RM-2123 Ensure user has clearance to classify content.

Also add clearance check method into security profile. +review RM-58 git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@104750 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-07-31 17:39:05 +00:00 · 2015-05-22 13:20:00 +00:00
parent eafaad25ea
commit 655a8d8a5d
3 changed files with 26 additions and 3 deletions
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml
@@ -140,6 +140,7 @@
         <value>
            org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.getUserSecurityClearance=ACL_ALLOW
            org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.getUsersSecurityClearance=ACL_ALLOW
+            org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.isCurrentUserClearedForClassification=ACL_ALLOW
            org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.setUserSecurityClearance=ACL_ALLOW
            org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.getClearanceLevels=ACL_ALLOW
            org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.*=ACL_DENY
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImpl.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImpl.java
@@ -29,6 +29,7 @@ import java.util.Set;

 import org.alfresco.model.ContentModel;
 import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceException.InvalidNode;
+import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceException.LevelIdNotFound;
 import org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel;
 import org.alfresco.module.org_alfresco_module_rm.util.ServiceBaseImpl;
 import org.alfresco.service.cmr.dictionary.DictionaryService;
@@ -97,11 +98,12 @@ public class ContentClassificationServiceImpl extends ServiceBaseImpl implements
            throw new UnsupportedOperationException(
                        "The content has already been classified. Reclassification is currently not supported.");
        }
+        if (!securityClearanceService.isCurrentUserClearedForClassification(classificationLevelId))
+        {
+            throw new LevelIdNotFound(classificationLevelId);
+        }

        Map<QName, Serializable> properties = new HashMap<QName, Serializable>();
-        // Check the classification level id - an exception will be thrown if the id cannot be found
-        levelManager.findLevelById(classificationLevelId);
-
        // Initial classification id
        if (nodeService.getProperty(content, PROP_INITIAL_CLASSIFICATION) == null)
        {
--- a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImplUnitTest.java
+++ b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImplUnitTest.java
@@ -40,6 +40,7 @@ import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Sets;
 import org.alfresco.model.ContentModel;
 import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceException.InvalidNode;
+import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceException.LevelIdNotFound;
 import org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel;
 import org.alfresco.service.cmr.dictionary.DictionaryService;
 import org.alfresco.service.cmr.repository.NodeRef;
@@ -92,6 +93,7 @@ public class ContentClassificationServiceImplUnitTest implements ClassifiedConte
        NodeRef content = new NodeRef("fake://content/");
        when(mockDictionaryService.isSubClass(mockNodeService.getType(content), ContentModel.TYPE_CONTENT)).thenReturn(true);
        when(mockNodeService.hasAspect(content, ClassifiedContentModel.ASPECT_CLASSIFIED)).thenReturn(false);
+        when(mockSecurityClearanceService.isCurrentUserClearedForClassification("levelId1")).thenReturn(true);

        // Call the method under test.
        contentClassificationServiceImpl.classifyContent("levelId1", "classificationAuthority",
@@ -140,6 +142,24 @@ public class ContentClassificationServiceImplUnitTest implements ClassifiedConte
                    Sets.newHashSet("reasonId1", "reasonId2"), classifiedContent);
    }

+    /**
+     * Check that a user can't classify content with a level that either (a) doesn't exist, or (b) they don't have
+     * clearance for.  (Both cases are covered by the same flow through the code).
+     */
+    @Test(expected = LevelIdNotFound.class)
+    public void classifyContent_notFound()
+    {
+        // Create a classified piece of content.
+        NodeRef classifiedContent = new NodeRef("classified://content/");
+        when(mockDictionaryService.isSubClass(mockNodeService.getType(classifiedContent), ContentModel.TYPE_CONTENT)).thenReturn(true);
+        when(mockNodeService.hasAspect(classifiedContent, ClassifiedContentModel.ASPECT_CLASSIFIED)).thenReturn(false);
+        when(mockSecurityClearanceService.isCurrentUserClearedForClassification("levelId1")).thenReturn(false);
+
+        // Call the method under test.
+        contentClassificationServiceImpl.classifyContent("levelId1", "classificationAuthority",
+                    Sets.newHashSet("reasonId1", "reasonId2"), classifiedContent);
+    }
+
    /**
     * Given that a node does not have the classify aspect applied
     * When I ask for the nodes classification