RM-2123 Ensure user has clearance to classify content.

Also add clearance check method into security profile.

+review RM-58

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@104750 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml

@@ -140,6 +140,7 @@
          <value>
             org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.getUserSecurityClearance=ACL_ALLOW
             org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.getUsersSecurityClearance=ACL_ALLOW
+            org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.isCurrentUserClearedForClassification=ACL_ALLOW
             org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.setUserSecurityClearance=ACL_ALLOW
             org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.getClearanceLevels=ACL_ALLOW
             org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.*=ACL_DENY

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImpl.java

@@ -29,6 +29,7 @@ import java.util.Set;
 
 import org.alfresco.model.ContentModel;
 import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceException.InvalidNode;
+import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceException.LevelIdNotFound;
 import org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel;
 import org.alfresco.module.org_alfresco_module_rm.util.ServiceBaseImpl;
 import org.alfresco.service.cmr.dictionary.DictionaryService;
@@ -97,11 +98,12 @@ public class ContentClassificationServiceImpl extends ServiceBaseImpl implements
             throw new UnsupportedOperationException(
                         "The content has already been classified. Reclassification is currently not supported.");
         }
+        if (!securityClearanceService.isCurrentUserClearedForClassification(classificationLevelId))
+        {
+            throw new LevelIdNotFound(classificationLevelId);
+        }
 
         Map<QName, Serializable> properties = new HashMap<QName, Serializable>();
-        // Check the classification level id - an exception will be thrown if the id cannot be found
-        levelManager.findLevelById(classificationLevelId);
-
         // Initial classification id
         if (nodeService.getProperty(content, PROP_INITIAL_CLASSIFICATION) == null)
         {

rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/ContentClassificationServiceImplUnitTest.java

@@ -40,6 +40,7 @@ import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Sets;
 import org.alfresco.model.ContentModel;
 import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceException.InvalidNode;
+import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceException.LevelIdNotFound;
 import org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel;
 import org.alfresco.service.cmr.dictionary.DictionaryService;
 import org.alfresco.service.cmr.repository.NodeRef;
@@ -92,6 +93,7 @@ public class ContentClassificationServiceImplUnitTest implements ClassifiedConte
         NodeRef content = new NodeRef("fake://content/");
         when(mockDictionaryService.isSubClass(mockNodeService.getType(content), ContentModel.TYPE_CONTENT)).thenReturn(true);
         when(mockNodeService.hasAspect(content, ClassifiedContentModel.ASPECT_CLASSIFIED)).thenReturn(false);
+        when(mockSecurityClearanceService.isCurrentUserClearedForClassification("levelId1")).thenReturn(true);
 
         // Call the method under test.
         contentClassificationServiceImpl.classifyContent("levelId1", "classificationAuthority",
@@ -140,6 +142,24 @@ public class ContentClassificationServiceImplUnitTest implements ClassifiedConte
                     Sets.newHashSet("reasonId1", "reasonId2"), classifiedContent);
     }
 
+    /**
+     * Check that a user can't classify content with a level that either (a) doesn't exist, or (b) they don't have
+     * clearance for.  (Both cases are covered by the same flow through the code).
+     */
+    @Test(expected = LevelIdNotFound.class)
+    public void classifyContent_notFound()
+    {
+        // Create a classified piece of content.
+        NodeRef classifiedContent = new NodeRef("classified://content/");
+        when(mockDictionaryService.isSubClass(mockNodeService.getType(classifiedContent), ContentModel.TYPE_CONTENT)).thenReturn(true);
+        when(mockNodeService.hasAspect(classifiedContent, ClassifiedContentModel.ASPECT_CLASSIFIED)).thenReturn(false);
+        when(mockSecurityClearanceService.isCurrentUserClearedForClassification("levelId1")).thenReturn(false);
+
+        // Call the method under test.
+        contentClassificationServiceImpl.classifyContent("levelId1", "classificationAuthority",
+                    Sets.newHashSet("reasonId1", "reasonId2"), classifiedContent);
+    }
+
     /**
      * Given that a node does not have the classify aspect applied
      * When I ask for the nodes classification