From 655a8d8a5d65a96449c4910fb395faa36a481c01 Mon Sep 17 00:00:00 2001
From: Tom Page
Date: Fri, 22 May 2015 13:20:00 +0000
Subject: [PATCH] RM-2123 Ensure user has clearance to classify content. Also add clearance check method into security profile. +review RM-58
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@104750 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../classified-content-context.xml | 1 +
 .../ContentClassificationServiceImpl.java | 8 +++++---
 ...tentClassificationServiceImplUnitTest.java | 20 +++++++++++++++++++
 3 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml
index 90d67f742f..c07153d8e1 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml
@@ -140,6 +140,7 @@
 org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.getUserSecurityClearance=ACL_ALLOW
 org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.getUsersSecurityClearance=ACL_ALLOW
+ org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.isCurrentUserClearedForClassification=ACL_ALLOW
 org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.setUserSecurityClearance=ACL_ALLOW
 org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.getClearanceLevels=ACL_ALLOW
 org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.*=ACL_DENY
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImpl.java index f1ae0659cb..001ec25192 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImpl.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImpl.java @@ -29,6 +29,7 @@ import java.util.Set; import org.alfresco.model.ContentModel; import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceException.InvalidNode; +import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceException.LevelIdNotFound; import org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel; import org.alfresco.module.org_alfresco_module_rm.util.ServiceBaseImpl; import org.alfresco.service.cmr.dictionary.DictionaryService; @@ -97,11 +98,12 @@ public class ContentClassificationServiceImpl extends ServiceBaseImpl implements throw new UnsupportedOperationException( "The content has already been classified. Reclassification is currently not supported."); } + if (!securityClearanceService.isCurrentUserClearedForClassification(classificationLevelId)) + { + throw new LevelIdNotFound(classificationLevelId); + } Map properties = new HashMap(); - // Check the classification level id - an exception will be thrown if the id cannot be found - levelManager.findLevelById(classificationLevelId); - // Initial classification id if (nodeService.getProperty(content, PROP_INITIAL_CLASSIFICATION) == null) { 
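Review bot: The new guard in classifyContent throws `LevelIdNotFound` for two different conditions, and the removed `levelManager.findLevelById(classificationLevelId)` call was the only explicit check that the level id exists. After this change an unknown id is rejected only if `isCurrentUserClearedForClassification` returns false for it (or throws itself); that method is not part of this diff, so this should be confirmed against its implementation. If reporting an uncleared level as "not found" is deliberate, so that a caller cannot tell a level above their clearance from a nonexistent one, it deserves a comment above the guard, for example `// An uncleared level is reported exactly like an unknown one, so the response does not reveal which levels exist.` The body of classifyContent starts and ends outside the hunk.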
diff --git a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImplUnitTest.java b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImplUnitTest.java
index 5c0cc10859..4823ebfe4c 100644
--- a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImplUnitTest.java
+++ b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImplUnitTest.java
@@ -40,6 +40,7 @@ import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Sets;
 import org.alfresco.model.ContentModel;
 import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceException.InvalidNode;
+import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceException.LevelIdNotFound;
 import org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel;
 import org.alfresco.service.cmr.dictionary.DictionaryService;
 import org.alfresco.service.cmr.repository.NodeRef;
@@ -92,6 +93,7 @@ public class ContentClassificationServiceImplUnitTest implements ClassifiedConte
 NodeRef content = new NodeRef("fake://content/");
 when(mockDictionaryService.isSubClass(mockNodeService.getType(content), ContentModel.TYPE_CONTENT)).thenReturn(true);
 when(mockNodeService.hasAspect(content, ClassifiedContentModel.ASPECT_CLASSIFIED)).thenReturn(false);
+ when(mockSecurityClearanceService.isCurrentUserClearedForClassification("levelId1")).thenReturn(true);
 // Call the method under test.
 contentClassificationServiceImpl.classifyContent("levelId1", "classificationAuthority",
@@ -140,6 +142,24 @@ public class ContentClassificationServiceImplUnitTest implements ClassifiedConte
 Sets.newHashSet("reasonId1", "reasonId2"), classifiedContent);
 }
+ /**
+ * Check that a user can't classify content with a level that either (a) doesn't exist, or (b) they don't have
+ * clearance for. (Both cases are covered by the same flow through the code).
+ */
+ @Test(expected = LevelIdNotFound.class)
+ public void classifyContent_notFound()
+ {
+ // Create a classified piece of content.
+ NodeRef classifiedContent = new NodeRef("classified://content/");
+ when(mockDictionaryService.isSubClass(mockNodeService.getType(classifiedContent), ContentModel.TYPE_CONTENT)).thenReturn(true);
+ when(mockNodeService.hasAspect(classifiedContent, ClassifiedContentModel.ASPECT_CLASSIFIED)).thenReturn(false);
+ when(mockSecurityClearanceService.isCurrentUserClearedForClassification("levelId1")).thenReturn(false);
+
+ // Call the method under test.
+ contentClassificationServiceImpl.classifyContent("levelId1", "classificationAuthority",
+ Sets.newHashSet("reasonId1", "reasonId2"), classifiedContent);
+ }
+
 /**
 * Given that a node does not have the classify aspect applied
 * When I ask for the nodes classification
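Review bot: In `classifyContent_notFound` the setup comment and the local name contradict the stubs: `hasAspect(..., ASPECT_CLASSIFIED)` is stubbed to return false, so the node is unclassified, yet the comment reads `// Create a classified piece of content.` and the variable is `classifiedContent`. I would change the comment to `// Create an unclassified piece of content.` and rename the local to `content`, matching the classifyContent test earlier in this file. The Javadoc also states that the nonexistent-level case takes the same path, but with `mockSecurityClearanceService` mocked this test only exercises a `false` return; how an unknown id is handled depends on the real clearance service and needs its own test there.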