New implementation of doclibrary fine grained permissions dialog.

- Updated to Linton's new design and visuals
 - Removal of obsolete actions
 - SiteManager group permissions can no longer be modified
 - Removal of unnecessary and naughty runAs(systemuser) code patterns in Site permission modification code
 - Setting and Resetting of permissions now working correctly
 - Addition of missing permission checks to doclib actions (fixes issue where a Consumer user was apparently able to edit document meta-data - in fact they could not; no permission check was performed before rendering the action, and cached data was displayed when it was subsequently clicked)
 - Various other fixes and improvements to related webscripts.
Addition of the SiteContributor role.
Fix to missing json encoding in json.status.ftl
Minor improvements to url encoder/decoder classes and removal of flush() call from RemoteClient that was not required but occasionally caused issues for Flash apps.

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@10579 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Kevin Roast
2008-08-29 13:45:34 +00:00
parent 179093d240
commit 636693bd05
4 changed files with 87 additions and 191 deletions


@@ -23,6 +23,10 @@
<includePermissionGroup permissionGroup="Collaborator" type="cm:cmobject" /> <includePermissionGroup permissionGroup="Collaborator" type="cm:cmobject" />
</permissionGroup> </permissionGroup>
<permissionGroup name="SiteContributor" allowFullControl="false" expose="true">
<includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
</permissionGroup>
<permissionGroup name="SiteConsumer" allowFullControl="false" expose="true"> <permissionGroup name="SiteConsumer" allowFullControl="false" expose="true">
<includePermissionGroup permissionGroup="Consumer" type="cm:cmobject" /> <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject" />
</permissionGroup> </permissionGroup>


@@ -48,6 +48,6 @@ public interface SiteModel
/** Site Permission */ /** Site Permission */
public static final String SITE_MANAGER = "SiteManager"; public static final String SITE_MANAGER = "SiteManager";
public static final String SITE_COLLABORATOR = "SiteCollaborator"; public static final String SITE_COLLABORATOR = "SiteCollaborator";
public static final String SITE_CONTRIBUTOR = "SiteContributor";
public static final String SITE_CONSUMER = "SiteConsumer"; public static final String SITE_CONSUMER = "SiteConsumer";
} }


@@ -33,12 +33,12 @@ import org.alfresco.repo.jscript.ScriptNode;
import org.alfresco.repo.jscript.ScriptableHashMap; import org.alfresco.repo.jscript.ScriptableHashMap;
import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork; import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.repo.site.SiteInfo; import org.alfresco.repo.site.SiteInfo;
import org.alfresco.repo.site.SiteModel; import org.alfresco.repo.site.SiteModel;
import org.alfresco.repo.site.SiteService; import org.alfresco.repo.site.SiteService;
import org.alfresco.service.ServiceRegistry; import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService; import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.QName; import org.alfresco.service.namespace.QName;
import org.mozilla.javascript.Scriptable; import org.mozilla.javascript.Scriptable;
@@ -451,135 +451,6 @@ public class Site implements Serializable
return hasContainer; return hasContainer;
} }
/**
* Reset any permissions that have been set on the node.
* <p>
* All permissions will be deleted and the node set to inherit permissions.
*
* @param nodeRef node reference
*/
public void resetAllPermissions(ScriptNode node)
{
final NodeRef nodeRef = node.getNodeRef();
// TODO Check that the node is indeed a child of the site
// Check that the user has permissions to change permissions on the node
if (AccessStatus.ALLOWED.equals(this.serviceRegistry.getPermissionService().hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
{
// Do the work as system as we are messing about with permissions
AuthenticationUtil.runAs(
new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork() throws Exception
{
// Reset all the permissions on the node
PermissionService permissionService = serviceRegistry.getPermissionService();
// Ensure node isn't inheriting permissions from an ancestor
if (!permissionService.getInheritParentPermissions(nodeRef))
{
permissionService.deletePermissions(nodeRef);
permissionService.setInheritParentPermissions(nodeRef, true);
}
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
else
{
throw new AlfrescoRuntimeException("You do not have permissions to reset permissions on this node.");
}
}
/**
* Allows all members of the site collaboration rights on the node.
*
* @param nodeRef node reference
*/
public void allowAllMembersCollaborate(ScriptNode node)
{
final NodeRef nodeRef = node.getNodeRef();
// TODO Check that the node is indeed a child of the site
// Get the permission service
final PermissionService permissionService = this.serviceRegistry.getPermissionService();
// Check that the user has permissions to change permissions on the node
if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
{
// Do the work as system as we are messing about with permissions
AuthenticationUtil.runAs(
new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork() throws Exception
{
// Get the site groups
String siteGroup = siteService.getSiteGroup(siteInfo.getShortName());
String managerGroup = siteService.getSiteRoleGroup(siteInfo.getShortName(), SiteModel.SITE_MANAGER);
// Assign the correct permissions
permissionService.setInheritParentPermissions(nodeRef, false);
permissionService.deletePermissions(nodeRef);
permissionService.setPermission(nodeRef, siteGroup, SiteModel.SITE_COLLABORATOR, true);
permissionService.setPermission(nodeRef, managerGroup, SiteModel.SITE_MANAGER, true);
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
else
{
throw new AlfrescoRuntimeException("You do not have permissions to all memebers contribute permissions on this node.");
}
}
/**
* Deny access to all members of the site to the node.
* <p>
* Note, site managers will stil have appropriate permissions on the node.
*
* @param nodeRef node reference
*/
public void denyAllAccess(ScriptNode node)
{
final NodeRef nodeRef = node.getNodeRef();
// TODO Check that the node is indeed a child of the site
// Get the permission service
final PermissionService permissionService = this.serviceRegistry.getPermissionService();
// Check that the user has permissions to change permissions on the node
if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
{
// Do the work as system as we are messing about with permissions
AuthenticationUtil.runAs(
new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork() throws Exception
{
// Get the site groups
String managerGroup = siteService.getSiteRoleGroup(siteInfo.getShortName(), SiteModel.SITE_MANAGER);
// Assign the correct permissions
permissionService.setInheritParentPermissions(nodeRef, false);
permissionService.deletePermissions(nodeRef);
permissionService.setPermission(nodeRef, managerGroup, SiteModel.SITE_MANAGER, true);
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
else
{
throw new AlfrescoRuntimeException("You do not have permissions to all memebers contribute permissions on this node.");
}
}
/** /**
* Apply a set of permissions to the node. * Apply a set of permissions to the node.
* *
@@ -589,26 +460,18 @@ public class Site implements Serializable
{ {
final NodeRef nodeRef = node.getNodeRef(); final NodeRef nodeRef = node.getNodeRef();
// TODO Check that the node is indeed a child of the site
if (permissions != null && permissions instanceof ScriptableObject) if (permissions != null && permissions instanceof ScriptableObject)
{ {
// Get the permission service // Get the permission service
final PermissionService permissionService = this.serviceRegistry.getPermissionService(); final PermissionService permissionService = this.serviceRegistry.getPermissionService();
// Check that the user has permissions to change permissions on the node if (!permissionService.getInheritParentPermissions(nodeRef))
if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
{ {
// Do the work as system as we are messing about with permissions // remove existing permissions
AuthenticationUtil.runAs(
new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork() throws Exception
{
// Assign the correct permissions
Site.this.serviceRegistry.getPermissionService().setInheritParentPermissions(nodeRef, false);
permissionService.deletePermissions(nodeRef); permissionService.deletePermissions(nodeRef);
}
// Assign the correct permissions
ScriptableObject scriptable = (ScriptableObject)permissions; ScriptableObject scriptable = (ScriptableObject)permissions;
Object[] propIds = scriptable.getIds(); Object[] propIds = scriptable.getIds();
for (int i = 0; i < propIds.length; i++) for (int i = 0; i < propIds.length; i++)
@@ -630,14 +493,12 @@ public class Site implements Serializable
} }
} }
return null; // always add the site managers group with SiteManager permission
} String managers = this.siteService.getSiteRoleGroup(getShortName(), SiteModel.SITE_MANAGER);
}, AuthenticationUtil.getSystemUserName()); permissionService.setPermission(nodeRef, managers, SiteModel.SITE_MANAGER, true);
}
else // now turn off inherit to finalize our permission changes
{ permissionService.setInheritParentPermissions(nodeRef, false);
throw new AlfrescoRuntimeException("You do not have the authority to update permissions on this node.");
}
} }
else else
{ {
@@ -645,4 +506,31 @@ public class Site implements Serializable
this.resetAllPermissions(node); this.resetAllPermissions(node);
} }
} }
/**
* Reset any permissions that have been set on the node.
* <p>
* All permissions will be deleted and the node set to inherit permissions.
*
* @param nodeRef node reference
*/
public void resetAllPermissions(ScriptNode node)
{
final NodeRef nodeRef = node.getNodeRef();
PermissionService permissionService = serviceRegistry.getPermissionService();
try
{
// Ensure node isn't inheriting permissions from an ancestor before deleting
if (!permissionService.getInheritParentPermissions(nodeRef))
{
permissionService.deletePermissions(nodeRef);
permissionService.setInheritParentPermissions(nodeRef, true);
}
}
catch (AccessDeniedException e)
{
throw new AlfrescoRuntimeException("You do not have the authority to update permissions on this node.", e);
}
}
} }
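Review bot: In setPermissions (the hunks at -589 and -630) the deletePermissions, setPermission and setInheritParentPermissions calls now run as the calling user, but nothing there catches AccessDeniedException the way the re-added resetAllPermissions does. Because deletePermissions runs first, a denial on a later call leaves the node with its ACL cleared unless an enclosing transaction rolls back, which is not visible here. I would wrap the block in the same handler, `catch (AccessDeniedException e) { throw new AlfrescoRuntimeException("You do not have the authority to update permissions on this node.", e); }`. The `// TODO Check that the node is indeed a child of the site` comment appears to be dropped while the check is still absent, and the method grants this site's manager group SiteManager on whatever node it is passed, so I would keep that comment until the check exists. setPermissions starts and ends outside these hunks, so the loop body between them was not reviewed.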


@@ -30,6 +30,7 @@ import java.util.Set;
import org.alfresco.service.cmr.security.AccessPermission; import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;
/** /**
* Base class for Template API objects that support permissions. * Base class for Template API objects that support permissions.
@@ -54,6 +55,8 @@ public abstract class BasePermissionsNode extends BaseContentNode implements Tem
{ {
String userName = this.services.getAuthenticationService().getCurrentUserName(); String userName = this.services.getAuthenticationService().getCurrentUserName();
this.permissions = new ArrayList<String>(4); this.permissions = new ArrayList<String>(4);
if (hasPermission(PermissionService.READ_PERMISSIONS))
{
Set<AccessPermission> acls = this.services.getPermissionService().getAllSetPermissions(getNodeRef()); Set<AccessPermission> acls = this.services.getPermissionService().getAllSetPermissions(getNodeRef());
for (AccessPermission permission : acls) for (AccessPermission permission : acls)
{ {
@@ -66,6 +69,7 @@ public abstract class BasePermissionsNode extends BaseContentNode implements Tem
this.permissions.add(buf.toString()); this.permissions.add(buf.toString());
} }
} }
}
return this.permissions; return this.permissions;
} }
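Review bot: The new `if (hasPermission(PermissionService.READ_PERMISSIONS))` guard makes this getter return an empty list when the current user may not read the ACL, which a template cannot tell apart from a node that has no permissions set, and the method comment does not mention it. I would add a line to the Javadoc such as `Returns an empty list if the current user lacks READ_PERMISSIONS on the node.` The empty list is also assigned to `this.permissions`; if the code above the hunk computes the field only once per object, that caching deserves a one-line comment too. The method's signature and opening lines are outside the hunk.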