inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-31 17:39:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

New implementation of doclibrary fine grained permissions dialog.

Browse Source 
- Updated to Linton's new design and visuals
 - Removal of obsolete actions
 - SiteManager group permissions can no longer be modified
 - Removal of unnecessary and naughty runAs(systemuser) code patterns in Site permission modification code
 - Setting and Resetting of permissions now working correctly
 - Addition of missing permission checks to doclib actions (fixes issue with apparent ability of a Consumer user able to edit document meta-data - infact they could not, no permission check was performed before rendering the action and cached data was displayed when subsequently clicked)
 - Various other fixes and improvements to related webscripts.
Addition of the SiteContributor role.
Fix to missing json encoding in json.status.ftl
Minor improvements to url encoder/decoder classes and removal of flush() call from RemoteClient that was not required but occasionally caused issues for Flash apps.

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@10579 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Kevin Roast
2008-08-29 13:45:34 +00:00
parent 179093d240
commit 636693bd05
4 changed files with 87 additions and 191 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
config/alfresco/model/sitePermissionDefinitions.xml
View File

@@ -23,6 +23,10 @@
<includePermissionGroup permissionGroup="Collaborator" type="cm:cmobject" /> <includePermissionGroup permissionGroup="Collaborator" type="cm:cmobject" />
</permissionGroup> </permissionGroup>
<permissionGroup name="SiteContributor" allowFullControl="false" expose="true">
<includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
</permissionGroup>
<permissionGroup name="SiteConsumer" allowFullControl="false" expose="true"> <permissionGroup name="SiteConsumer" allowFullControl="false" expose="true">
<includePermissionGroup permissionGroup="Consumer" type="cm:cmobject" /> <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject" />
</permissionGroup> </permissionGroup>

2
source/java/org/alfresco/repo/site/SiteModel.java
View File

@@ -48,6 +48,6 @@ public interface SiteModel
/** Site Permission */ /** Site Permission */
public static final String SITE_MANAGER = "SiteManager"; public static final String SITE_MANAGER = "SiteManager";
public static final String SITE_COLLABORATOR = "SiteCollaborator"; public static final String SITE_COLLABORATOR = "SiteCollaborator";
public static final String SITE_CONTRIBUTOR = "SiteContributor";
public static final String SITE_CONSUMER = "SiteConsumer"; public static final String SITE_CONSUMER = "SiteConsumer";
} }

242
source/java/org/alfresco/repo/site/script/Site.java
View File

@@ -33,12 +33,12 @@ import org.alfresco.repo.jscript.ScriptNode;
import org.alfresco.repo.jscript.ScriptableHashMap; import org.alfresco.repo.jscript.ScriptableHashMap;
import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork; import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.repo.site.SiteInfo; import org.alfresco.repo.site.SiteInfo;
import org.alfresco.repo.site.SiteModel; import org.alfresco.repo.site.SiteModel;
import org.alfresco.repo.site.SiteService; import org.alfresco.repo.site.SiteService;
import org.alfresco.service.ServiceRegistry; import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService; import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.QName; import org.alfresco.service.namespace.QName;
import org.mozilla.javascript.Scriptable; import org.mozilla.javascript.Scriptable;
@@ -451,6 +451,62 @@ public class Site implements Serializable
return hasContainer; return hasContainer;
} }
/**
* Apply a set of permissions to the node.
*
* @param nodeRef node reference
*/
public void setPermissions(final ScriptNode node, final Object permissions)
{
final NodeRef nodeRef = node.getNodeRef();
if (permissions != null && permissions instanceof ScriptableObject)
{
// Get the permission service
final PermissionService permissionService = this.serviceRegistry.getPermissionService();
if (!permissionService.getInheritParentPermissions(nodeRef))
{
// remove existing permissions
permissionService.deletePermissions(nodeRef);
}
// Assign the correct permissions
ScriptableObject scriptable = (ScriptableObject)permissions;
Object[] propIds = scriptable.getIds();
for (int i = 0; i < propIds.length; i++)
{
// Work on each key in turn
Object propId = propIds[i];
// Only interested in keys that are formed of Strings
if (propId instanceof String)
{
// Get the value out for the specified key - it must be String
final String key = (String)propId;
final Object value = scriptable.get(key, scriptable);
if (value instanceof String)
{
// Set the permission on the node
permissionService.setPermission(nodeRef, key, (String)value, true);
}
}
}
// always add the site managers group with SiteManager permission
String managers = this.siteService.getSiteRoleGroup(getShortName(), SiteModel.SITE_MANAGER);
permissionService.setPermission(nodeRef, managers, SiteModel.SITE_MANAGER, true);
// now turn off inherit to finalize our permission changes
permissionService.setInheritParentPermissions(nodeRef, false);
}
else
{
// No permissions passed-in
this.resetAllPermissions(node);
}
}
/** /**
* Reset any permissions that have been set on the node. * Reset any permissions that have been set on the node.
* <p> * <p>
@@ -462,187 +518,19 @@ public class Site implements Serializable
{ {
final NodeRef nodeRef = node.getNodeRef(); final NodeRef nodeRef = node.getNodeRef();
// TODO Check that the node is indeed a child of the site PermissionService permissionService = serviceRegistry.getPermissionService();
try
// Check that the user has permissions to change permissions on the node
if (AccessStatus.ALLOWED.equals(this.serviceRegistry.getPermissionService().hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
{ {
// Do the work as system as we are messing about with permissions // Ensure node isn't inheriting permissions from an ancestor before deleting
AuthenticationUtil.runAs( if (!permissionService.getInheritParentPermissions(nodeRef))
new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork() throws Exception
{
// Reset all the permissions on the node
PermissionService permissionService = serviceRegistry.getPermissionService();
// Ensure node isn't inheriting permissions from an ancestor
if (!permissionService.getInheritParentPermissions(nodeRef))
{
permissionService.deletePermissions(nodeRef);
permissionService.setInheritParentPermissions(nodeRef, true);
}
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
else
{
throw new AlfrescoRuntimeException("You do not have permissions to reset permissions on this node.");
}
}
/**
* Allows all members of the site collaboration rights on the node.
*
* @param nodeRef node reference
*/
public void allowAllMembersCollaborate(ScriptNode node)
{
final NodeRef nodeRef = node.getNodeRef();
// TODO Check that the node is indeed a child of the site
// Get the permission service
final PermissionService permissionService = this.serviceRegistry.getPermissionService();
// Check that the user has permissions to change permissions on the node
if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
{
// Do the work as system as we are messing about with permissions
AuthenticationUtil.runAs(
new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork() throws Exception
{
// Get the site groups
String siteGroup = siteService.getSiteGroup(siteInfo.getShortName());
String managerGroup = siteService.getSiteRoleGroup(siteInfo.getShortName(), SiteModel.SITE_MANAGER);
// Assign the correct permissions
permissionService.setInheritParentPermissions(nodeRef, false);
permissionService.deletePermissions(nodeRef);
permissionService.setPermission(nodeRef, siteGroup, SiteModel.SITE_COLLABORATOR, true);
permissionService.setPermission(nodeRef, managerGroup, SiteModel.SITE_MANAGER, true);
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
else
{
throw new AlfrescoRuntimeException("You do not have permissions to all memebers contribute permissions on this node.");
}
}
/**
* Deny access to all members of the site to the node.
* <p>
* Note, site managers will stil have appropriate permissions on the node.
*
* @param nodeRef node reference
*/
public void denyAllAccess(ScriptNode node)
{
final NodeRef nodeRef = node.getNodeRef();
// TODO Check that the node is indeed a child of the site
// Get the permission service
final PermissionService permissionService = this.serviceRegistry.getPermissionService();
// Check that the user has permissions to change permissions on the node
if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
{
// Do the work as system as we are messing about with permissions
AuthenticationUtil.runAs(
new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork() throws Exception
{
// Get the site groups
String managerGroup = siteService.getSiteRoleGroup(siteInfo.getShortName(), SiteModel.SITE_MANAGER);
// Assign the correct permissions
permissionService.setInheritParentPermissions(nodeRef, false);
permissionService.deletePermissions(nodeRef);
permissionService.setPermission(nodeRef, managerGroup, SiteModel.SITE_MANAGER, true);
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
else
{
throw new AlfrescoRuntimeException("You do not have permissions to all memebers contribute permissions on this node.");
}
}
/**
* Apply a set of permissions to the node.
*
* @param nodeRef node reference
*/
public void setPermissions(final ScriptNode node, final Object permissions)
{
final NodeRef nodeRef = node.getNodeRef();
// TODO Check that the node is indeed a child of the site
if (permissions != null && permissions instanceof ScriptableObject)
{
// Get the permission service
final PermissionService permissionService = this.serviceRegistry.getPermissionService();
// Check that the user has permissions to change permissions on the node
if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.CHANGE_PERMISSIONS)) == true)
{ {
// Do the work as system as we are messing about with permissions permissionService.deletePermissions(nodeRef);
AuthenticationUtil.runAs( permissionService.setInheritParentPermissions(nodeRef, true);
new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork() throws Exception
{
// Assign the correct permissions
Site.this.serviceRegistry.getPermissionService().setInheritParentPermissions(nodeRef, false);
permissionService.deletePermissions(nodeRef);
ScriptableObject scriptable = (ScriptableObject)permissions;
Object[] propIds = scriptable.getIds();
for (int i = 0; i < propIds.length; i++)
{
// Work on each key in turn
Object propId = propIds[i];
// Only interested in keys that are formed of Strings
if (propId instanceof String)
{
// Get the value out for the specified key - it must be String
final String key = (String)propId;
final Object value = scriptable.get(key, scriptable);
if (value instanceof String)
{
// Set the permission on the node
permissionService.setPermission(nodeRef, key, (String)value, true);
}
}
}
return null;
}
}, AuthenticationUtil.getSystemUserName());
}
else
{
throw new AlfrescoRuntimeException("You do not have the authority to update permissions on this node.");
} }
} }
else catch (AccessDeniedException e)
{ {
// No permissions passed-in throw new AlfrescoRuntimeException("You do not have the authority to update permissions on this node.", e);
this.resetAllPermissions(node);
} }
} }
} }

22
source/java/org/alfresco/repo/template/BasePermissionsNode.java
View File

@@ -30,6 +30,7 @@ import java.util.Set;
import org.alfresco.service.cmr.security.AccessPermission; import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;
/** /**
* Base class for Template API objects that support permissions. * Base class for Template API objects that support permissions.
@@ -54,16 +55,19 @@ public abstract class BasePermissionsNode extends BaseContentNode implements Tem
{ {
String userName = this.services.getAuthenticationService().getCurrentUserName(); String userName = this.services.getAuthenticationService().getCurrentUserName();
this.permissions = new ArrayList<String>(4); this.permissions = new ArrayList<String>(4);
Set<AccessPermission> acls = this.services.getPermissionService().getAllSetPermissions(getNodeRef()); if (hasPermission(PermissionService.READ_PERMISSIONS))
for (AccessPermission permission : acls)
{ {
StringBuilder buf = new StringBuilder(64); Set<AccessPermission> acls = this.services.getPermissionService().getAllSetPermissions(getNodeRef());
buf.append(permission.getAccessStatus()) for (AccessPermission permission : acls)
.append(';') {
.append(permission.getAuthority()) StringBuilder buf = new StringBuilder(64);
.append(';') buf.append(permission.getAccessStatus())
.append(permission.getPermission()); .append(';')
this.permissions.add(buf.toString()); .append(permission.getAuthority())
.append(';')
.append(permission.getPermission());
this.permissions.add(buf.toString());
}
} }
} }
return this.permissions; return this.permissions;