + + assertPermissions(userName, + AccessStatus.ALLOWED, // 
fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + } + + /** + * Test set/delete permission on record folder + */ + public void testSetDeletePermissionRecordFolder() throws Exception + { + String userName = createTestUser(); + + assertPermissions(userName, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + + setPermission(rmFolder, userName, RMPermissionModel.FILING); + + assertPermissions(userName, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category file + AccessStatus.ALLOWED, // record folder read + AccessStatus.ALLOWED, // record folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file + + deletePermission(rmFolder, userName, RMPermissionModel.FILING); + + assertPermissions(userName, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + } + + /** + * Test set/delete permission on record + */ + public void testSetDeletePermissionRecord() throws Exception + { + String userName = createTestUser(); + + assertPermissions(userName, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // 
category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + + setPermission(recordOne, userName, RMPermissionModel.FILING); + + assertPermissions(userName, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category file + AccessStatus.ALLOWED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file + + deletePermission(recordOne, userName, RMPermissionModel.FILING); + + assertPermissions(userName, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category file + AccessStatus.ALLOWED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + } + + public void testMoveRecord() throws Exception + { + String userOne = createTestUser(); + String userTwo = createTestUser(); + String userThree = createTestUser(); + + final NodeRef otherFolder = doTestInTransaction(new Test() + { + @Override + public NodeRef run() + { + return rmService.createRecordFolder(rmContainer, "otherFolder"); + } + }); + + assertPermissions(userOne, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.READ_RECORDS)); + 
assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.FILING)); + return null; + } + }, userOne); + assertPermissions(userTwo, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.FILING)); + return null; + } + }, userTwo); + assertPermissions(userThree, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.FILING)); + return null; + } + }, userThree); + + setPermission(rmFolder, userOne, RMPermissionModel.FILING); + setPermission(otherFolder, userTwo, RMPermissionModel.FILING); + setPermission(recordOne, userThree, RMPermissionModel.FILING); + + assertPermissions(userOne, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category file + AccessStatus.ALLOWED, // record folder read + AccessStatus.ALLOWED, // record folder file 
+ AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.FILING)); + return null; + } + }, userOne); + assertPermissions(userTwo, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(otherFolder, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(otherFolder, RMPermissionModel.FILING)); + return null; + } + }, userTwo); + assertPermissions(userThree, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category file + AccessStatus.ALLOWED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.FILING)); + return null; + } + }, userThree); + + // move the record! 
+ doTestInTransaction(new Test() + { + @Override + public Void run() throws Exception + { + fileFolderService.move(recordOne, otherFolder, "movedRecord.txt"); + return null; + } + }); + + assertPermissions(userOne, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category file + AccessStatus.ALLOWED, // record folder read + AccessStatus.ALLOWED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.FILING)); + return null; + } + }, userOne); + assertPermissions(userTwo, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(otherFolder, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(otherFolder, RMPermissionModel.FILING)); + return null; + } + }, userTwo); + assertPermissions(userThree, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category file + AccessStatus.ALLOWED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file + doTestInTransaction(new Test() + { + @Override + public Void 
run() + { + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(otherFolder, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.FILING)); + return null; + } + }, userThree); + + } + + + /** + * Helper to assert permissions for passed user + */ + private void assertPermissions(final String userName, final AccessStatus ... accessStatus) + { + assertEquals(8, accessStatus.length); + + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals("Everyone who has a role has read permissions on the file plan", + accessStatus[0], permissionService.hasPermission(filePlan, RMPermissionModel.READ_RECORDS)); + assertEquals(accessStatus[1], permissionService.hasPermission(filePlan, RMPermissionModel.FILING)); + + assertEquals(accessStatus[2], permissionService.hasPermission(rmContainer, RMPermissionModel.READ_RECORDS)); + assertEquals(accessStatus[3], permissionService.hasPermission(rmContainer, RMPermissionModel.FILING)); + + assertEquals(accessStatus[4], permissionService.hasPermission(rmFolder, RMPermissionModel.READ_RECORDS)); + assertEquals(accessStatus[5], permissionService.hasPermission(rmFolder, RMPermissionModel.FILING)); + + assertEquals(accessStatus[6], permissionService.hasPermission(recordOne, RMPermissionModel.READ_RECORDS)); + assertEquals(accessStatus[7], permissionService.hasPermission(recordOne, RMPermissionModel.FILING)); + + return null; + } + }, userName); + } + +}
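Review bot: `testMoveRecord` covers only allowed FILING entries, so two behaviours of the new `onMoveRecord` handler are left unpinned: a permission other than FILING/FILE_RECORDS set directly on the record (the handler does not keep it), and a DENIED entry set on the record. After the move the test also asserts that userThree still has READ_RECORDS on the old `rmFolder` and has gained READ_RECORDS on `otherFolder`, i.e. read access lingers on the source folder and spreads to the destination. If that is intended, a comment at those assertions such as `// kept record permission leaves read on the old parent and adds read on the new one` would record the decision; if not, the expected values need revisiting. The method is also the only test in the class without a Javadoc summary; `/** Test that inherited permissions are replaced and record-level filing permissions are kept on move */` would match its siblings.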