From 66e1047e6e8b13dfd557d4be665b01150d5994b0 Mon Sep 17 00:00:00 2001
From: Dave Ward <left@alfresco.com>
Date: Fri, 20 Apr 2012 16:51:08 +0000
Subject: [PATCH] 1Merged V4.0-BUG-FIX to HEAD    35438: Merged
 BRANCHES/DEV/THOR0 to BRANCHES/DEV/V4.0-BUG-FIX:        - fix merge issue
 (THOR-4 / ALF-13756)    35446: Merged BRANCHES/DEV/THOR0 to
 BRANCHES/DEV/V4.0-BUG-FIX:       29422: record-only       29453: build/test
 fix (AspectTest, PolicyTest, WebScriptTestSuite)    35448: ALF-13770: Merged
 V3.4-BUG-FIX (3.4.10) to V4.0-BUG-FIX (4.0.2)       35447: ALF-13769: Merged
 V3.4.8 (3.4.8.7) to V3.4-BUG-FIX (3.4.10)          35435: ALF-11535 Home
 Folder Synchronizer fails when destination folder already exists            
 - HomeFolderProviderSynchronizerTest was broken on build m/c because
 PersonTest (in the same suite) created               its own
 UserNameMatcherImpl and left it attached to the personServiceImpl.         
 35413: ALF-11535 Home Folder Synchronizer (HFS) fails when destination folder
 already exists             - HomeFolderManager no longer returns an existing
 folder (unless the provider is an ExistingPathBasedHomeFolderProvider*),     
          but will append -N (where N is an integer) so that a new folder is
 always created.               This fixes an unreported bug (when case
 sensitive user names are in use) that users created in Share that only differ
               in case would have shared the same home folder.             -
 Modified HFS to log more 'info' rather than 'debug' messages so it is
 possible for administrators to understand the moves               and errors
 better.             - Modified HFS to understand that Alfresco does not allow
 duplicate folders/content when case is ignored.             - Added unit test
 for case insensitive user names.             - Modified HFS to allows folder
 structure to change case on re-sync    35451: Fix for ALF-13503 Add SOLR
 client API tests to the SystemBuildTest project    - missed keystore from
 checkin    35454: Improved solution for ALF-13286 - after changes to
 "SiteService" ProxyFactoryBean definition from Andy.     - now checks user
 ability to execute the SiteService.createSite() method based on ACLs defined
 - avoiding AccessDeniedException.    35462: Merged BRANCHES/DEV/THOR1 to
 BRANCHES/DEV/V4.0-BUG-FIX:    - minor manual merge (to avoid future conflict)
    35465: Fix for ALF-13454 - Advanced search date picker missing the
 additional pop up    35475: ALF-12780 - CIFS and TextEdit shuffle    35495:
 ALF-13753: Prevent users from editing the name of locked documents in Share
 via the insitu editor

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@35499 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../repository/site/sites.post.json.js        |  7 ++
 .../repo/web/scripts/BaseWebScriptTest.java   | 12 ++-
 .../LocalTestRunAsAuthenticatorFactory.java   | 87 +++++++++++++++++++
 3 files changed, 104 insertions(+), 2 deletions(-)
 create mode 100644 source/java/org/alfresco/repo/web/scripts/servlet/LocalTestRunAsAuthenticatorFactory.java

diff --git a/config/alfresco/templates/webscripts/org/alfresco/repository/site/sites.post.json.js b/config/alfresco/templates/webscripts/org/alfresco/repository/site/sites.post.json.js
index d91cb0ba28..22dd25e352 100644
--- a/config/alfresco/templates/webscripts/org/alfresco/repository/site/sites.post.json.js
+++ b/config/alfresco/templates/webscripts/org/alfresco/repository/site/sites.post.json.js
@@ -1,5 +1,12 @@
 function main()
 {
+   // Ensure the user has Create Site capability
+   if (!siteService.hasCreateSitePermissions())
+   {
+      status.setCode(status.STATUS_FORBIDDEN, "error.noPermissions");
+      return;
+   }
+   
    // Get the details of the site
    if (json.has("shortName") == false || json.get("shortName").length == 0)
    {
diff --git a/source/java/org/alfresco/repo/web/scripts/BaseWebScriptTest.java b/source/java/org/alfresco/repo/web/scripts/BaseWebScriptTest.java
index 59228ba7fe..29c0847c75 100644
--- a/source/java/org/alfresco/repo/web/scripts/BaseWebScriptTest.java
+++ b/source/java/org/alfresco/repo/web/scripts/BaseWebScriptTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2010 Alfresco Software Limited.
+ * Copyright (C) 2005-2012 Alfresco Software Limited.
  *
  * This file is part of Alfresco
  *
@@ -32,6 +32,7 @@ import junit.textui.ResultPrinter;
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
+import org.alfresco.repo.web.scripts.servlet.LocalTestRunAsAuthenticatorFactory;
 import org.apache.commons.httpclient.Header;
 import org.apache.commons.httpclient.HttpClient;
 import org.apache.commons.httpclient.HttpMethod;
@@ -338,6 +339,14 @@ public abstract class BaseWebScriptTest extends TestCase
         throws IOException
     {
         asUser = (asUser == null) ? defaultRunAs : asUser;
+        
+        TestWebScriptServer tws = getServer();
+        if (AuthenticationUtil.isMtEnabled())
+        {
+            // MT repository container requires non-none authentication (ie. guest or higher)
+            tws.setServletAuthenticatorFactory(new LocalTestRunAsAuthenticatorFactory());
+        }
+        
         if (asUser == null)
         {
             return getServer().submitRequest(req.getMethod(), req.getFullUri(), req.getHeaders(), req.getBody(), req.getEncoding(), req.getType());
@@ -345,7 +354,6 @@ public abstract class BaseWebScriptTest extends TestCase
         else
         {
             // send request in context of specified user
-            getServer();
             return AuthenticationUtil.runAs(new RunAsWork<Response>()
             {
                 @SuppressWarnings("synthetic-access")
diff --git a/source/java/org/alfresco/repo/web/scripts/servlet/LocalTestRunAsAuthenticatorFactory.java b/source/java/org/alfresco/repo/web/scripts/servlet/LocalTestRunAsAuthenticatorFactory.java
new file mode 100644
index 0000000000..4c6d5a0bf8
--- /dev/null
+++ b/source/java/org/alfresco/repo/web/scripts/servlet/LocalTestRunAsAuthenticatorFactory.java
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2005-2011 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.repo.web.scripts.servlet;
+
+import javax.servlet.ServletContext;
+
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.springframework.extensions.webscripts.Authenticator;
+import org.springframework.extensions.webscripts.Description.RequiredAuthentication;
+import org.springframework.extensions.webscripts.servlet.ServletAuthenticatorFactory;
+import org.springframework.extensions.webscripts.servlet.WebScriptServletRequest;
+import org.springframework.extensions.webscripts.servlet.WebScriptServletResponse;
+import org.springframework.web.context.ServletContextAware;
+
+
+/**
+ * Used for local web script tests when MT is enabled - eg. WebScriptTestSuite, BaseCMISTest (AspectTest, PolicyTest), etc.
+ * 
+ * When MT is enabled the repository container required authentication must be "guest" or higher (ie. not "none") to determine the tenant domain.
+ * 
+ * This dummy authenticator will effectively pass-through the runAs user ... note: it needs to set the runAs user since it will be cleared first (by RepositoryContainer.authenticate).
+ *
+ * @author janv
+ * @since 4.0 (thor)
+ */
+public class LocalTestRunAsAuthenticatorFactory implements ServletAuthenticatorFactory, ServletContextAware
+{
+    @Override
+    public void setServletContext(ServletContext context)
+    {
+    }
+    
+    @Override
+    public Authenticator create(WebScriptServletRequest req, WebScriptServletResponse res)
+    {
+        String runAsUser = AuthenticationUtil.getRunAsUser();
+        if (runAsUser == null)
+        {
+            runAsUser = AuthenticationUtil.getSystemUserName();
+        }
+        return new LocalTestRunAsAuthenticator(runAsUser);
+    }
+    
+    public class LocalTestRunAsAuthenticator implements Authenticator
+    {
+        private String userName;
+        
+        public LocalTestRunAsAuthenticator(String userName)
+        {
+            this.userName = userName;
+        }
+        
+        @Override
+        public boolean authenticate(RequiredAuthentication required, boolean isGuest)
+        {
+            if (! emptyCredentials())
+            {
+                AuthenticationUtil.setRunAsUser(userName);
+                return true;
+            }
+            return false;
+        }
+        
+        @Override
+        public boolean emptyCredentials()
+        {
+            return (userName == null || userName.length() == 0);
+        }
+    }
+
+}
\ No newline at end of file