Merged 5.2.0 (5.2.0) to HEAD (5.2)

133746 cturlica: REPO-1758: 5.2 (merge): ACE-5706: Users are denied access to content they should be able to see in v1 REST API
      Merged 5.2.N (5.2.1) to 5.2.0 (5.2.0)
         133619 jvonka: REPO-1709: V1 REST API -  fix download content (fails unexpectedly with 403)
            - introduced by REPO-265


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@134178 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/rest/api/impl/NodesImpl.java

@@ -1978,7 +1978,7 @@ public class NodesImpl implements Nodes
     }
 
     /**
-     * Posts activites based on the activity_type.
+     * Posts activities based on the activity_type.
      * If the method is called with aSync=true then a TransactionListener is used post the activity
      * afterCommit.  Otherwise the activity posting is done synchronously.
      * @param activity_type
@@ -2009,9 +2009,19 @@ public class NodesImpl implements Nodes
         }
     }
 
+    // note: see also org.alfresco.opencmis.ActivityPosterImpl
     protected ActivityInfo getActivityInfo(NodeRef parentNodeRef, NodeRef nodeRef)
     {
-        SiteInfo siteInfo = siteService.getSite(nodeRef);
+        // runAs system, eg. user may not have permission see one or more parents (irrespective of whether in a site context of not)
+        SiteInfo siteInfo = AuthenticationUtil.runAs(new RunAsWork<SiteInfo>()
+        {
+            @Override
+            public SiteInfo doWork() throws Exception
+            {
+                return siteService.getSite(nodeRef);
+            }
+        }, AuthenticationUtil.getSystemUserName());
+
         String siteId = (siteInfo != null ? siteInfo.getShortName() : null);
         if(siteId != null && !siteId.equals(""))
         {

source/test-java/org/alfresco/rest/api/tests/NodeApiTest.java

@@ -3366,7 +3366,7 @@ public class NodeApiTest extends AbstractSingleNetworkSiteTest
     public void testDownloadFileContent() throws Exception
     {
         setRequestContext(user1);
-        
+
         //
         // Test plain text
         //
@@ -3391,7 +3391,7 @@ public class NodeApiTest extends AbstractSingleNetworkSiteTest
         assertEquals(MimetypeMap.MIMETYPE_TEXT_PLAIN, contentInfo.getMimeType());
 
         // Download text content - by default with Content-Disposition header
-        response = getSingle(NodesEntityResource.class, contentNodeId+"/content", null, 200);
+        response = getSingle(NodesEntityResource.class, contentNodeId + "/content", null, 200);
 
         String textContent = response.getResponse();
         assertEquals("The quick brown fox jumps over the lazy dog", textContent);
@@ -3473,6 +3473,69 @@ public class NodeApiTest extends AbstractSingleNetworkSiteTest
         getSingle(getNodeContentUrl(contentNodeId), null, null, headers, 304);
     }
 
+    /**
+     * Tests download of file/content - basic read permission
+     * <p>GET:</p>
+     * {@literal <host>:<port>/alfresco/api/-default-/public/alfresco/versions/1/nodes/<nodeId>/content}
+     */
+    @Test
+    public void testDownloadFileContentReadPermission() throws Exception
+    {
+        setRequestContext(user1);
+
+        String fileName = "quick-1.txt";
+        File file = getResourceFile(fileName);
+
+        MultiPartBuilder multiPartBuilder = MultiPartBuilder.create()
+                .setFileData(new FileData(fileName, file));
+        MultiPartRequest reqBody = multiPartBuilder.build();
+
+        // Upload text content
+        HttpResponse response = post(getNodeChildrenUrl(Nodes.PATH_MY), reqBody.getBody(), null, reqBody.getContentType(), 201);
+        Document document = RestApiUtil.parseRestApiEntry(response.getJsonResponse(), Document.class);
+        String contentNodeId = document.getId();
+
+        // Download text content
+        response = getSingle(NodesEntityResource.class, contentNodeId+"/content", null, 200);
+        String textContent = response.getResponse();
+        assertEquals("The quick brown fox jumps over the lazy dog", textContent);
+
+        // Also test versions endpoint (1.0 in this case)
+        response = getSingle(NodesEntityResource.class, contentNodeId+"/versions/1.0/content", null, 200);
+        textContent = response.getResponse();
+        assertEquals("The quick brown fox jumps over the lazy dog", textContent);
+
+        // -ve test: user2 does not have read permission
+        setRequestContext(user2);
+        getSingle(NodesEntityResource.class, contentNodeId+"/content", null, 403);
+        getSingle(NodesEntityResource.class, contentNodeId+"/versions/1.0/content", null, 403);
+
+        // add Consumer (~ Read) permission
+        setRequestContext(user1);
+
+        Document dUpdate = new Document();
+        NodePermissions nodePermissions = new NodePermissions();
+        List<NodePermissions.NodePermission> locallySetPermissions = new ArrayList<>();
+        locallySetPermissions.add(new NodePermissions.NodePermission(user2, PermissionService.CONSUMER, AccessStatus.ALLOWED.toString()));
+        nodePermissions.setLocallySet(locallySetPermissions);
+        dUpdate.setPermissions(nodePermissions);
+
+        // update node
+        response = put(URL_NODES, contentNodeId, toJsonAsStringNonNull(dUpdate), null, 200);
+
+        setRequestContext(user2);
+
+        // Download text content
+        response = getSingle(NodesEntityResource.class, contentNodeId+"/content", null, 200);
+        textContent = response.getResponse();
+        assertEquals("The quick brown fox jumps over the lazy dog", textContent);
+
+        // Also test versions endpoint (1.0 in this case)
+        response = getSingle(NodesEntityResource.class, contentNodeId+"/versions/1.0/content", null, 200);
+        textContent = response.getResponse();
+        assertEquals("The quick brown fox jumps over the lazy dog", textContent);
+    }
+
     /**
      * Tests optional lookup of Allowable Operations (eg. when getting node info, listing node children, ...)
      *