inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-31 17:39:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

New implementation of doclibrary fine grained permissions dialog.

Browse Source 
- Updated to Linton's new design and visuals
 - Removal of obsolete actions
 - SiteManager group permissions can no longer be modified
 - Removal of unnecessary and naughty runAs(systemuser) code patterns in Site permission modification code
 - Setting and Resetting of permissions now working correctly
 - Addition of missing permission checks to doclib actions (fixes issue with apparent ability of a Consumer user able to edit document meta-data - infact they could not, no permission check was performed before rendering the action and cached data was displayed when subsequently clicked)
 - Various other fixes and improvements to related webscripts.
Addition of the SiteContributor role.
Fix to missing json encoding in json.status.ftl
Minor improvements to url encoder/decoder classes and removal of flush() call from RemoteClient that was not required but occasionally caused issues for Flash apps.

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@10579 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Kevin Roast
2008-08-29 13:45:34 +00:00
parent 179093d240
commit 636693bd05
4 changed files with 87 additions and 191 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
source/java/org/alfresco/repo/site/SiteModel.java
View File

@@ -48,6 +48,6 @@ public interface SiteModel
/** Site Permission */
public static final String SITE_MANAGER = "SiteManager";
public static final String SITE_COLLABORATOR = "SiteCollaborator";
public static final String SITE_CONTRIBUTOR = "SiteContributor";
public static final String SITE_CONSUMER = "SiteConsumer";
}
}

244
source/java/org/alfresco/repo/site/script/Site.java
View File

@@ -33,12 +33,12 @@ import org.alfresco.repo.jscript.ScriptNode;
import org.alfresco.repo.jscript.ScriptableHashMap;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.repo.site.SiteInfo;
import org.alfresco.repo.site.SiteModel;
import org.alfresco.repo.site.SiteService;
import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.QName;
import org.mozilla.javascript.Scriptable;
@@ -451,6 +451,62 @@ public class Site implements Serializable
return hasContainer;
}
/**
* Apply a set of permissions to the node.
*
* @param nodeRef node reference
*/
public void setPermissions(final ScriptNode node, final Object permissions)
{
final NodeRef nodeRef = node.getNodeRef();
if (permissions != null && permissions instanceof ScriptableObject)
{
// Get the permission service
final PermissionService permissionService = this.serviceRegistry.getPermissionService();
if (!permissionService.getInheritParentPermissions(nodeRef))
{
// remove existing permissions
permissionService.deletePermissions(nodeRef);
}
// Assign the correct permissions
ScriptableObject scriptable = (ScriptableObject)permissions;
Object[] propIds = scriptable.getIds();
for (int i = 0; i < propIds.length; i++)
{
// Work on each key in turn
Object propId = propIds[i];
// Only interested in keys that are formed of Strings
if (propId instanceof String)
{
// Get the value out for the specified key - it must be String
final String key = (String)propId;
final Object value = scriptable.get(key, scriptable);
if (value instanceof String)
{
// Set the permission on the node
permissionService.setPermission(nodeRef, key, (String)value, true);
}
}
}
// always add the site managers group with SiteManager permission
String managers = this.siteService.getSiteRoleGroup(getShortName(), SiteModel.SITE_MANAGER);
permissionService.setPermission(nodeRef, managers, SiteModel.SITE_MANAGER, true);
// now turn off inherit to finalize our permission changes
permissionService.setInheritParentPermissions(nodeRef, false);
}
else
{
// No permissions passed-in
this.resetAllPermissions(node);
}
}
/**
* Reset any permissions that have been set on the node.
* <p>
@@ -462,187 +518,19 @@ public class Site implements Serializable
{
final NodeRef nodeRef = node.getNodeRef();
// TODO Check that the node is indeed a child of the site
// Check that the user has permissions to change permissions on the node
if (AccessStatus.ALLOWED.equals(this.serviceRegistry.getPermissionService().hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
{
// Do the work as system as we are messing about with permissions
AuthenticationUtil.runAs(
new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork() throws Exception
{
// Reset all the permissions on the node
PermissionService permissionService = serviceRegistry.getPermissionService();
// Ensure node isn't inheriting permissions from an ancestor
if (!permissionService.getInheritParentPermissions(nodeRef))
{
permissionService.deletePermissions(nodeRef);
permissionService.setInheritParentPermissions(nodeRef, true);
}
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
else
PermissionService permissionService = serviceRegistry.getPermissionService();
try
{
throw new AlfrescoRuntimeException("You do not have permissions to reset permissions on this node.");
}
}
/**
* Allows all members of the site collaboration rights on the node.
*
* @param nodeRef node reference
*/
public void allowAllMembersCollaborate(ScriptNode node)
{
final NodeRef nodeRef = node.getNodeRef();
// TODO Check that the node is indeed a child of the site
// Get the permission service
final PermissionService permissionService = this.serviceRegistry.getPermissionService();
// Check that the user has permissions to change permissions on the node
if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
{
// Do the work as system as we are messing about with permissions
AuthenticationUtil.runAs(
new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork() throws Exception
{
// Get the site groups
String siteGroup = siteService.getSiteGroup(siteInfo.getShortName());
String managerGroup = siteService.getSiteRoleGroup(siteInfo.getShortName(), SiteModel.SITE_MANAGER);
// Assign the correct permissions
permissionService.setInheritParentPermissions(nodeRef, false);
permissionService.deletePermissions(nodeRef);
permissionService.setPermission(nodeRef, siteGroup, SiteModel.SITE_COLLABORATOR, true);
permissionService.setPermission(nodeRef, managerGroup, SiteModel.SITE_MANAGER, true);
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
else
{
throw new AlfrescoRuntimeException("You do not have permissions to all memebers contribute permissions on this node.");
}
}
/**
* Deny access to all members of the site to the node.
* <p>
* Note, site managers will stil have appropriate permissions on the node.
*
* @param nodeRef node reference
*/
public void denyAllAccess(ScriptNode node)
{
final NodeRef nodeRef = node.getNodeRef();
// TODO Check that the node is indeed a child of the site
// Get the permission service
final PermissionService permissionService = this.serviceRegistry.getPermissionService();
// Check that the user has permissions to change permissions on the node
if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
{
// Do the work as system as we are messing about with permissions
AuthenticationUtil.runAs(
new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork() throws Exception
{
// Get the site groups
String managerGroup = siteService.getSiteRoleGroup(siteInfo.getShortName(), SiteModel.SITE_MANAGER);
// Assign the correct permissions
permissionService.setInheritParentPermissions(nodeRef, false);
permissionService.deletePermissions(nodeRef);
permissionService.setPermission(nodeRef, managerGroup, SiteModel.SITE_MANAGER, true);
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
else
{
throw new AlfrescoRuntimeException("You do not have permissions to all memebers contribute permissions on this node.");
}
}
/**
* Apply a set of permissions to the node.
*
* @param nodeRef node reference
*/
public void setPermissions(final ScriptNode node, final Object permissions)
{
final NodeRef nodeRef = node.getNodeRef();
// TODO Check that the node is indeed a child of the site
if (permissions != null && permissions instanceof ScriptableObject)
{
// Get the permission service
final PermissionService permissionService = this.serviceRegistry.getPermissionService();
// Check that the user has permissions to change permissions on the node
if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
{
// Do the work as system as we are messing about with permissions
AuthenticationUtil.runAs(
new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork() throws Exception
{
// Assign the correct permissions
Site.this.serviceRegistry.getPermissionService().setInheritParentPermissions(nodeRef, false);
permissionService.deletePermissions(nodeRef);
ScriptableObject scriptable = (ScriptableObject)permissions;
Object[] propIds = scriptable.getIds();
for (int i = 0; i < propIds.length; i++)
{
// Work on each key in turn
Object propId = propIds[i];
// Only interested in keys that are formed of Strings
if (propId instanceof String)
{
// Get the value out for the specified key - it must be String
final String key = (String)propId;
final Object value = scriptable.get(key, scriptable);
if (value instanceof String)
{
// Set the permission on the node
permissionService.setPermission(nodeRef, key, (String)value, true);
}
}
}
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
else
// Ensure node isn't inheriting permissions from an ancestor before deleting
if (!permissionService.getInheritParentPermissions(nodeRef))
{
throw new AlfrescoRuntimeException("You do not have the authority to update permissions on this node.");
permissionService.deletePermissions(nodeRef);
permissionService.setInheritParentPermissions(nodeRef, true);
}
}
else
catch (AccessDeniedException e)
{
// No permissions passed-in
this.resetAllPermissions(node);
throw new AlfrescoRuntimeException("You do not have the authority to update permissions on this node.", e);
}
}
}
}

22
source/java/org/alfresco/repo/template/BasePermissionsNode.java
View File

@@ -30,6 +30,7 @@ import java.util.Set;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;
/**
* Base class for Template API objects that support permissions.
@@ -54,16 +55,19 @@ public abstract class BasePermissionsNode extends BaseContentNode implements Tem
{
String userName = this.services.getAuthenticationService().getCurrentUserName();
this.permissions = new ArrayList<String>(4);
Set<AccessPermission> acls = this.services.getPermissionService().getAllSetPermissions(getNodeRef());
for (AccessPermission permission : acls)
if (hasPermission(PermissionService.READ_PERMISSIONS))
{
StringBuilder buf = new StringBuilder(64);
buf.append(permission.getAccessStatus())
.append(';')
.append(permission.getAuthority())
.append(';')
.append(permission.getPermission());
this.permissions.add(buf.toString());
Set<AccessPermission> acls = this.services.getPermissionService().getAllSetPermissions(getNodeRef());
for (AccessPermission permission : acls)
{
StringBuilder buf = new StringBuilder(64);
buf.append(permission.getAccessStatus())
.append(';')
.append(permission.getAuthority())
.append(';')
.append(permission.getPermission());
this.permissions.add(buf.toString());
}
}
}
return this.permissions;