diff --git a/config/alfresco/model/sitePermissionDefinitions.xml b/config/alfresco/model/sitePermissionDefinitions.xml
index 839bc43bf3..f9f195f0d8 100644
--- a/config/alfresco/model/sitePermissionDefinitions.xml
+++ b/config/alfresco/model/sitePermissionDefinitions.xml
@@ -16,17 +16,21 @@ - + + + + + - +
\ No newline at end of file
diff --git a/source/java/org/alfresco/repo/site/SiteModel.java b/source/java/org/alfresco/repo/site/SiteModel.java
index f93eaa1ed3..00e12b0613 100644
--- a/source/java/org/alfresco/repo/site/SiteModel.java
+++ b/source/java/org/alfresco/repo/site/SiteModel.java
@@ -48,6 +48,6 @@ public interface SiteModel
 /** Site Permission */
 public static final String SITE_MANAGER = "SiteManager";
 public static final String SITE_COLLABORATOR = "SiteCollaborator";
+ public static final String SITE_CONTRIBUTOR = "SiteContributor";
 public static final String SITE_CONSUMER = "SiteConsumer";
-}
-
+}
\ No newline at end of file
diff --git a/source/java/org/alfresco/repo/site/script/Site.java b/source/java/org/alfresco/repo/site/script/Site.java
index b0438e6f85..934dc8c925 100644
--- a/source/java/org/alfresco/repo/site/script/Site.java
+++ b/source/java/org/alfresco/repo/site/script/Site.java
@@ -33,12 +33,12 @@ import org.alfresco.repo.jscript.ScriptNode;
 import org.alfresco.repo.jscript.ScriptableHashMap;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
+import org.alfresco.repo.security.permissions.AccessDeniedException;
 import org.alfresco.repo.site.SiteInfo;
 import org.alfresco.repo.site.SiteModel;
 import org.alfresco.repo.site.SiteService;
 import org.alfresco.service.ServiceRegistry;
 import org.alfresco.service.cmr.repository.NodeRef;
-import org.alfresco.service.cmr.security.AccessStatus;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.QName;
 import org.mozilla.javascript.Scriptable;
@@ -451,6 +451,62 @@ public class Site implements Serializable
 return hasContainer;
 }
+ /**
+ * Apply a set of permissions to the node.
+ *
+ * @param nodeRef node reference
+ */
+ public void setPermissions(final ScriptNode node, final Object permissions)
+ {
+ final NodeRef nodeRef = node.getNodeRef();
+
+ if (permissions != null && permissions instanceof ScriptableObject)
+ {
+ // Get the permission service
+ final PermissionService permissionService = this.serviceRegistry.getPermissionService();
+
+ if (!permissionService.getInheritParentPermissions(nodeRef))
+ {
+ // remove existing permissions
+ permissionService.deletePermissions(nodeRef);
+ }
+
+ // Assign the correct permissions
+ ScriptableObject scriptable = (ScriptableObject)permissions;
+ Object[] propIds = scriptable.getIds();
+ for (int i = 0; i < propIds.length; i++)
+ {
+ // Work on each key in turn
+ Object propId = propIds[i];
+
+ // Only interested in keys that are formed of Strings
+ if (propId instanceof String)
+ {
+ // Get the value out for the specified key - it must be String
+ final String key = (String)propId;
+ final Object value = scriptable.get(key, scriptable);
+ if (value instanceof String)
+ {
+ // Set the permission on the node
+ permissionService.setPermission(nodeRef, key, (String)value, true);
+ }
+ }
+ }
+
+ // always add the site managers group with SiteManager permission
+ String managers = this.siteService.getSiteRoleGroup(getShortName(), SiteModel.SITE_MANAGER);
+ permissionService.setPermission(nodeRef, managers, SiteModel.SITE_MANAGER, true);
+
+ // now turn off inherit to finalize our permission changes
+ permissionService.setInheritParentPermissions(nodeRef, false);
+ }
+ else
+ {
+ // No permissions passed-in
+ this.resetAllPermissions(node);
+ }
+ }
+
 /**
 * Reset any permissions that have been set on the node.
 *
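Review bot: In the added `setPermissions`, existing entries are deleted only when the node is not inheriting (`if (!permissionService.getInheritParentPermissions(nodeRef))`), yet inheritance is switched off at the end regardless, so entries set locally on a node that was still inheriting would survive next to the new ones; the version this commit removes cleared the node unconditionally. Unless the permission model rules out local entries on an inheriting node, call `permissionService.deletePermissions(nodeRef);` unconditionally before the loop. This method also does not wrap `AccessDeniedException` the way the rewritten `resetAllPermissions` does, and a denial raised after the delete leaves the ACL half-applied unless the surrounding transaction rolls back, which deserves a comment. The Javadoc still reads `@param nodeRef` while the parameters are `node` and `permissions`.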

@@ -462,187 +518,19 @@ public class Site implements Serializable
 {
 final NodeRef nodeRef = node.getNodeRef();
- // TODO Check that the node is indeed a child of the site
-
- // Check that the user has permissions to change permissions on the node
- if (AccessStatus.ALLOWED.equals(this.serviceRegistry.getPermissionService().hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
- {
- // Do the work as system as we are messing about with permissions
- AuthenticationUtil.runAs(
- new AuthenticationUtil.RunAsWork()
- {
- public Object doWork() throws Exception
- {
- // Reset all the permissions on the node
- PermissionService permissionService = serviceRegistry.getPermissionService();
- // Ensure node isn't inheriting permissions from an ancestor
- if (!permissionService.getInheritParentPermissions(nodeRef))
- {
- permissionService.deletePermissions(nodeRef);
- permissionService.setInheritParentPermissions(nodeRef, true);
- }
- return null;
- }
-
- }, AuthenticationUtil.getSystemUserName());
-
-
- }
- else
+ PermissionService permissionService = serviceRegistry.getPermissionService();
+ try
 {
- throw new AlfrescoRuntimeException("You do not have permissions to reset permissions on this node.");
- }
- }
-
- /**
- * Allows all members of the site collaboration rights on the node.
- *
- * @param nodeRef node reference
- */
- public void allowAllMembersCollaborate(ScriptNode node)
- {
- final NodeRef nodeRef = node.getNodeRef();
-
- // TODO Check that the node is indeed a child of the site
-
- // Get the permission service
- final PermissionService permissionService = this.serviceRegistry.getPermissionService();
-
- // Check that the user has permissions to change permissions on the node
- if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
- {
- // Do the work as system as we are messing about with permissions
- AuthenticationUtil.runAs(
- new AuthenticationUtil.RunAsWork()
- {
- public Object doWork() throws Exception
- {
- // Get the site groups
- String siteGroup = siteService.getSiteGroup(siteInfo.getShortName());
- String managerGroup = siteService.getSiteRoleGroup(siteInfo.getShortName(), SiteModel.SITE_MANAGER);
-
- // Assign the correct permissions
- permissionService.setInheritParentPermissions(nodeRef, false);
- permissionService.deletePermissions(nodeRef);
- permissionService.setPermission(nodeRef, siteGroup, SiteModel.SITE_COLLABORATOR, true);
- permissionService.setPermission(nodeRef, managerGroup, SiteModel.SITE_MANAGER, true);
-
- return null;
- }
- }, AuthenticationUtil.getSystemUserName());
- }
- else
- {
- throw new AlfrescoRuntimeException("You do not have permissions to all memebers contribute permissions on this node.");
- }
- }
-
- /**
- * Deny access to all members of the site to the node.
- *

- * Note, site managers will stil have appropriate permissions on the node.
- *
- * @param nodeRef node reference
- */
- public void denyAllAccess(ScriptNode node)
- {
- final NodeRef nodeRef = node.getNodeRef();
-
- // TODO Check that the node is indeed a child of the site
-
- // Get the permission service
- final PermissionService permissionService = this.serviceRegistry.getPermissionService();
-
- // Check that the user has permissions to change permissions on the node
- if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
- {
- // Do the work as system as we are messing about with permissions
- AuthenticationUtil.runAs(
- new AuthenticationUtil.RunAsWork()
- {
- public Object doWork() throws Exception
- {
- // Get the site groups
- String managerGroup = siteService.getSiteRoleGroup(siteInfo.getShortName(), SiteModel.SITE_MANAGER);
-
- // Assign the correct permissions
- permissionService.setInheritParentPermissions(nodeRef, false);
- permissionService.deletePermissions(nodeRef);
- permissionService.setPermission(nodeRef, managerGroup, SiteModel.SITE_MANAGER, true);
-
- return null;
- }
- }, AuthenticationUtil.getSystemUserName());
- }
- else
- {
- throw new AlfrescoRuntimeException("You do not have permissions to all memebers contribute permissions on this node.");
- }
- }
-
- /**
- * Apply a set of permissions to the node.
- *
- * @param nodeRef node reference
- */
- public void setPermissions(final ScriptNode node, final Object permissions)
- {
- final NodeRef nodeRef = node.getNodeRef();
-
- // TODO Check that the node is indeed a child of the site
-
- if (permissions != null && permissions instanceof ScriptableObject)
- {
- // Get the permission service
- final PermissionService permissionService = this.serviceRegistry.getPermissionService();
-
- // Check that the user has permissions to change permissions on the node
- if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
- {
- // Do the work as system as we are messing about with permissions
- AuthenticationUtil.runAs(
- new AuthenticationUtil.RunAsWork()
- {
- public Object doWork() throws Exception
- {
- // Assign the correct permissions
- Site.this.serviceRegistry.getPermissionService().setInheritParentPermissions(nodeRef, false);
- permissionService.deletePermissions(nodeRef);
-
- ScriptableObject scriptable = (ScriptableObject)permissions;
- Object[] propIds = scriptable.getIds();
- for (int i = 0; i < propIds.length; i++)
- {
- // Work on each key in turn
- Object propId = propIds[i];
-
- // Only interested in keys that are formed of Strings
- if (propId instanceof String)
- {
- // Get the value out for the specified key - it must be String
- final String key = (String)propId;
- final Object value = scriptable.get(key, scriptable);
- if (value instanceof String)
- {
- // Set the permission on the node
- permissionService.setPermission(nodeRef, key, (String)value, true);
- }
- }
- }
-
- return null;
- }
- }, AuthenticationUtil.getSystemUserName());
- }
- else
+ // Ensure node isn't inheriting permissions from an ancestor before deleting
+ if (!permissionService.getInheritParentPermissions(nodeRef))
 {
- throw new AlfrescoRuntimeException("You do not have the authority to update permissions on this node.");
+ permissionService.deletePermissions(nodeRef);
+ permissionService.setInheritParentPermissions(nodeRef, true);
 }
 }
- else
+ catch (AccessDeniedException e)
 {
- // No permissions passed-in
- this.resetAllPermissions(node);
+ throw new AlfrescoRuntimeException("You do not have the authority to update permissions on this node.", e);
 }
- }
+ }
 }
diff --git a/source/java/org/alfresco/repo/template/BasePermissionsNode.java b/source/java/org/alfresco/repo/template/BasePermissionsNode.java
index 1ac5f5ea93..2ab93b1e4e 100644
--- a/source/java/org/alfresco/repo/template/BasePermissionsNode.java
+++ b/source/java/org/alfresco/repo/template/BasePermissionsNode.java
@@ -30,6 +30,7 @@ import java.util.Set;
 import org.alfresco.service.cmr.security.AccessPermission;
 import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.PermissionService;
 /**
 * Base class for Template API objects that support permissions.
@@ -54,16 +55,19 @@ public abstract class BasePermissionsNode extends BaseContentNode implements Tem
 {
 String userName = this.services.getAuthenticationService().getCurrentUserName();
 this.permissions = new ArrayList(4);
- Set acls = this.services.getPermissionService().getAllSetPermissions(getNodeRef());
- for (AccessPermission permission : acls)
+ if (hasPermission(PermissionService.READ_PERMISSIONS))
 {
- StringBuilder buf = new StringBuilder(64);
- buf.append(permission.getAccessStatus())
- .append(';')
- .append(permission.getAuthority())
- .append(';')
- .append(permission.getPermission());
- this.permissions.add(buf.toString());
+ Set acls = this.services.getPermissionService().getAllSetPermissions(getNodeRef());
+ for (AccessPermission permission : acls)
+ {
+ StringBuilder buf = new StringBuilder(64);
+ buf.append(permission.getAccessStatus())
+ .append(';')
+ .append(permission.getAuthority())
+ .append(';')
+ .append(permission.getPermission());
+ this.permissions.add(buf.toString());
+ }
 }
 }
 return this.permissions;
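Review bot: In Site.java's rewritten `resetAllPermissions`, the only authorization gate left is the permission service rejecting the calling user, and nothing says so: the explicit `CHANGE_PERMISSIONS` test is gone and the `TODO Check that the node is indeed a child of the site` was deleted without the check being added, so any `ScriptNode` handed to this site object is accepted. That is sound only if `serviceRegistry.getPermissionService()` returns the access-controlled service, which the hunk does not show. I would put a comment above the `try`, `// Runs as the calling user: PermissionService must enforce ChangePermissions and signals refusal with AccessDeniedException`, and either restore the site-membership TODO or implement it. The method signature lies outside the hunk.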
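Review bot: In BasePermissionsNode's permissions getter, a user without `READ_PERMISSIONS` now receives the same empty list as a node that has no entries, and that list is stored in `this.permissions`, so it appears to be reused for the lifetime of the object (the enclosing condition is outside the hunk). The method's Javadoc should state this, for example `Returns an empty list when the current user lacks ReadPermissions on the node; the entries are not exposed in that case.` Separately, `userName` is assigned in the context lines and not read anywhere in the hunk; if nothing outside the hunk uses it, the lookup can be dropped.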