From 60ab1304bd97a6d59be6c1b6a867d8f00a10bcbf Mon Sep 17 00:00:00 2001 From: Roy Wetherall Date: Thu, 17 Jul 2014 04:44:34 +0000 Subject: [PATCH 01/29] Root container cache to improve unfiled record browse performance * relates to RM-1594 and RM-1595 git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@76673 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../rm-service-context.xml | 3 ++ .../fileplan/FilePlanServiceImpl.java | 42 ++++++++++++++----- 2 files changed, 35 insertions(+), 10 deletions(-) diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml index 98829ee9df..ee194522f7 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml @@ -438,6 +438,8 @@ + + @@ -446,6 +448,7 @@ + diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/fileplan/FilePlanServiceImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/fileplan/FilePlanServiceImpl.java index d62a21da56..80514a902f 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/fileplan/FilePlanServiceImpl.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/fileplan/FilePlanServiceImpl.java @@ -39,6 +39,7 @@ import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService; import org.alfresco.module.org_alfresco_module_rm.security.ExtendedReaderDynamicAuthority; import org.alfresco.module.org_alfresco_module_rm.security.ExtendedWriterDynamicAuthority; import org.alfresco.module.org_alfresco_module_rm.util.ServiceBaseImpl; +import org.alfresco.repo.cache.SimpleCache; import org.alfresco.repo.domain.node.NodeDAO; import org.alfresco.service.cmr.repository.ChildAssociationRef; import org.alfresco.service.cmr.repository.NodeRef; 
@@ -82,6 +83,9 @@ public class FilePlanServiceImpl extends ServiceBaseImpl /** RM site file plan container */ private static final String FILE_PLAN_CONTAINER = "documentLibrary"; + /** root container cache */ + private SimpleCache, NodeRef> rootContainerCache; + /** * NOTE: for some reason spring couldn't cope with the circular references between these two * beans so we need to grab this one manually. @@ -166,6 +170,14 @@ public class FilePlanServiceImpl extends ServiceBaseImpl return getFilePlans(StoreRef.STORE_REF_WORKSPACE_SPACESSTORE); } + /** + * @param rootContainerCache root container cache + */ + public void setRootContainerCache(SimpleCache, NodeRef> rootContainerCache) + { + this.rootContainerCache = rootContainerCache; + } + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#getFilePlans(org.alfresco.service.cmr.repository.StoreRef) */ @@ -255,10 +267,11 @@ public class FilePlanServiceImpl extends ServiceBaseImpl } /** + * Get the file root container for the given type. * - * @param filePlan - * @param containerName - * @return + * @param filePlan file plan + * @param containerName container type + * @return {@link NodeRef} file plan container */ private NodeRef getFilePlanRootContainer(NodeRef filePlan, String containerName) { 
@@ -269,16 +282,25 @@ public class FilePlanServiceImpl extends ServiceBaseImpl } NodeRef result = null; - - // try and get the unfiled record container - List assocs = nodeService.getChildAssocs(filePlan, ContentModel.ASSOC_CONTAINS, QName.createQName(RM_URI, containerName)); - if (assocs.size() > 1) + Pair key = new Pair(filePlan, containerName); + + if (!rootContainerCache.contains(key)) { - throw new AlfrescoRuntimeException("Unable to get unfiled conatiner " + containerName + "."); + // try and get the unfiled record container + List assocs = nodeService.getChildAssocs(filePlan, ContentModel.ASSOC_CONTAINS, QName.createQName(RM_URI, containerName)); + if (assocs.size() > 1) + { + throw new AlfrescoRuntimeException("Unable to get unfiled conatiner " + containerName + "."); + } + else if (assocs.size() == 1) + { + result = assocs.get(0).getChildRef(); + rootContainerCache.put(key, result); + } } - else if (assocs.size() == 1) + else { - result = assocs.get(0).getChildRef(); + result = rootContainerCache.get(key); } return result; From 0431f2586590407a9eeb96870b34038fb1c6cf47 Mon Sep 17 00:00:00 2001 
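Review bot: The `rootContainerCache.contains(key)` / `rootContainerCache.get(key)` pair in getFilePlanRootContainer is a check-then-act on a shared cache, so an entry evicted between the two calls makes the method return null even though the container exists. A single `result = rootContainerCache.get(key);` followed by `if (result == null)` around the child-association lookup avoids that. The entry is keyed only by file plan and container name and nothing in this patch removes it, so a container that is deleted later would presumably keep being returned until the cache drops it; the field comment should say who invalidates it. If `nodeService` here is the permission-checked bean, the cached NodeRef is also returned to callers that never went through that check themselves, which should be confirmed against the bean wiring. The method's signature and closing brace are outside this hunk.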
From: Roy Wetherall Date: Fri, 18 Jul 2014 04:17:45 +0000 Subject: [PATCH 02/29] RM performance enhancements * serach improvements * in-place record browse improvements * saved search via file plan browse improvements git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@76850 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../capability/RMSecurityCommon.java | 116 ++++++++++++------ .../script/slingshot/RMSearchGet.java | 33 ++--- .../RecordsManagementSearchService.java | 7 +- .../RecordsManagementSearchServiceImpl.java | 13 +- .../ExtendedReaderDynamicAuthority.java | 9 ++ .../ExtendedSecurityBaseDynamicAuthority.java | 84 ++++++------- .../ExtendedWriterDynamicAuthority.java | 11 +- .../util/ServiceBaseImpl.java | 45 ++++--- .../test/service/RecordServiceImplTest.java | 13 +- ...ecordsManagementSearchServiceImplTest.java | 3 +- 10 files changed, 198 insertions(+), 136 deletions(-) diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMSecurityCommon.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMSecurityCommon.java index 51c70b7bfc..ec1181efb5 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMSecurityCommon.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMSecurityCommon.java @@ -18,6 +18,8 @@ */ package org.alfresco.module.org_alfresco_module_rm.capability; +import java.util.Map; + import net.sf.acegisecurity.vote.AccessDecisionVoter; import org.alfresco.error.AlfrescoRuntimeException; 
@@ -27,6 +29,7 @@ import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.transaction.AlfrescoTransactionSupport; +import org.alfresco.repo.transaction.TransactionalResourceHelper; import org.alfresco.service.cmr.repository.AssociationRef; import org.alfresco.service.cmr.repository.ChildAssociationRef; import org.alfresco.service.cmr.repository.NodeRef; @@ -34,6 +37,7 @@ import org.alfresco.service.cmr.repository.NodeService; import org.alfresco.service.cmr.repository.StoreRef; import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.security.PermissionService; +import org.alfresco.util.Pair; import org.aopalliance.intercept.MethodInvocation; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; 
@@ -192,48 +196,82 @@ public class RMSecurityCommon } /** + * Core RM read check * - * @param nodeRef - * @return + * @param nodeRef node reference + * @return int see {@link AccessDecisionVoter} */ public int checkRmRead(NodeRef nodeRef) - { - int result = getTransactionCache("checkRmRead", nodeRef); - if (result != NOSET_VALUE) - { - return result; - } - - if (permissionService.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS) == AccessStatus.DENIED) - { - if (logger.isDebugEnabled()) - { - logger.debug("\t\tUser does not have read record permission on node, access denied. (nodeRef=" + nodeRef.toString() + ", user=" + AuthenticationUtil.getRunAsUser() + ")"); - } - return setTransactionCache("checkRmRead", nodeRef, AccessDecisionVoter.ACCESS_DENIED); - } - - // Get the file plan for the node - NodeRef filePlan = filePlanService.getFilePlan(nodeRef); - - if (permissionService.hasPermission(filePlan, RMPermissionModel.VIEW_RECORDS) == AccessStatus.DENIED) - { - if (logger.isDebugEnabled()) - { - logger.debug("\t\tUser does not have view records capability permission on node, access denied. 
(filePlan=" + filePlan.toString() + ", user=" + AuthenticationUtil.getRunAsUser() + ")"); - } - return setTransactionCache("checkRmRead", nodeRef, AccessDecisionVoter.ACCESS_DENIED); - } - - if (caveatConfigComponent.hasAccess(nodeRef)) - { - return setTransactionCache("checkRmRead", nodeRef, AccessDecisionVoter.ACCESS_GRANTED); - } - else - { - return setTransactionCache("checkRmRead", nodeRef, AccessDecisionVoter.ACCESS_DENIED); - } - + { + int result = AccessDecisionVoter.ACCESS_ABSTAIN; + + Map, Integer> transactionCache = TransactionalResourceHelper.getMap("rm.security.checkRMRead"); + Pair key = new Pair(AuthenticationUtil.getRunAsUser(), nodeRef); + + if (transactionCache.containsKey(key)) + { + result = transactionCache.get(key); + } + else + { + if (permissionService.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS) == AccessStatus.DENIED) + { + if (logger.isDebugEnabled()) + { + logger.debug("\t\tUser does not have read record permission on node, access denied. (nodeRef=" + nodeRef.toString() + ", user=" + AuthenticationUtil.getRunAsUser() + ")"); + } + result = AccessDecisionVoter.ACCESS_DENIED; + } + else + { + // Get the file plan for the node + NodeRef filePlan = filePlanService.getFilePlan(nodeRef); + if (hasViewCapability(filePlan) == AccessStatus.DENIED) + { + if (logger.isDebugEnabled()) + { + logger.debug("\t\tUser does not have view records capability permission on node, access denied. 
(filePlan=" + filePlan.toString() + ", user=" + AuthenticationUtil.getRunAsUser() + ")"); + } + result = AccessDecisionVoter.ACCESS_DENIED; + } + else if (!caveatConfigComponent.hasAccess(nodeRef)) + { + result = AccessDecisionVoter.ACCESS_DENIED; + } + else + { + result = AccessDecisionVoter.ACCESS_GRANTED; + } + } + + // cache result + transactionCache.put(key, result); + } + + return result; + } + + /** + * Helper method to determine whether the current user has view capability on the file plan + * + * @param filePlan file plan + * @return {@link AccessStatus} + */ + private AccessStatus hasViewCapability(NodeRef filePlan) + { + Map, AccessStatus> transactionCache = TransactionalResourceHelper.getMap("rm.security.hasViewCapability"); + Pair key = new Pair(AuthenticationUtil.getRunAsUser(), filePlan); + + if (transactionCache.containsKey(key)) + { + return transactionCache.get(key); + } + else + { + AccessStatus result = permissionService.hasPermission(filePlan, RMPermissionModel.VIEW_RECORDS); + transactionCache.put(key, result); + return result; + } } @SuppressWarnings("rawtypes") diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/script/slingshot/RMSearchGet.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/script/slingshot/RMSearchGet.java index eb46eb54fb..117289965f 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/script/slingshot/RMSearchGet.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/script/slingshot/RMSearchGet.java 
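Review bot: checkRmRead now keeps the final GRANTED/DENIED vote for the whole transaction, and nothing visible in this patch clears `rm.security.checkRMRead` or `rm.security.hasViewCapability` when permissions, caveats or the node's file plan change later in that transaction, so a vote taken before such a change keeps being returned after it. The same applies to the per-transaction maps added in ExtendedSecurityBaseDynamicAuthority.hasAuthority and ServiceBaseImpl.getFilePlan. Including `AuthenticationUtil.getRunAsUser()` in the key is the right call, since it keeps run-as switches inside one transaction from sharing a vote. The method Javadoc should state the remaining limit, for example `Result is cached per run-as user and node for the life of the transaction; permission changes made in the same transaction are not reflected.`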
@@ -33,9 +33,7 @@ import org.alfresco.module.org_alfresco_module_rm.search.RecordsManagementSearch import org.alfresco.module.org_alfresco_module_rm.search.RecordsManagementSearchService; import org.alfresco.module.org_alfresco_module_rm.search.SavedSearchDetailsCompatibility; import org.alfresco.service.cmr.dictionary.DictionaryService; -import org.alfresco.service.cmr.repository.ChildAssociationRef; import org.alfresco.service.cmr.repository.ContentData; -import org.alfresco.service.cmr.repository.ContentReader; import org.alfresco.service.cmr.repository.ContentService; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeService; @@ -44,6 +42,7 @@ import org.alfresco.service.cmr.security.PersonService; import org.alfresco.service.cmr.site.SiteService; import org.alfresco.service.namespace.NamespaceService; import org.alfresco.service.namespace.QName; +import org.alfresco.util.Pair; import org.apache.commons.lang.ArrayUtils; import org.apache.commons.lang.StringUtils; import org.springframework.extensions.webscripts.Cache; @@ -199,20 +198,20 @@ public class RMSearchGet extends DeclarativeWebScript } // Execute search - List results = recordsManagementSearchService.search(siteId, query, searchParameters); + List> results = recordsManagementSearchService.search(siteId, query, searchParameters); // Reset person data cache personDataCache = new HashMap(57); // Process the result items List items = new ArrayList(results.size()); - for (NodeRef nodeRef : results) + for (Pair pair : results) { // FIXME: This is a workaround for DOD Recert // TC 3-3 Create User Groups try { - Item item = new Item(nodeRef); + Item item = new Item(pair.getFirst(), pair.getSecond()); items.add(item); } catch(Exception e) {} 
@@ -245,7 +244,7 @@ public class RMSearchGet extends DeclarativeWebScript private Map nodeProperties; private Map properties; - public Item(NodeRef nodeRef) + public Item(NodeRef parent, NodeRef nodeRef) { // Set node ref this.nodeRef = nodeRef; @@ -265,12 +264,12 @@ public class RMSearchGet extends DeclarativeWebScript } // Get parent node reference - NodeRef parent = null; - ChildAssociationRef assoc = nodeService.getPrimaryParent(nodeRef); - if (assoc != null) - { - parent = assoc.getParentRef(); - } +// NodeRef parent = null; +// ChildAssociationRef assoc = nodeService.getPrimaryParent(nodeRef); +// if (assoc != null) +// { +// parent = assoc.getParentRef(); +// } if (isContainer == true) { @@ -334,16 +333,6 @@ public class RMSearchGet extends DeclarativeWebScript if (NamespaceService.SYSTEM_MODEL_1_0_URI.equals(qName.getNamespaceURI()) == false) { String prefixName = qName.getPrefixString().replace(":", "_"); - Serializable value = entry.getValue(); - if (value instanceof NodeRef) - { - value = value.toString(); - } - else if (value instanceof ContentData) - { - ContentReader contentReader = contentService.getReader(nodeRef, qName); - value = contentReader.getContentString(); - } properties.put(prefixName, entry.getValue()); } } diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/search/RecordsManagementSearchService.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/search/RecordsManagementSearchService.java index b4e971bae5..76ece11e65 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/search/RecordsManagementSearchService.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/search/RecordsManagementSearchService.java @@ -21,6 +21,7 @@ package org.alfresco.module.org_alfresco_module_rm.search; import java.util.List; import org.alfresco.service.cmr.repository.NodeRef; +import org.alfresco.util.Pair; /** * Records management search service. 
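Review bot: The old parent lookup is left behind as a commented-out block in the Item constructor; delete it rather than commenting it out, and document the new parameter instead, e.g. `@param parent primary parent of nodeRef as reported by the search result, may be null`. The parent now comes from the search result's ChildAssociationRef instead of `nodeService.getPrimaryParent(nodeRef)`, so whether it can be null and whether it has passed the same permission check depends on the search service. The code that consumes `parent` is outside this hunk, so confirm it still tolerates a null value.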
@@ -33,10 +34,10 @@ public interface RecordsManagementSearchService * Execute a records management search * @param siteId the id of the rm site to query * @param query search query string - * @param searchParameters search parameters - * @return {@link List}<{@link NodeRef}> search results + * @param searchParameters search parameters + * @return {@link List}<{@link Pair}<{@link NodeRef}, {@link NodeRef}> search results as pairs for parent and child nodes */ - List search(String siteId, String query, RecordsManagementSearchParameters searchParameters); + List> search(String siteId, String query, RecordsManagementSearchParameters searchParameters); /** * Get all the searches saved on the given records management site. diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/search/RecordsManagementSearchServiceImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/search/RecordsManagementSearchServiceImpl.java index 6383d99598..96a1b995d1 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/search/RecordsManagementSearchServiceImpl.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/search/RecordsManagementSearchServiceImpl.java @@ -30,6 +30,7 @@ import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork; import org.alfresco.service.cmr.model.FileFolderService; import org.alfresco.service.cmr.model.FileInfo; +import org.alfresco.service.cmr.repository.ChildAssociationRef; import org.alfresco.service.cmr.repository.ContentReader; import org.alfresco.service.cmr.repository.ContentWriter; import org.alfresco.service.cmr.repository.NodeRef; 
@@ -41,6 +42,7 @@ import org.alfresco.service.cmr.site.SiteService; import org.alfresco.service.namespace.NamespaceService; import org.alfresco.service.namespace.QName; import org.alfresco.util.ISO9075; +import org.alfresco.util.Pair; import org.alfresco.util.ParameterCheck; import org.json.JSONArray; import org.json.JSONException; @@ -173,7 +175,7 @@ public class RecordsManagementSearchServiceImpl implements RecordsManagementSear * @see org.alfresco.module.org_alfresco_module_rm.search.RecordsManagementSearchService#search(java.lang.String, java.lang.String, org.alfresco.module.org_alfresco_module_rm.search.RecordsManagementSearchParameters) */ @Override - public List search(String siteId, String query, RecordsManagementSearchParameters rmSearchParameters) + public List> search(String siteId, String query, RecordsManagementSearchParameters rmSearchParameters) { // build the full RM query StringBuilder fullQuery = new StringBuilder(1024); @@ -206,9 +208,16 @@ public class RecordsManagementSearchServiceImpl implements RecordsManagementSear // execute query ResultSet resultSet = searchService.query(searchParameters); + + // process results + List> result = new ArrayList>(resultSet.length()); + for (ChildAssociationRef childAssoc : resultSet.getChildAssocRefs()) + { + result.add(new Pair(childAssoc.getParentRef(), childAssoc.getChildRef())); + } // return results - return resultSet.getNodeRefs(); + return result; } /** diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedReaderDynamicAuthority.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedReaderDynamicAuthority.java index 4673d5256b..f3d4a8b6a6 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedReaderDynamicAuthority.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedReaderDynamicAuthority.java 
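Review bot: The `ResultSet` returned by `searchService.query(searchParameters)` is iterated and then dropped without `close()`, so each search leaves the underlying search resources open until they are reclaimed some other way; close it in a `finally` once the pairs have been copied. `childAssoc.getParentRef()` can presumably be null for a root association, and the Javadoc on RecordsManagementSearchService.search should say so now that callers receive it. The changed return type also breaks any caller of this public service interface that is not part of this patch.

```java
ResultSet resultSet = searchService.query(searchParameters);
try
{
    // … unchanged: copy each ChildAssociationRef into a parent/child Pair …
    return result;
}
finally
{
    resultSet.close();
}
```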
@@ -49,4 +49,13 @@ public class ExtendedReaderDynamicAuthority extends ExtendedSecurityBaseDynamicA { return getExtendedSecurityService().getExtendedReaders(nodeRef); } + + /** + * @see org.alfresco.module.org_alfresco_module_rm.security.ExtendedSecurityBaseDynamicAuthority#getTransactionCacheName() + */ + @Override + protected String getTransactionCacheName() + { + return "rm.extendedreaderdynamicauthority"; + } } diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedSecurityBaseDynamicAuthority.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedSecurityBaseDynamicAuthority.java index 2c439c3519..c1627476a8 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedSecurityBaseDynamicAuthority.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedSecurityBaseDynamicAuthority.java @@ -28,6 +28,7 @@ import org.alfresco.repo.transaction.TransactionalResourceHelper; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeService; import org.alfresco.service.cmr.security.AuthorityService; +import org.alfresco.util.Pair; import org.springframework.beans.BeansException; import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContextAware; @@ -42,9 +43,6 @@ public abstract class ExtendedSecurityBaseDynamicAuthority implements DynamicAut RecordsManagementModel, ApplicationContextAware { - /** transaction cache key */ - private static final String KEY_HAS_AUTHORITY_CACHE = "rm.transaction.hasAuthority"; - /** Authority service */ private AuthorityService authorityService; 
@@ -95,6 +93,11 @@ public abstract class ExtendedSecurityBaseDynamicAuthority implements DynamicAut } return nodeService; } + + /** + * @return String transaction cache name + */ + protected abstract String getTransactionCacheName(); /** * @see org.springframework.context.ApplicationContextAware#setApplicationContext(org.springframework.context.ApplicationContext) 
@@ -122,51 +125,38 @@ public abstract class ExtendedSecurityBaseDynamicAuthority implements DynamicAut { boolean result = false; - if (getNodeService().hasAspect(nodeRef, ASPECT_EXTENDED_SECURITY) == true) + Map, Boolean> transactionCache = TransactionalResourceHelper.getMap(getTransactionCacheName()); + Pair key = new Pair(nodeRef, userName); + + if (transactionCache.containsKey(key)) { - Set authorities = getAuthorites(nodeRef); - if (authorities != null) - { - for (String authority : authorities) - { - if ("GROUP_EVERYONE".equals(authority) == true) - { - // 'eveyone' is there so break - result = true; - break; - } - else if (authority.startsWith("GROUP_") == true) - { - Map transactionCache = TransactionalResourceHelper.getMap(KEY_HAS_AUTHORITY_CACHE); - String key = authority + "|" + userName; - if (transactionCache.containsKey(key)) - - { - result = transactionCache.get(key); - break; - } - else - { - Set contained = getAuthorityService().getAuthoritiesForUser(userName); - if (contained.contains(authority)) - { - result = true; - transactionCache.put(key, result); - break; - } - } - } - else - { - // presume we have a user - if (authority.equals(userName) == true) - { - result = true; - break; - } - } - } - } + result = transactionCache.get(key); + } + else + { + if (getNodeService().hasAspect(nodeRef, ASPECT_EXTENDED_SECURITY) == true) + { + Set authorities = getAuthorites(nodeRef); + if (authorities != null) + { + // check for everyone or the user + if (authorities.contains("GROUP_EVEYONE") || + authorities.contains(userName)) + { + result = true; + } + else + { + // determine whether any of the users groups are in the extended security + Set contained = getAuthorityService().getAuthoritiesForUser(userName); + authorities.retainAll(contained); + result = (authorities.size() != 0); + } + } + } + + // cache result + transactionCache.put(key, result); } return result; 
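Review bot: The literal in `authorities.contains("GROUP_EVEYONE")` is misspelled (the removed code compared against `"GROUP_EVERYONE"`), so the everyone shortcut can never match and the outcome depends on whether `getAuthoritiesForUser(userName)` happens to include that group; the line should read `if (authorities.contains("GROUP_EVERYONE") ||`. `authorities.retainAll(contained)` also mutates the set handed back by `getAuthorites(nodeRef)`; if the extended security service returns its stored set rather than a copy, this removes readers or writers from it, so compare without mutating: `result = !Collections.disjoint(authorities, contained);` (needs `java.util.Collections` imported). The method's signature is outside this hunk.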
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedWriterDynamicAuthority.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedWriterDynamicAuthority.java index 24ff81ed13..af4eb53ad7 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedWriterDynamicAuthority.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedWriterDynamicAuthority.java @@ -48,5 +48,14 @@ public class ExtendedWriterDynamicAuthority extends ExtendedSecurityBaseDynamicA protected Set getAuthorites(NodeRef nodeRef) { return getExtendedSecurityService().getExtendedWriters(nodeRef); - } + } + + /** + * @see org.alfresco.module.org_alfresco_module_rm.security.ExtendedSecurityBaseDynamicAuthority#getTransactionCacheName() + */ + @Override + protected String getTransactionCacheName() + { + return "rm.extendedwriterdynamicauthority"; + } } diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/util/ServiceBaseImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/util/ServiceBaseImpl.java index 1dfe8d7010..21e1e349c6 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/util/ServiceBaseImpl.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/util/ServiceBaseImpl.java 
@@ -338,24 +338,35 @@ public class ServiceBaseImpl implements RecordsManagementModel, ApplicationConte public NodeRef getFilePlan(final NodeRef nodeRef) { NodeRef result = null; - if (nodeRef != null) + if (nodeRef != null) { - result = (NodeRef)getInternalNodeService().getProperty(nodeRef, PROP_ROOT_NODEREF); - if (result == null || !instanceOf(result, TYPE_FILE_PLAN)) - { - if (instanceOf(nodeRef, TYPE_FILE_PLAN)) - { - result = nodeRef; - } - else - { - ChildAssociationRef parentAssocRef = getInternalNodeService().getPrimaryParent(nodeRef); - if (parentAssocRef != null) - { - result = getFilePlan(parentAssocRef.getParentRef()); - } - } - } + Map transactionCache = TransactionalResourceHelper.getMap("rm.servicebase.getFilePlan"); + if (transactionCache.containsKey(nodeRef)) + { + result = transactionCache.get(nodeRef); + } + else + { + result = (NodeRef)getInternalNodeService().getProperty(nodeRef, PROP_ROOT_NODEREF); + if (result == null || !instanceOf(result, TYPE_FILE_PLAN)) + { + if (instanceOf(nodeRef, TYPE_FILE_PLAN)) + { + result = nodeRef; + } + else + { + ChildAssociationRef parentAssocRef = getInternalNodeService().getPrimaryParent(nodeRef); + if (parentAssocRef != null) + { + result = getFilePlan(parentAssocRef.getParentRef()); + } + } + } + + // cache result in transaction + transactionCache.put(nodeRef, result); + } } return result; diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/RecordServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/RecordServiceImplTest.java index d964e145f9..2b4d918d26 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/RecordServiceImplTest.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/RecordServiceImplTest.java 
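Review bot: `transactionCache.put(nodeRef, result)` also stores a null result, and because the lookup uses `containsKey`, a node that had no file plan when first asked keeps returning null for the rest of the transaction, including after it is filed or declared as a record in that same transaction. RMSecurityCommon.checkRmRead feeds this value into its permission decision, so cache only positive answers: `if (result != null) { transactionCache.put(nodeRef, result); }`. The recursive call fills an entry for every ancestor as well, which is worth a line in the method comment.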
@@ -294,10 +294,12 @@ public class RecordServiceImplTest extends BaseRMTestCase // create record from document doTestInTransaction(new Test() { + private NodeRef originalLocation; + @Override public Void run() { - NodeRef originalLocation = nodeService.getPrimaryParent(dmDocument).getParentRef(); + originalLocation = nodeService.getPrimaryParent(dmDocument).getParentRef(); assertFalse(recordService.isRecord(dmDocument)); assertFalse(extendedSecurityService.hasExtendedSecurity(dmDocument)); @@ -318,7 +320,12 @@ public class RecordServiceImplTest extends BaseRMTestCase AccessStatus.DENIED); // doc/record recordService.createRecord(filePlan, dmDocument); - + + return null; + } + + public void test(Void result) + { checkPermissions(READ_RECORDS, AccessStatus.ALLOWED, // file // plan AccessStatus.ALLOWED, // unfiled container @@ -367,8 +374,6 @@ public class RecordServiceImplTest extends BaseRMTestCase Capability updateProperties = capabilityService.getCapability("UpdateProperties"); assertEquals(AccessStatus.ALLOWED, updateProperties.hasPermission(dmDocument)); - - return null; } }, dmCollaborator); diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/RecordsManagementSearchServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/RecordsManagementSearchServiceImplTest.java index 0917fadb3e..8fbafad26e 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/RecordsManagementSearchServiceImplTest.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/RecordsManagementSearchServiceImplTest.java 
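Review bot: Moving the `checkPermissions(...)` assertions from `run()` into `test(Void result)` means nothing asserts permissions in the same transaction as `recordService.createRecord(filePlan, dmDocument)` any more. If `test` is invoked after the transaction has completed (BaseRMTestCase is not visible here), stale entries in the per-transaction caches introduced by this patch cannot be caught by this test. Keeping at least the first `checkPermissions(READ_RECORDS, ...)` call inside `run()`, directly after `createRecord`, would cover the in-transaction case as well.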
@@ -26,6 +26,7 @@ import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase; import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.security.MutableAuthenticationService; +import org.alfresco.util.Pair; import org.alfresco.util.TestWithUserUtils; /** @@ -151,7 +152,7 @@ public class RecordsManagementSearchServiceImplTest extends BaseRMTestCase String query = "keywords:\"elephant\""; RecordsManagementSearchParameters params = new RecordsManagementSearchParameters(); params.setIncludeUndeclaredRecords(true); - List results = rmSearchService.search(siteId, query, params); + List> results = rmSearchService.search(siteId, query, params); assertNotNull(results); assertEquals(2, results.size()); From 5f542bf61950e8b5a85858c6afeeafbce626392e Mon Sep 17 00:00:00 2001 From: Roy Wetherall Date: Fri, 18 Jul 2014 04:55:59 +0000 Subject: [PATCH 03/29] Additional unit test to check extended security with cache is working as expected. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@76851 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../alfresco-global.properties | 5 +- .../ExtendedSecurityServiceImplTest.java | 117 ++++++++++++++++++ 2 files changed, 121 insertions(+), 1 deletion(-) diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties b/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties index 70676c0e4d..8864f56b1c 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties 
@@ -34,4 +34,7 @@ bootstrap.rmadmin.name=rmadmin # # Indicates whether RM rules will be run as RM Admin or not by default # -rm.rule.runasrmadmin=true \ No newline at end of file +rm.rule.runasrmadmin=true + +activities.feed.generator.cronExpression=0 30 3 * * ? +activities.feed.generator.maxItemsPerCycle=1 \ No newline at end of file diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/ExtendedSecurityServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/ExtendedSecurityServiceImplTest.java index 1407ced003..7b399c1d09 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/ExtendedSecurityServiceImplTest.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/ExtendedSecurityServiceImplTest.java @@ -23,10 +23,16 @@ import java.util.HashSet; import java.util.Map; import java.util.Set; +import org.alfresco.model.ContentModel; import org.alfresco.module.org_alfresco_module_rm.security.ExtendedSecurityService; import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase; import org.alfresco.repo.security.authentication.AuthenticationUtil; +import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork; +import org.alfresco.repo.site.SiteModel; import org.alfresco.service.cmr.repository.NodeRef; +import org.alfresco.service.cmr.security.AccessStatus; +import org.alfresco.service.cmr.site.SiteService; +import org.alfresco.service.cmr.site.SiteVisibility; import org.alfresco.util.GUID; /** 
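Review bot: The two `activities.feed.generator.*` lines are added to the module's shipped alfresco-global.properties although the commit is described as an additional unit test, so every installation of the module would apparently pick up the changed feed generator schedule and the one-item-per-cycle limit. If they are only needed for the test environment, they belong in a test-only properties file. Otherwise they should carry a comment in the style of the existing `rm.rule.runasrmadmin` entry, e.g. `# Throttle activity feed generation (reason: REASON_PLACEHOLDER)`.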
@@ -248,4 +254,115 @@ public class ExtendedSecurityServiceImplTest extends BaseRMTestCase assertNotNull(readers); assertEquals(testMap.size(), readers.size()); } + + public void testDifferentUsersDifferentPermissions() + { + final String userNone = createTestUser(); + final String userRead = createTestUser(); + final String userWrite = createTestUser(); + final String siteShortName = GUID.generate(); + + doTestInTransaction(new Test() + { + public Void run() throws Exception + { + siteService.createSite(null, siteShortName, "test", "test", SiteVisibility.PRIVATE); + return null; + } + }); + + final NodeRef documentLibrary = doTestInTransaction(new Test() + { + public NodeRef run() throws Exception + { + siteService.setMembership(siteShortName, userRead, SiteModel.SITE_CONSUMER); + siteService.setMembership(siteShortName, userWrite, SiteModel.SITE_COLLABORATOR); + return siteService.createContainer(siteShortName, SiteService.DOCUMENT_LIBRARY, null, null); + } + }); + + final NodeRef record = doTestInTransaction(new Test() + { + public NodeRef run() throws Exception + { + NodeRef record = fileFolderService.create(documentLibrary, GUID.generate(), ContentModel.TYPE_CONTENT).getNodeRef(); + recordService.createRecord(filePlan, record); + return record; + } + }); + + doTestInTransaction(new Test() + { + public Void run() throws Exception + { + AuthenticationUtil.runAs(new RunAsWork() + { + public Void doWork() throws Exception + { + // check permissions + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record, READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record, FILING)); + return null; + } + }, userNone); + + AuthenticationUtil.runAs(new RunAsWork() + { + public Void doWork() throws Exception + { + // check permissions + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record, READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record, FILING)); + return null; + } 
+ }, userRead); + + AuthenticationUtil.runAs(new RunAsWork() + { + public Void doWork() throws Exception + { + // check permissions + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record, READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record, FILING)); + return null; + } + }, userWrite); + + AuthenticationUtil.runAs(new RunAsWork() + { + public Void doWork() throws Exception + { + // check permissions + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record, READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record, FILING)); + return null; + } + }, userNone); + + AuthenticationUtil.runAs(new RunAsWork() + { + public Void doWork() throws Exception + { + // check permissions + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record, READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record, FILING)); + return null; + } + }, userRead); + + AuthenticationUtil.runAs(new RunAsWork() + { + public Void doWork() throws Exception + { + // check permissions + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record, READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record, FILING)); + return null; + } + }, userWrite); + + return null; + } + }); + } } From 10294cc7e9f276f51ea57bcac953d69047166151 Mon Sep 17 00:00:00 2001 From: Roy Wetherall Date: Fri, 18 Jul 2014 04:57:11 +0000 Subject: [PATCH 04/29] Rollback checked in config git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@76852 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../module/org_alfresco_module_rm/alfresco-global.properties | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
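Review bot: `testDifferentUsersDifferentPermissions` runs the same three `runAs` checks twice inside one transaction, presumably so the second pass hits the cached evaluation, but nothing changes between the passes, so a cached ALLOWED that wrongly survives a permission change would still pass. A third pass after a membership change on `siteShortName`, asserting whatever outcome is intended for `userRead` and `userWrite`, would cover the case that matters for an access-control cache. A one-line comment before the second round, such as `// second pass: identical checks, expected to be served from the cache`, would also record why the block is repeated. The six anonymous `RunAsWork` bodies differ only in the two expected values and the user, so a small private helper taking those three arguments would make the expectations easier to audit.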
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties b/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties index 8864f56b1c..70676c0e4d 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties @@ -34,7 +34,4 @@ bootstrap.rmadmin.name=rmadmin # # Indicates whether RM rules will be run as RM Admin or not by default # -rm.rule.runasrmadmin=true - -activities.feed.generator.cronExpression=0 30 3 * * ? -activities.feed.generator.maxItemsPerCycle=1 \ No newline at end of file +rm.rule.runasrmadmin=true \ No newline at end of file From 4215b0bae9869b35b420c2474ac7f875f4ac2f2e Mon Sep 17 00:00:00 2001 From: Roy Wetherall Date: Wed, 23 Jul 2014 00:58:52 +0000 Subject: [PATCH 05/29] RM-1630: Error on manage references page * regression caused by performance improvements git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@77709 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../admin/RecordsManagementAdminServiceImpl.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/admin/RecordsManagementAdminServiceImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/admin/RecordsManagementAdminServiceImpl.java index b18894b196..79a9aaf7c7 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/admin/RecordsManagementAdminServiceImpl.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/admin/RecordsManagementAdminServiceImpl.java 
@@ -80,6 +80,7 @@ import org.alfresco.service.cmr.repository.NodeService; import org.alfresco.service.cmr.repository.StoreRef; import org.alfresco.service.namespace.NamespaceService; import org.alfresco.service.namespace.QName; +import org.alfresco.service.namespace.RegexQNamePattern; import org.alfresco.util.GUID; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -1154,7 +1155,7 @@ public class RecordsManagementAdminServiceImpl implements RecordsManagementAdmin */ public List getCustomReferencesFrom(NodeRef node) { - return nodeService.getTargetAssocs(node, null); + return nodeService.getTargetAssocs(node, RegexQNamePattern.MATCH_ALL); } /** @@ -1171,7 +1172,7 @@ public class RecordsManagementAdminServiceImpl implements RecordsManagementAdmin */ public List getCustomReferencesTo(NodeRef node) { - return nodeService.getSourceAssocs(node, null); + return nodeService.getSourceAssocs(node, RegexQNamePattern.MATCH_ALL); } /** From 4d61f4772ea8117535fe516ed3d96394eae88bea Mon Sep 17 00:00:00 2001 From: Roy Wetherall Date: Tue, 16 Sep 2014 23:33:19 +0000 Subject: [PATCH 06/29] Update version to 2.1.0.3 git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@84337 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- gradle.properties | 2 +- .../alfresco/module/org_alfresco_module_rm/module.properties | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/gradle.properties b/gradle.properties index bb286aadbb..80b921ea30 100644 --- a/gradle.properties +++ b/gradle.properties @@ -1,7 +1,7 @@ # build details groupid=alfresco packageName=rm -version=2.1.0.2 +version=2.1.0.3 build=dev # maven urls's diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/module.properties b/rm-server/config/alfresco/module/org_alfresco_module_rm/module.properties index 00c3401827..775fe113f8 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/module.properties 
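Review bot: Neither `getCustomReferencesFrom` nor `getCustomReferencesTo` gets a regression test in this commit, although the subject describes RM-1630 as a regression and the diffstat lists only this one file. The fix itself is silent about why the argument changed; if the `null` pattern was indeed the cause, a comment on both calls such as `// MATCH_ALL, not null: a null pattern broke the manage references page (RM-1630)` would stop the next refactor from reintroducing it.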
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/module.properties @@ -6,6 +6,6 @@ module.aliases=org_alfresco_module_dod5015 module.title=Records Management module.description=Alfresco Record Management Extension -module.version=2.1.0.2 +module.version=2.1.0.3 module.repo.version.min=4.2 \ No newline at end of file From 375f1ca5578dd078505ea36477f12e3058c43378 Mon Sep 17 00:00:00 2001 From: Roy Wetherall Date: Thu, 18 Sep 2014 06:27:51 +0000 Subject: [PATCH 07/29] Transaction level cahcing of declarative capability evaluation git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@84421 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../declarative/DeclarativeCapability.java | 55 ++++++++++++------- 1 file changed, 35 insertions(+), 20 deletions(-) diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java index cfb35470e2..bb9cfc393c 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java @@ -29,6 +29,8 @@ import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.module.org_alfresco_module_rm.capability.AbstractCapability; import org.alfresco.module.org_alfresco_module_rm.capability.Capability; import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanComponentKind; +import org.alfresco.repo.security.authentication.AuthenticationUtil; +import org.alfresco.repo.transaction.TransactionalResourceHelper; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.security.AccessStatus; import org.apache.commons.logging.Log; 
@@ -297,29 +299,42 @@ public class DeclarativeCapability extends AbstractCapability { int result = AccessDecisionVoter.ACCESS_ABSTAIN; - // Check we are dealing with a file plan component - if (filePlanService.isFilePlanComponent(nodeRef) == true) + // check transaction cache + Map map = TransactionalResourceHelper.getMap("rm.declarativeCapability"); + String key = getName() + "|" + nodeRef.toString() + "|" + AuthenticationUtil.getRunAsUser(); + if (map.containsKey(key)) { - // Check the kind of the object, the permissions and the conditions - if (checkKinds(nodeRef) == true && checkPermissions(nodeRef) == true && checkConditions(nodeRef) == true) - { - // Opportunity for child implementations to extend - result = evaluateImpl(nodeRef); - } - else - { - result = AccessDecisionVoter.ACCESS_DENIED; - } + result = map.get(key); } - - // Last chance for child implementations to veto/change the result - result = onEvaluate(nodeRef, result); - - // log access denied to help with debug - if (logger.isDebugEnabled() == true && AccessDecisionVoter.ACCESS_DENIED == result) + else { - logger.debug("Capability " + getName() + " returned an Access Denied result during evaluation of node " + nodeRef.toString()); - } + // Check we are dealing with a file plan component + if (filePlanService.isFilePlanComponent(nodeRef) == true) + { + // Check the kind of the object, the permissions and the conditions + if (checkKinds(nodeRef) == true && checkPermissions(nodeRef) == true && checkConditions(nodeRef) == true) + { + // Opportunity for child implementations to extend + result = evaluateImpl(nodeRef); + } + else + { + result = AccessDecisionVoter.ACCESS_DENIED; + } + } + + // Last chance for child implementations to veto/change the result + result = onEvaluate(nodeRef, result); + + // log access denied to help with debug + if (logger.isDebugEnabled() == true && AccessDecisionVoter.ACCESS_DENIED == result) + { + logger.debug("Capability " + getName() + " returned an Access Denied result 
during evaluation of node " + nodeRef.toString()); + } + + result = evaluateImpl(nodeRef); + map.put(key, result); + } return result; } From 82696a3d660d0391dd0e9b39030285b6fb6e906a Mon Sep 17 00:00:00 2001 From: Roy Wetherall Date: Thu, 18 Sep 2014 23:47:53 +0000 Subject: [PATCH 08/29] Fix build git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@84676 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../capability/declarative/DeclarativeCapability.java | 1 - 1 file changed, 1 deletion(-) diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java index bb9cfc393c..c7f51fd952 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java @@ -332,7 +332,6 @@ public class DeclarativeCapability extends AbstractCapability logger.debug("Capability " + getName() + " returned an Access Denied result during evaluation of node " + nodeRef.toString()); } - result = evaluateImpl(nodeRef); map.put(key, result); } From 2de55cb0e911f0121d0f863f2a65612f4dacfd51 Mon Sep 17 00:00:00 2001 From: Roy Wetherall Date: Thu, 18 Sep 2014 23:51:19 +0000 Subject: [PATCH 09/29] Prevent unnessary repeated creation of QName git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@84677 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../declarative/condition/IsPropertySetCondition.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
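Review bot: In the new `else` branch, `result = evaluateImpl(nodeRef);` placed just before `map.put(key, result);` overwrites the value produced by `checkKinds`, `checkPermissions`, `checkConditions` and `onEvaluate`, so an ACCESS_DENIED computed above can be replaced and the replacement is then cached for the rest of the transaction; that line should be dropped (PATCH 08/29 further down this page removes it). Separately, the key `getName() + "|" + nodeRef.toString() + "|" + AuthenticationUtil.getRunAsUser()` pins one decision per capability, node and run-as user for the whole transaction, so as far as this hunk shows a change to the node or its permissions later in the same transaction still gets the earlier answer. A comment such as `// cached per transaction: not re-evaluated after in-transaction changes to the node or its permissions` would make that trade-off explicit, and the debug log for denied results is now skipped on cache hits. The method's signature lies outside the hunk.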
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/IsPropertySetCondition.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/IsPropertySetCondition.java index 7ced7736d3..39aa640187 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/IsPropertySetCondition.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/IsPropertySetCondition.java @@ -34,6 +34,7 @@ public class IsPropertySetCondition extends AbstractCapabilityCondition { /** property name (eg: rma:location) */ private String propertyName; + private QName propertyQName; /** namespace service */ private NamespaceService namespaceService; @@ -59,7 +60,11 @@ public class IsPropertySetCondition extends AbstractCapabilityCondition */ protected QName getPropertyQName() { - return QName.createQName(propertyName, namespaceService); + if (propertyQName == null) + { + propertyQName = QName.createQName(propertyName, namespaceService); + } + return propertyQName; } /** From 8f6d6328f2f35f05306dc048fdc6de22fcfef097 Mon Sep 17 00:00:00 2001 From: Roy Wetherall Date: Thu, 18 Sep 2014 23:57:43 +0000 Subject: [PATCH 10/29] Improvements to extended dynamic authorities * requiredFor set * direct access to extended permission information, not via service git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@84678 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../rm-public-services-security-context.xml | 2 +- .../ExtendedReaderDynamicAuthority.java | 31 +++++++++++++++-- .../ExtendedSecurityBaseDynamicAuthority.java | 34 ++++++++++++------- .../ExtendedWriterDynamicAuthority.java | 31 +++++++++++++++-- 4 files changed, 80 insertions(+), 18 deletions(-) 
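Review bot: The lazily filled `propertyQName` in `getPropertyQName()` is never cleared, so if `propertyName` or `namespaceService` is assigned again after the first call the condition keeps testing the previously resolved property; the setters are outside the hunk, so whether that can happen in practice needs confirming. Clearing the cache where `propertyName` is set, with `this.propertyQName = null;`, keeps the two fields consistent. The new field is also the only one in the class without a doc comment; something like `/** resolved QName for propertyName, cached on first use */` would match its neighbours.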
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-public-services-security-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-public-services-security-context.xml index b219f60cf6..0fc7572862 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-public-services-security-context.xml +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-public-services-security-context.xml @@ -45,7 +45,7 @@ - + diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedReaderDynamicAuthority.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedReaderDynamicAuthority.java index f3d4a8b6a6..469b8bd6d4 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedReaderDynamicAuthority.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedReaderDynamicAuthority.java @@ -18,8 +18,12 @@ */ package org.alfresco.module.org_alfresco_module_rm.security; +import java.util.Collections; +import java.util.Map; import java.util.Set; +import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; +import org.alfresco.repo.security.permissions.PermissionReference; import org.alfresco.service.cmr.repository.NodeRef; /** 
@@ -40,14 +44,37 @@ public class ExtendedReaderDynamicAuthority extends ExtendedSecurityBaseDynamicA public String getAuthority() { return EXTENDED_READER; + } + + /** + * @see org.alfresco.repo.security.permissions.DynamicAuthority#requiredFor() + */ + @Override + public Set requiredFor() + { + if (requiredFor == null) + { + requiredFor = Collections.singleton(getModelDAO().getPermissionReference(null, RMPermissionModel.READ_RECORDS)); + } + + return requiredFor; } /** * @see org.alfresco.module.org_alfresco_module_rm.security.ExtendedSecurityBaseDynamicAuthority#getAuthorites(org.alfresco.service.cmr.repository.NodeRef) */ - protected Set getAuthorites(NodeRef nodeRef) + @SuppressWarnings("unchecked") + protected Set getAuthorites(NodeRef nodeRef) { - return getExtendedSecurityService().getExtendedReaders(nodeRef); + Set result = null; + + Map readerMap = (Map)getNodeService().getProperty(nodeRef, PROP_READERS); + if (readerMap != null) + { + result = readerMap.keySet(); + } + + return result; } /** diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedSecurityBaseDynamicAuthority.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedSecurityBaseDynamicAuthority.java index c1627476a8..b8a6f89136 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedSecurityBaseDynamicAuthority.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedSecurityBaseDynamicAuthority.java 
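Review bot: `getAuthorites` now returns `null` when the node has no `PROP_READERS` value, where it previously returned whatever `getExtendedReaders(nodeRef)` produced; the caller in `ExtendedSecurityBaseDynamicAuthority` is not in this hunk, so it is unclear whether it tolerates `null`. Starting from `Collections.emptySet()` instead of `null` removes the question, and `Collections` is already imported by this commit. The same pattern appears in the `ExtendedWriterDynamicAuthority` hunk `@@ -41,13 +45,36 @@` for `PROP_WRITERS`. The unchecked cast to `Map` also assumes the stored property is always a map; a short comment naming who writes that property would justify the `@SuppressWarnings("unchecked")`.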
@@ -24,6 +24,7 @@ import java.util.Set; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; import org.alfresco.repo.security.permissions.DynamicAuthority; import org.alfresco.repo.security.permissions.PermissionReference; +import org.alfresco.repo.security.permissions.impl.ModelDAO; import org.alfresco.repo.transaction.TransactionalResourceHelper; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeService; @@ -55,6 +56,12 @@ public abstract class ExtendedSecurityBaseDynamicAuthority implements DynamicAut /** Application context */ protected ApplicationContext applicationContext; + /** model DAO */ + protected ModelDAO modelDAO; + + /** permission reference */ + protected Set requiredFor; + // NOTE: we get the services directly from the application context in this way to avoid // cyclic relationships and issues when loading the application context @@ -89,11 +96,23 @@ public abstract class ExtendedSecurityBaseDynamicAuthority implements DynamicAut { if (nodeService == null) { - nodeService = (NodeService)applicationContext.getBean("nodeService"); + nodeService = (NodeService)applicationContext.getBean("dbNodeService"); } return nodeService; } + /** + * @return model DAO + */ + protected ModelDAO getModelDAO() + { + if (modelDAO == null) + { + modelDAO = (ModelDAO)applicationContext.getBean("permissionsModelDAO"); + } + return modelDAO; + } + /** * @return String transaction cache name */ @@ -160,16 +179,5 @@ public abstract class ExtendedSecurityBaseDynamicAuthority implements DynamicAut } return result; - } - - /** - * Base implementation - * - * @see org.alfresco.repo.security.permissions.DynamicAuthority#requiredFor() - */ - @Override - public Set requiredFor() - { - return null; - } + } } 
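Review bot: The switch in `getNodeService()` from the `nodeService` bean to `dbNodeService` is not explained, and it matters for an authorization component: as far as I know `dbNodeService` is the low-level node service, and the subclasses now read `PROP_READERS` and `PROP_WRITERS` through it directly instead of going through `ExtendedSecurityService`. If the intent is to avoid re-entering permission evaluation while a permission is being evaluated, say so next to the lookup, e.g. `// dbNodeService on purpose: unchecked read, used while permissions are being evaluated`. The new `requiredFor` and `modelDAO` fields are `protected`, mutable and filled lazily without synchronization; making `requiredFor` private to each subclass, or at least documenting that it is write-once, would narrow what can alter the set of permissions this authority applies to.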
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedWriterDynamicAuthority.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedWriterDynamicAuthority.java index af4eb53ad7..f53c3ffe41 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedWriterDynamicAuthority.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedWriterDynamicAuthority.java @@ -18,8 +18,12 @@ */ package org.alfresco.module.org_alfresco_module_rm.security; +import java.util.Collections; +import java.util.Map; import java.util.Set; +import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; +import org.alfresco.repo.security.permissions.PermissionReference; import org.alfresco.service.cmr.repository.NodeRef; /** @@ -41,13 +45,36 @@ public class ExtendedWriterDynamicAuthority extends ExtendedSecurityBaseDynamicA { return EXTENDED_WRITER; } + + /** + * @see org.alfresco.repo.security.permissions.DynamicAuthority#requiredFor() + */ + @Override + public Set requiredFor() + { + if (requiredFor == null) + { + requiredFor = Collections.singleton(getModelDAO().getPermissionReference(null, RMPermissionModel.FILE_RECORDS)); + } + + return requiredFor; + } /** * @see org.alfresco.module.org_alfresco_module_rm.security.ExtendedSecurityBaseDynamicAuthority#getAuthorites(org.alfresco.service.cmr.repository.NodeRef) */ - protected Set getAuthorites(NodeRef nodeRef) + @SuppressWarnings("unchecked") + protected Set getAuthorites(NodeRef nodeRef) { - return getExtendedSecurityService().getExtendedWriters(nodeRef); + Set result = null; + + Map map = (Map)getNodeService().getProperty(nodeRef, PROP_WRITERS); + if (map != null) + { + result = map.keySet(); + } + + return result; } /** From 9f41c216a154e44d19a6dcb598a24f6cfeb50624 Mon Sep 17 00:00:00 2001 
From: Roy Wetherall Date: Fri, 19 Sep 2014 00:39:45 +0000 Subject: [PATCH 11/29] Correct requiredFor value git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@84679 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../security/ExtendedWriterDynamicAuthority.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedWriterDynamicAuthority.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedWriterDynamicAuthority.java index f53c3ffe41..986eab4750 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedWriterDynamicAuthority.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/ExtendedWriterDynamicAuthority.java @@ -19,6 +19,7 @@ package org.alfresco.module.org_alfresco_module_rm.security; import java.util.Collections; +import java.util.HashSet; import java.util.Map; import java.util.Set; @@ -54,7 +55,11 @@ public class ExtendedWriterDynamicAuthority extends ExtendedSecurityBaseDynamicA { if (requiredFor == null) { - requiredFor = Collections.singleton(getModelDAO().getPermissionReference(null, RMPermissionModel.FILE_RECORDS)); + requiredFor = new HashSet(3); + Collections.addAll(requiredFor, + getModelDAO().getPermissionReference(null, RMPermissionModel.READ_RECORDS), + getModelDAO().getPermissionReference(null, RMPermissionModel.FILING), + getModelDAO().getPermissionReference(null, RMPermissionModel.FILE_RECORDS)); } return requiredFor; From fca7079135384d8db051f6b20c6ce5c53f490902 Mon Sep 17 00:00:00 2001 
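Review bot: `requiredFor` is assigned the empty `new HashSet(3)` before `Collections.addAll` fills it, so a second caller that arrives between the two statements sees a non-null but empty or partly filled set and skips the `null` check. For a set that decides which permissions this dynamic authority is consulted for, that window should be closed by filling a local set first and publishing it in one assignment, wrapped so callers cannot modify it. The field declaration is in the base class and the method signature and closing brace are outside this hunk.

```java
if (requiredFor == null)
{
    // fill a local set first so no caller can observe a partly built value
    Set<PermissionReference> refs = new HashSet<PermissionReference>(3);
    Collections.addAll(refs,
            getModelDAO().getPermissionReference(null, RMPermissionModel.READ_RECORDS),
            getModelDAO().getPermissionReference(null, RMPermissionModel.FILING),
            getModelDAO().getPermissionReference(null, RMPermissionModel.FILE_RECORDS));
    requiredFor = Collections.unmodifiableSet(refs);
}
// … unchanged: return requiredFor …
```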
From: Tuna Aksoy Date: Tue, 14 Oct 2014 19:28:09 +0000 Subject: [PATCH 12/29] RM-1661 (Performance on setting permissions at a high category level) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88087 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../rm-ui-evaluators-context.xml | 3 +- .../fileplan/FilePlanServiceImpl.java | 171 +++++----- .../FilePlanPermissionServiceImpl.java | 293 ++++++++---------- .../FilePlanPermissionServiceImplTest.java | 168 +++++----- 4 files changed, 304 insertions(+), 331 deletions(-) diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-ui-evaluators-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-ui-evaluators-context.xml index e7cf19c2dd..9892172cee 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-ui-evaluators-context.xml +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-ui-evaluators-context.xml @@ -341,6 +341,7 @@ FILE_PLAN + RECORD RECORD_CATEGORY RECORD_FOLDER UNFILED_RECORD_CONTAINER @@ -758,7 +759,7 @@ - + diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/fileplan/FilePlanServiceImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/fileplan/FilePlanServiceImpl.java index 80514a902f..89fed24298 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/fileplan/FilePlanServiceImpl.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/fileplan/FilePlanServiceImpl.java @@ -57,12 +57,12 @@ import org.springframework.extensions.surf.util.I18NUtil; /** * File plan service implementation. - * + * * @author Roy Wetherall * @since 2.1 */ public class FilePlanServiceImpl extends ServiceBaseImpl - implements FilePlanService, + implements FilePlanService, RecordsManagementModel { /** I18N */ 
@@ -74,61 +74,61 @@ public class FilePlanServiceImpl extends ServiceBaseImpl private final static String MSG_CONTAINER_PARENT_TYPE= "rm.service.container-parent-type"; private final static String MSG_CONTAINER_TYPE = "rm.service.container-type"; private final static String MSG_CONTAINER_EXPECTED = "rm.service.container-expected"; - + /** File plan containers */ private static final String NAME_UNFILED_CONTAINER = "Unfiled Records"; private static final String NAME_HOLD_CONTAINER = "Holds"; private static final String NAME_TRANSFER_CONTAINER = "Transfers"; - + /** RM site file plan container */ private static final String FILE_PLAN_CONTAINER = "documentLibrary"; - + /** root container cache */ private SimpleCache, NodeRef> rootContainerCache; - + /** - * NOTE: for some reason spring couldn't cope with the circular references between these two + * NOTE: for some reason spring couldn't cope with the circular references between these two * beans so we need to grab this one manually. - * + * * @return file plan role service */ protected FilePlanRoleService getFilePlanRoleService() { - return (FilePlanRoleService)applicationContext.getBean("FilePlanRoleService"); + return (FilePlanRoleService)applicationContext.getBean("FilePlanRoleService"); } - + /** * @return permission service */ protected PermissionService getPermissionService() { - return (PermissionService)applicationContext.getBean("permissionService"); + return (PermissionService)applicationContext.getBean("permissionService"); } - + /** * @return node DAO */ protected NodeDAO getNodeDAO() { - return (NodeDAO)applicationContext.getBean("nodeDAO"); + return (NodeDAO)applicationContext.getBean("nodeDAO"); } - + /** * @return internal node service */ protected NodeService getInternalNodeService() { - return (NodeService)applicationContext.getBean("nodeService"); + return (NodeService)applicationContext.getBean("nodeService"); } - + /** * @return site service */ protected SiteService getSiteService() { - return 
(SiteService)applicationContext.getBean("SiteService"); + return (SiteService)applicationContext.getBean("SiteService"); } - + /** * @return record service */ @@ -136,7 +136,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return (RecordService)applicationContext.getBean("RecordService"); } - + /** * @return record folder service */ @@ -144,7 +144,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return (RecordFolderService)applicationContext.getBean("RecordFolderService"); } - + /** * @return freeze service */ @@ -152,7 +152,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return (FreezeService)applicationContext.getBean("FreezeService"); } - + /** * @return records management service */ @@ -160,7 +160,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return (RecordsManagementService)applicationContext.getBean("RecordsManagementService"); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#getFilePlans() */ @@ -169,15 +169,15 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return getFilePlans(StoreRef.STORE_REF_WORKSPACE_SPACESSTORE); } - + /** * @param rootContainerCache root container cache */ - public void setRootContainerCache(SimpleCache, NodeRef> rootContainerCache) + public void setRootContainerCache(SimpleCache, NodeRef> rootContainerCache) { this.rootContainerCache = rootContainerCache; } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#getFilePlans(org.alfresco.service.cmr.repository.StoreRef) */ 
@@ -185,35 +185,35 @@ public class FilePlanServiceImpl extends ServiceBaseImpl public Set getFilePlans(final StoreRef storeRef) { ParameterCheck.mandatory("storeRef", storeRef); - + final Set results = new HashSet(); Set aspects = new HashSet(1); aspects.add(ASPECT_RECORDS_MANAGEMENT_ROOT); getNodeDAO().getNodesWithAspects(aspects, Long.MIN_VALUE, Long.MAX_VALUE, new NodeDAO.NodeRefQueryCallback() - { + { @Override public boolean handle(Pair nodePair) { NodeRef nodeRef = nodePair.getSecond(); if (storeRef.equals(nodeRef.getStoreRef()) == true) - { + { results.add(nodeRef); } - + return true; } }); return results; } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#getFilePlanBySiteId(java.lang.String) */ @Override public NodeRef getFilePlanBySiteId(String siteId) { - NodeRef filePlan = null; - + NodeRef filePlan = null; + SiteInfo siteInfo = getSiteService().getSite(siteId); if (siteInfo != null) { @@ -226,10 +226,10 @@ public class FilePlanServiceImpl extends ServiceBaseImpl } } } - + return filePlan; } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#existsUnfiledContainer(org.alfresco.service.cmr.repository.NodeRef) */ @@ -237,8 +237,8 @@ public class FilePlanServiceImpl extends ServiceBaseImpl public boolean existsUnfiledContainer(NodeRef filePlan) { return (getUnfiledContainer(filePlan) != null); - } - + } + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#getUnfiledContainer(org.alfresco.service.cmr.repository.NodeRef) */ @@ -247,7 +247,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return getFilePlanRootContainer(filePlan, NAME_UNFILED_CONTAINER); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#getHoldContainer(org.alfresco.service.cmr.repository.NodeRef) */ 
@@ -256,7 +256,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return getFilePlanRootContainer(filePlan, NAME_HOLD_CONTAINER); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#getTransferContainer(org.alfresco.service.cmr.repository.NodeRef) */ @@ -265,10 +265,10 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return getFilePlanRootContainer(filePlan, NAME_TRANSFER_CONTAINER); } - + /** * Get the file root container for the given type. - * + * * @param filePlan file plan * @param containerName container type * @return {@link NodeRef} file plan container @@ -283,7 +283,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl NodeRef result = null; Pair key = new Pair(filePlan, containerName); - + if (!rootContainerCache.contains(key)) { // try and get the unfiled record container @@ -302,18 +302,18 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { result = rootContainerCache.get(key); } - + return result; } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#createUnfiledContainer(org.alfresco.service.cmr.repository.NodeRef) */ public NodeRef createUnfiledContainer(NodeRef filePlan) - { + { return createFilePlanRootContainer(filePlan, TYPE_UNFILED_RECORD_CONTAINER, NAME_UNFILED_CONTAINER); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#createHoldContainer(org.alfresco.service.cmr.repository.NodeRef) */ @@ -322,7 +322,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return createFilePlanRootContainer(filePlan, TYPE_HOLD_CONTAINER, NAME_HOLD_CONTAINER); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#createTransferContainer(org.alfresco.service.cmr.repository.NodeRef) */ 
@@ -331,9 +331,9 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return createFilePlanRootContainer(filePlan, TYPE_TRANSFER_CONTAINER, NAME_TRANSFER_CONTAINER); } - + /** - * + * * @param filePlan * @param containerType * @param containerName @@ -347,9 +347,9 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { throw new AlfrescoRuntimeException("Unable to create file plan root container, because passed node is not a file plan."); } - + String allRoles = getFilePlanRoleService().getAllRolesContainerGroup(filePlan); - + // create the properties map Map properties = new HashMap(1); properties.put(ContentModel.PROP_NAME, containerName); @@ -362,7 +362,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl containerType, properties).getChildRef(); - + // if (inheritPermissions == false) // { // set inheritance to false @@ -370,8 +370,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl getPermissionService().setPermission(container, allRoles, RMPermissionModel.READ_RECORDS, true); getPermissionService().setPermission(container, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true); getPermissionService().setPermission(container, ExtendedWriterDynamicAuthority.EXTENDED_WRITER, RMPermissionModel.FILING, true); - getPermissionService().setPermission(container, "Administrator", RMPermissionModel.FILING, true); - + // TODO set the admin users to have filing permissions on the unfiled container!!! // TODO we will need to be able to get a list of the admin roles from the service // } @@ -384,7 +383,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl return container; } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#createFilePlan(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, org.alfresco.service.namespace.QName, java.util.Map) */ 
@@ -393,21 +392,21 @@ public class FilePlanServiceImpl extends ServiceBaseImpl ParameterCheck.mandatory("parent", parent); ParameterCheck.mandatory("name", name); ParameterCheck.mandatory("type", type); - + // Check the parent is not already an RM component node // ie: you can't create a rm root in an existing rm hierarchy if (isFilePlanComponent(parent) == true) { throw new AlfrescoRuntimeException(I18NUtil.getMessage(MSG_DUP_ROOT)); } - + // Check that the passed type is a sub-type of rma:filePlan if (TYPE_FILE_PLAN.equals(type) == false && dictionaryService.isSubClass(type, TYPE_FILE_PLAN) == false) { throw new AlfrescoRuntimeException(I18NUtil.getMessage(MSG_ROOT_TYPE, type.toString())); } - + // Build map of properties Map rmRootProps = new HashMap(1); if (properties != null && properties.size() != 0) @@ -415,7 +414,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl rmRootProps.putAll(properties); } rmRootProps.put(ContentModel.PROP_NAME, name); - + // Create the root ChildAssociationRef assocRef = nodeService.createNode( parent, @@ -423,12 +422,12 @@ public class FilePlanServiceImpl extends ServiceBaseImpl QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, name), type, rmRootProps); - + // TODO do we need to create role and security groups or is this done automatically? - + return assocRef.getChildRef(); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#createFilePlan(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.util.Map) */ @@ -436,7 +435,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return createFilePlan(parent, name, TYPE_FILE_PLAN, properties); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#createFilePlan(org.alfresco.service.cmr.repository.NodeRef, java.lang.String) */ 
@@ -444,7 +443,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return createFilePlan(parent, name, TYPE_FILE_PLAN, null); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#createFilePlan(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, org.alfresco.service.namespace.QName) */ @@ -453,7 +452,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return createFilePlan(parent, name, type, null); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#getNodeRefPath(org.alfresco.service.cmr.repository.NodeRef) */ @@ -470,7 +469,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl } return nodeRefPath; } - + /** * Helper method to build a NodeRef path from the node to the RM root */ @@ -500,7 +499,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl getNodeRefPathRecursive(nodeRef, nodeRefPath); } } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#createRecordCategory(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, org.alfresco.service.namespace.QName, java.util.Map) */ @@ -509,7 +508,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl ParameterCheck.mandatory("parent", parent); ParameterCheck.mandatory("name", name); ParameterCheck.mandatory("type", type); - + // Check that the parent is a container QName parentType = nodeService.getType(parent); if (TYPE_RECORDS_MANAGEMENT_CONTAINER.equals(parentType) == false && 
@@ -517,14 +516,14 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { throw new AlfrescoRuntimeException(I18NUtil.getMessage(MSG_CONTAINER_PARENT_TYPE, parentType.toString())); } - + // Check that the the provided type is a sub-type of rm:recordCategory if (TYPE_RECORD_CATEGORY.equals(type) == false && dictionaryService.isSubClass(type, TYPE_RECORD_CATEGORY) == false) { throw new AlfrescoRuntimeException(I18NUtil.getMessage(MSG_CONTAINER_TYPE, type.toString())); } - + // Set the properties for the record category Map props = new HashMap(1); if (properties != null && properties.size() != 0) @@ -532,7 +531,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl props.putAll(properties); } props.put(ContentModel.PROP_NAME, name); - + return nodeService.createNode( parent, ContentModel.ASSOC_CONTAINS, @@ -540,7 +539,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl type, props).getChildRef(); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#createRecordCategory(org.alfresco.service.cmr.repository.NodeRef, java.lang.String) */ @@ -548,7 +547,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return createRecordCategory(parent, name, TYPE_RECORD_CATEGORY); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#createRecordCategory(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.util.Map) */ @@ -556,7 +555,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return createRecordCategory(parent, name, TYPE_RECORD_CATEGORY, properties); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#createRecordCategory(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, org.alfresco.service.namespace.QName) */ 
@@ -564,7 +563,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return createRecordCategory(parent, name, type, null); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#getAllContained(org.alfresco.service.cmr.repository.NodeRef) */ @@ -573,7 +572,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return getAllContained(container, false); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#getAllContained(org.alfresco.service.cmr.repository.NodeRef, boolean) */ @@ -582,25 +581,25 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return getContained(container, null, deep); } - + /** * Get contained nodes of a particular type. If null return all. - * + * * @param container container node reference * @param typeFilter type filter, null if none * @return {@link List}<{@link NodeRef> list of contained node references */ private List getContained(NodeRef container, QName typeFilter, boolean deep) - { + { // Parameter check ParameterCheck.mandatory("container", container); - + // Check we have a container in our hands if (isRecordCategory(container) == false) { throw new AlfrescoRuntimeException(I18NUtil.getMessage(MSG_CONTAINER_EXPECTED)); } - + List result = new ArrayList(1); List assocs = this.nodeService.getChildAssocs(container, ContentModel.ASSOC_CONTAINS, RegexQNamePattern.MATCH_ALL); for (ChildAssociationRef assoc : assocs) @@ -613,7 +612,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { result.add(child); } - + // Inspect the containers and add children if deep if (deep == true && (TYPE_RECORD_CATEGORY.equals(childType) == true || @@ -622,10 +621,10 @@ public class FilePlanServiceImpl extends ServiceBaseImpl result.addAll(getContained(child, typeFilter, deep)); } } - + return result; } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#getContainedRecordCategories(org.alfresco.service.cmr.repository.NodeRef) */ 
@@ -634,7 +633,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return getContainedRecordCategories(container, false); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#getContainedRecordCategories(org.alfresco.service.cmr.repository.NodeRef, boolean) */ @@ -643,7 +642,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return getContained(container, TYPE_RECORD_CATEGORY, deep); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#getContainedRecordFolders(org.alfresco.service.cmr.repository.NodeRef) */ @@ -652,7 +651,7 @@ public class FilePlanServiceImpl extends ServiceBaseImpl { return getContainedRecordFolders(container, false); } - + /** * @see org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService#getContainedRecordFolders(org.alfresco.service.cmr.repository.NodeRef, boolean) */ diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java index e821ab5e19..83deaeabcc 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java @@ -18,6 +18,8 @@ */ package org.alfresco.module.org_alfresco_module_rm.security; +import static org.apache.commons.lang.BooleanUtils.isTrue; + import java.util.HashSet; import java.util.List; import java.util.Set; @@ -48,7 +50,7 @@ import org.apache.commons.logging.LogFactory; /** * File plan permission service. - * + * * @author Roy Wetherall * @since 2.1 */ 
@@ -64,16 +66,16 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl /** Records management service */ protected RecordsManagementService recordsManagementService; - + /** File plan service */ protected FilePlanService filePlanService; - + /** Record service */ protected RecordService recordService; /** Logger */ protected static Log logger = LogFactory.getLog(FilePlanPermissionServiceImpl.class); - + /** * Initialisation method */ @@ -88,23 +90,23 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl TYPE_RECORD_FOLDER, new JavaBehaviour(this, "onCreateRecordFolder", NotificationFrequency.TRANSACTION_COMMIT)); policyComponent.bindClassBehaviour( - NodeServicePolicies.OnAddAspectPolicy.QNAME, - ASPECT_RECORD, + NodeServicePolicies.OnAddAspectPolicy.QNAME, + ASPECT_RECORD, new JavaBehaviour(this, "onAddRecord", NotificationFrequency.TRANSACTION_COMMIT)); policyComponent.bindClassBehaviour( - NodeServicePolicies.OnMoveNodePolicy.QNAME, - ASPECT_RECORD, + NodeServicePolicies.OnMoveNodePolicy.QNAME, + ASPECT_RECORD, new JavaBehaviour(this, "onMoveRecord", NotificationFrequency.TRANSACTION_COMMIT)); policyComponent.bindClassBehaviour( - NodeServicePolicies.OnCreateNodePolicy.QNAME, - TYPE_HOLD, + NodeServicePolicies.OnCreateNodePolicy.QNAME, + TYPE_HOLD, new JavaBehaviour(this, "onCreateHoldTransfer", NotificationFrequency.TRANSACTION_COMMIT)); policyComponent.bindClassBehaviour( - NodeServicePolicies.OnCreateNodePolicy.QNAME, - TYPE_TRANSFER, + NodeServicePolicies.OnCreateNodePolicy.QNAME, + TYPE_TRANSFER, new JavaBehaviour(this, "onCreateHoldTransfer", NotificationFrequency.TRANSACTION_COMMIT)); } - + /** * @param permissionService permission service */ @@ -112,7 +114,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl { this.permissionService = permissionService; } - + /** * @param nodeService node service */ 
@@ -120,7 +122,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl { this.nodeService = nodeService; } - + /** * @param policyComponent policy component */ @@ -128,7 +130,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl { this.policyComponent = policyComponent; } - + /** * @param recordsManagementService records management service */ @@ -136,7 +138,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl { this.recordsManagementService = recordsManagementService; } - + /** * @param filePlanService file plan service */ @@ -144,7 +146,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl { this.filePlanService = filePlanService; } - + /** * @param recordService record service */ 
@@ -156,48 +158,46 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl /** * @param childAssocRef */ - public void onCreateRMContainer(ChildAssociationRef childAssocRef) + public void onCreateRMContainer(final ChildAssociationRef childAssocRef) { - final NodeRef recordCategory = childAssocRef.getChildRef(); - setUpPermissions(recordCategory); - // Pull any permissions found on the parent (ie the record category) final NodeRef parentNodeRef = childAssocRef.getParentRef(); - if (parentNodeRef != null && nodeService.exists(parentNodeRef) == true) + if (parentNodeRef != null && nodeService.exists(parentNodeRef)) { AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork() { public Object doWork() { - boolean fillingOnly = false; - if (filePlanService.isFilePlan(parentNodeRef) == true) - { - fillingOnly = true; - } + NodeRef recordCategory = childAssocRef.getChildRef(); + boolean isParentNodeFilePlan = filePlanService.isFilePlan(parentNodeRef); + setUpPermissions(recordCategory, isParentNodeFilePlan); // since this is not a root category, inherit from parent - Set perms = permissionService.getAllSetPermissions(parentNodeRef); - for (AccessPermission perm : perms) + if (isParentNodeFilePlan) { - if (fillingOnly == false || - RMPermissionModel.FILING.equals(perm.getPermission()) == true) + Set perms = permissionService.getAllSetPermissions(parentNodeRef); + for (AccessPermission perm : perms) { - AccessStatus accessStatus = perm.getAccessStatus(); - boolean allow = false; - if (AccessStatus.ALLOWED.equals(accessStatus) == true) + if (RMPermissionModel.FILING.equals(perm.getPermission())) { - allow = true; + AccessStatus accessStatus = perm.getAccessStatus(); + boolean allow = false; + if (AccessStatus.ALLOWED.equals(accessStatus)) + { + allow = true; + } + permissionService.setPermission( + recordCategory, + perm.getAuthority(), + perm.getPermission(), + allow); } - permissionService.setPermission( - recordCategory, - perm.getAuthority(), - 
perm.getPermission(), - allow); } } return null; } + }, AuthenticationUtil.getSystemUserName()); } } @@ -208,13 +208,14 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl public void onCreateRecordFolder(ChildAssociationRef childAssocRef) { final NodeRef folderNodeRef = childAssocRef.getChildRef(); - + // initialise the permissions setUpPermissions(folderNodeRef); // Pull any permissions found on the parent (ie the record category) final NodeRef catNodeRef = childAssocRef.getParentRef(); - if (nodeService.exists(catNodeRef) == true) + if (!permissionService.getInheritParentPermissions(folderNodeRef) && + nodeService.exists(catNodeRef)) { AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork() { @@ -223,8 +224,8 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl Set perms = permissionService.getAllSetPermissions(catNodeRef); for (AccessPermission perm : perms) { - if (ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) == false && - ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(perm.getAuthority()) == false) + if (!ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) && + !ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(perm.getAuthority())) { AccessStatus accessStatus = perm.getAccessStatus(); boolean allow = false; @@ -245,12 +246,12 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl }, AuthenticationUtil.getSystemUserName()); } } - + /** * Sets ups records permission when aspect is added. - * + * * @see NodeServicePolicies.OnAddAspectPolicy#onAddAspect(NodeRef, QName) - * + * * @param record * @param aspectTypeQName */ 
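Review bot: In `onCreateRMContainer` the `setUpPermissions` call now sits inside the `parentNodeRef != null && nodeService.exists(parentNodeRef)` guard, so a category whose parent is missing at commit time gets no permission setup at all; the old code ran it before looking at the parent. If that case can occur, add an `else` branch that still initialises the new node; if it cannot, a short comment saying why would settle the question. The retained comment `// since this is not a root category, inherit from parent` now heads the `if (isParentNodeFilePlan)` branch, which is the root-category case, so I would reword it to `// root category: copy only the FILING entries set on the file plan`.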
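Review bot: The new `!permissionService.getInheritParentPermissions(folderNodeRef)` condition in `onCreateRecordFolder` is evaluated right after `setUpPermissions(folderNodeRef)`, which (per the `setUpPermissions` hunk later in this file) sets the inheritance flag from `isInheritanceAllowed(nodeRef, null)`. For a record folder that helper appears to return true, so the copy loop below looks unreachable for any folder that exists, and the same holds for the guarded loop added in `initialiseRecordPermissions`. Either drop the loops or add a comment such as `// only reached when setUpPermissions left inheritance switched off`, so the next reader does not assume parent entries are still copied. The check also runs outside the `runAs` system block, unlike the rest of the permission work in this method, whose body continues in the next hunk.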
@@ -262,18 +263,18 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl { if (nodeService.exists(record) == true && nodeService.hasAspect(record, aspectTypeQName) == true) { - NodeRef recordFolder = nodeService.getPrimaryParent(record).getParentRef(); + NodeRef recordFolder = nodeService.getPrimaryParent(record).getParentRef(); initialiseRecordPermissions(record, recordFolder); } return null; } - }, AuthenticationUtil.getSystemUserName()); + }, AuthenticationUtil.getSystemUserName()); } - + /** * Sets up permissions for transfer and hold objects - * + * * @param childAssocRef */ public void onCreateHoldTransfer(final ChildAssociationRef childAssocRef) @@ -286,7 +287,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl if (nodeService.exists(nodeRef) == true) { setUpPermissions(nodeRef); - + NodeRef parent = childAssocRef.getParentRef(); Set perms = permissionService.getAllSetPermissions(parent); for (AccessPermission perm : perms) 
@@ -308,49 +309,51 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl } } } - + return null; } }); } - + /** * Initialise the record permissions for the given parent. - * + * * NOTE: method is public so it can be accessed via the associated patch bean. - * - * @param record record + * + * @param record record * @param parent records permission parent */ public void initialiseRecordPermissions(NodeRef record, NodeRef parent) { setUpPermissions(record); - - Set perms = permissionService.getAllSetPermissions(parent); - for (AccessPermission perm : perms) + + if (!permissionService.getInheritParentPermissions(record)) { - if (ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) == false && - ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(perm.getAuthority()) == false) + Set perms = permissionService.getAllSetPermissions(parent); + for (AccessPermission perm : perms) { - AccessStatus accessStatus = perm.getAccessStatus(); - boolean allow = false; - if (AccessStatus.ALLOWED.equals(accessStatus) == true) + if (!ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) && + !ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(perm.getAuthority())) { - allow = true; + AccessStatus accessStatus = perm.getAccessStatus(); + boolean allow = false; + if (AccessStatus.ALLOWED.equals(accessStatus) == true) + { + allow = true; + } + permissionService.setPermission( + record, + perm.getAuthority(), + perm.getPermission(), + allow); } - permissionService.setPermission( - record, - perm.getAuthority(), - perm.getPermission(), - allow); } } - } - + /** * onMoveRecord behaviour - * + * * @param sourceAssocRef source association reference * @param destinationAssocRef destination association reference */ 
@@ -364,7 +367,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl if (nodeService.exists(record) == true && nodeService.hasAspect(record, ASPECT_RECORD) == true) { Set keepPerms = new HashSet(5); - + // record any permissions specifically set on the record (ie any filling or record_file permisions not on the parent) Set origionalParentPerms = permissionService.getAllSetPermissions(sourceAssocRef.getParentRef()); Set origionalRecordPerms= permissionService.getAllSetPermissions(record); @@ -374,7 +377,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(perm.getAuthority()) == false) { if ((perm.getPermission().equals(RMPermissionModel.FILING) == true || - perm.getPermission().equals(RMPermissionModel.FILE_RECORDS) == true) && + perm.getPermission().equals(RMPermissionModel.FILE_RECORDS) == true) && origionalParentPerms.contains(perm) == false) { // then we can assume this is a permission we want to preserve @@ -382,20 +385,20 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl } } } - + // clear all existing permissions and start again permissionService.deletePermissions(record); - + // re-setup the records permissions initialiseRecordPermissions(record, destinationAssocRef.getParentRef()); - + // re-add keep'er permissions for (AccessPermission keeper : keepPerms) { setPermission(record, keeper.getAuthority(), keeper.getPermission()); } } - + return null; } }, AuthenticationUtil.getSystemUserName()); 
@@ -407,14 +410,19 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl */ public void setUpPermissions(final NodeRef nodeRef) { - if (nodeService.exists(nodeRef) == true) + setUpPermissions(nodeRef, null); + } + + private void setUpPermissions(final NodeRef nodeRef, final Boolean isParentNodeFilePlan) + { + if (nodeService.exists(nodeRef)) { AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork() { public Object doWork() { // break inheritance - permissionService.setInheritParentPermissions(nodeRef, false); + permissionService.setInheritParentPermissions(nodeRef, isInheritanceAllowed(nodeRef, isParentNodeFilePlan)); // set extended reader permissions permissionService.setPermission(nodeRef, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true); @@ -424,7 +432,12 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl } }, AuthenticationUtil.getSystemUserName()); } - } + } + + private boolean isInheritanceAllowed(NodeRef nodeRef, Boolean isParentNodeFilePlan) + { + return !(isFilePlan(nodeRef) || isHold(nodeRef) || isTransfer(nodeRef) || (isRecordCategory(nodeRef) && isTrue(isParentNodeFilePlan))); + } /** * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#setPermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String, boolean) 
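Review bot: The public `setUpPermissions(nodeRef)` overload passes `null` for `isParentNodeFilePlan`, and `isInheritanceAllowed` in the next hunk reads `null` as false through `isTrue`, so a record category directly under the file plan that reaches this path would have inheritance switched on where the old code always broke it. Whether any caller does that is not visible here, but the flag can be resolved when absent, e.g. `boolean rootCategory = isParentNodeFilePlan != null ? isParentNodeFilePlan : isFilePlan(nodeService.getPrimaryParent(nodeRef).getParentRef());`, with a null check on the parent. The `// break inheritance` comment is stale now that the argument can be true; `// inherit unless this is a file plan, hold, transfer or root category` matches the code. Both new private methods should get a Javadoc that spells out the three states of the `Boolean` parameter.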
@@ -439,20 +452,16 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl { public Boolean doWork() throws Exception { - if (filePlanService.isFilePlan(nodeRef) == true) + if (filePlanService.isFilePlan(nodeRef) || + filePlanService.isFilePlanContainer(nodeRef) || + recordsManagementService.isRecordFolder(nodeRef) || + recordService.isRecord(nodeRef)) { - setPermissionDown(nodeRef, authority, permission); - } - else if (filePlanService.isFilePlanContainer(nodeRef) == true || - recordsManagementService.isRecordFolder(nodeRef) == true || - recordService.isRecord(nodeRef) == true) - { - setReadPermissionUp(nodeRef, authority); setPermissionDown(nodeRef, authority, permission); } else { - if (logger.isWarnEnabled() == true) + if (logger.isWarnEnabled()) { logger.warn("Setting permissions for this node is not supported. (nodeRef=" + nodeRef + ", authority=" + authority + ", permission=" + permission + ")"); } 
@@ -463,38 +472,6 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl }, AuthenticationUtil.getSystemUserName()); } - /** - * Helper method to set the read permission up the hierarchy - * - * @param nodeRef node reference - * @param authority authority - */ - private void setReadPermissionUp(NodeRef nodeRef, String authority) - { - NodeRef parent = nodeService.getPrimaryParent(nodeRef).getParentRef(); - if (parent != null && filePlanService.isFilePlanComponent(parent) == true) - { - setReadPermissionUpImpl(parent, authority); - } - } - - /** - * Helper method used to set the read permission up the hierarchy - * - * @param nodeRef node reference - * @param authority authority - */ - private void setReadPermissionUpImpl(NodeRef nodeRef, String authority) - { - setPermissionImpl(nodeRef, authority, RMPermissionModel.READ_RECORDS); - - NodeRef parent = nodeService.getPrimaryParent(nodeRef).getParentRef(); - if (parent != null && filePlanService.isFilePlanComponent(parent) == true) - { - setReadPermissionUpImpl(parent, authority); - } - } - /** * Helper method to set the permission down the hierarchy * 
@@ -504,27 +481,25 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl */ private void setPermissionDown(NodeRef nodeRef, String authority, String permission) { + // set permissions + setPermissionImpl(nodeRef, authority, permission); + // skip out node's that inherit (for example hold and transfer) - if (permissionService.getInheritParentPermissions(nodeRef) == false) + if (!permissionService.getInheritParentPermissions(nodeRef) && + (filePlanService.isFilePlanContainer(nodeRef) || + recordsManagementService.isRecordFolder(nodeRef))) { - // set permissions - setPermissionImpl(nodeRef, authority, permission); - - if (filePlanService.isFilePlanContainer(nodeRef) == true || - recordsManagementService.isRecordFolder(nodeRef) == true) - { - List assocs = nodeService.getChildAssocs(nodeRef, ContentModel.ASSOC_CONTAINS, RegexQNamePattern.MATCH_ALL); - for (ChildAssociationRef assoc : assocs) + List assocs = nodeService.getChildAssocs(nodeRef, ContentModel.ASSOC_CONTAINS, RegexQNamePattern.MATCH_ALL); + for (ChildAssociationRef assoc : assocs) + { + NodeRef child = assoc.getChildRef(); + if (filePlanService.isFilePlanContainer(child) || + recordsManagementService.isRecordFolder(child) || + recordService.isRecord(child) || + instanceOf(child, TYPE_HOLD) || + instanceOf(child, TYPE_TRANSFER)) { - NodeRef child = assoc.getChildRef(); - if (filePlanService.isFilePlanContainer(child) == true || - recordsManagementService.isRecordFolder(child) == true || - recordService.isRecord(child) == true || - instanceOf(child, TYPE_HOLD) == true || - instanceOf(child, TYPE_TRANSFER) == true) - { - setPermissionDown(child, authority, permission); - } + setPermissionDown(child, authority, permission); } } } 
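Review bot: `setPermissionDown` now stops descending as soon as the current node inherits, which assumes that nothing below an inheriting node has inheritance switched off or carries its own explicit entry. Nothing in this hunk enforces that, and the same guard in the `deletePermission` hunk that follows means a revoke could leave a grant in place on such a descendant. I would state the invariant in the Javadoc, e.g. `Relies on every node below an inheriting node also inheriting; explicit entries further down are not touched.`, or move the inherit check onto each child inside the loop. The comments `// skip out node's that inherit` and `// can't delete permissions if inherited` now sit below an unconditional set and delete, so they should be reworded to describe the descent only.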
@@ -557,27 +532,25 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl { public Boolean doWork() throws Exception { + // Delete permission on this node + permissionService.deletePermission(nodeRef, authority, permission); + // can't delete permissions if inherited (eg hold and transfer containers) - if (permissionService.getInheritParentPermissions(nodeRef) == false) + if (!permissionService.getInheritParentPermissions(nodeRef) && + (filePlanService.isFilePlanContainer(nodeRef) || + recordsManagementService.isRecordFolder(nodeRef))) { - // Delete permission on this node - permissionService.deletePermission(nodeRef, authority, permission); - - if (filePlanService.isFilePlanContainer(nodeRef) == true || - recordsManagementService.isRecordFolder(nodeRef) == true) + List assocs = nodeService.getChildAssocs(nodeRef, ContentModel.ASSOC_CONTAINS, RegexQNamePattern.MATCH_ALL); + for (ChildAssociationRef assoc : assocs) { - List assocs = nodeService.getChildAssocs(nodeRef, ContentModel.ASSOC_CONTAINS, RegexQNamePattern.MATCH_ALL); - for (ChildAssociationRef assoc : assocs) + NodeRef child = assoc.getChildRef(); + if (filePlanService.isFilePlanContainer(child) || + recordsManagementService.isRecordFolder(child) || + recordService.isRecord(child)|| + instanceOf(child, TYPE_HOLD) || + instanceOf(child, TYPE_TRANSFER)) { - NodeRef child = assoc.getChildRef(); - if (filePlanService.isFilePlanContainer(child) == true || - recordsManagementService.isRecordFolder(child) == true || - recordService.isRecord(child) == true|| - instanceOf(child, TYPE_HOLD) == true || - instanceOf(child, TYPE_TRANSFER) == true) - { - deletePermission(child, authority, permission); - } + deletePermission(child, authority, permission); } } } 
diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java index 72a8e4e268..3510702189 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java @@ -28,7 +28,7 @@ import org.springframework.extensions.webscripts.GUID; /** * File plan permission service unit test - * + * * @author Roy Wetherall * @since 2.1 */ @@ -42,16 +42,16 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase { return true; } - + /** * @see org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase#isRecordTest() */ @Override protected boolean isRecordTest() { - return true; + return true; } - + /** * Helper to create test user */ @@ -69,7 +69,7 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase } }, AuthenticationUtil.getSystemUserName()); } - + /** * Helper to set permission */ @@ -83,9 +83,9 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase filePlanPermissionService.setPermission(nodeRef, userName, permission); return null; } - }); + }); } - + /** * Helper to delete permission */ @@ -99,17 +99,17 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase filePlanPermissionService.deletePermission(nodeRef, userName, permission); return null; } - }); + }); } - + /** * test set/delete permissions on file plan */ public void testSetDeletePermissionFilePlan() throws Exception { String userName = createTestUser(); - - assertPermissions(userName, + + assertPermissions(userName, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file AccessStatus.DENIED, // category read 
@@ -118,10 +118,10 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase AccessStatus.DENIED, // record folder file AccessStatus.DENIED, // record read AccessStatus.DENIED); // record file - + setPermission(filePlan, userName, RMPermissionModel.FILING); - - assertPermissions(userName, + + assertPermissions(userName, AccessStatus.ALLOWED, // fileplan read AccessStatus.ALLOWED, // fileplan file AccessStatus.ALLOWED, // category read @@ -130,10 +130,10 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase AccessStatus.ALLOWED, // record folder file AccessStatus.ALLOWED, // record read AccessStatus.ALLOWED); // record file - + deletePermission(filePlan, userName, RMPermissionModel.FILING); - - assertPermissions(userName, + + assertPermissions(userName, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file AccessStatus.DENIED, // category read @@ -142,12 +142,12 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase AccessStatus.DENIED, // record folder file AccessStatus.DENIED, // record read AccessStatus.DENIED); // record file - + //what happens if we try and remove READ for a normal user on the file plan ??? deletePermission(filePlan, userName, RMPermissionModel.READ_RECORDS); - + // nothing .. user still has read on file plan .. only removing the user from all roles will remove read on file plan - assertPermissions(userName, + assertPermissions(userName, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file AccessStatus.DENIED, // category read 
@@ -157,15 +157,15 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase AccessStatus.DENIED, // record read AccessStatus.DENIED); // record file } - + /** * Test set/delete permission on record categorty */ public void testSetDeletePermissionRecordCategory() throws Exception { String userName = createTestUser(); - - assertPermissions(userName, + + assertPermissions(userName, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file AccessStatus.DENIED, // category read @@ -174,10 +174,10 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase AccessStatus.DENIED, // record folder file AccessStatus.DENIED, // record read AccessStatus.DENIED); // record file - + setPermission(rmContainer, userName, RMPermissionModel.FILING); - assertPermissions(userName, + assertPermissions(userName, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file AccessStatus.ALLOWED, // category read @@ -186,10 +186,10 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase AccessStatus.ALLOWED, // record folder file AccessStatus.ALLOWED, // record read AccessStatus.ALLOWED); // record file - + deletePermission(rmContainer, userName, RMPermissionModel.FILING); - - assertPermissions(userName, + + assertPermissions(userName, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file AccessStatus.DENIED, // category read @@ -199,15 +199,15 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase AccessStatus.DENIED, // record read AccessStatus.DENIED); // record file } - + /** * Test set/delete permission on record folder */ public void testSetDeletePermissionRecordFolder() throws Exception { String userName = createTestUser(); - - assertPermissions(userName, + + assertPermissions(userName, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file AccessStatus.DENIED, // category read 
@@ -216,40 +216,40 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase AccessStatus.DENIED, // record folder file AccessStatus.DENIED, // record read AccessStatus.DENIED); // record file - + setPermission(rmFolder, userName, RMPermissionModel.FILING); - assertPermissions(userName, + assertPermissions(userName, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file - AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category read AccessStatus.DENIED, // category file AccessStatus.ALLOWED, // record folder read AccessStatus.ALLOWED, // record folder file AccessStatus.ALLOWED, // record read AccessStatus.ALLOWED); // record file - + deletePermission(rmFolder, userName, RMPermissionModel.FILING); - assertPermissions(userName, + assertPermissions(userName, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file - AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category read AccessStatus.DENIED, // category file AccessStatus.DENIED, // record folder read AccessStatus.DENIED, // record folder file AccessStatus.DENIED, // record read AccessStatus.DENIED); // record file } - + /** * Test set/delete permission on record */ public void testSetDeletePermissionRecord() throws Exception { String userName = createTestUser(); - - assertPermissions(userName, + + assertPermissions(userName, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file AccessStatus.DENIED, // category read 
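Review bot: The `category read` expectations after `setPermission(rmFolder, ...)` and `deletePermission(rmFolder, ...)` flip from ALLOWED to DENIED with no comment saying why a grant on a folder no longer gives read on the parent category. A one-line comment above the second `assertPermissions` call would record the intended access model, e.g. `// FILING on the folder does not imply READ_RECORDS on the parent category`. The same flip recurs in the record and move-record tests in the following hunks, where `record folder read` changes as well. testSetDeletePermissionRecordFolder begins in the previous hunk.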
@@ -258,48 +258,48 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase AccessStatus.DENIED, // record folder file AccessStatus.DENIED, // record read AccessStatus.DENIED); // record file - + setPermission(recordOne, userName, RMPermissionModel.FILING); - assertPermissions(userName, + assertPermissions(userName, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file - AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category read AccessStatus.DENIED, // category file - AccessStatus.ALLOWED, // record folder read + AccessStatus.DENIED, // record folder read AccessStatus.DENIED, // record folder file AccessStatus.ALLOWED, // record read AccessStatus.ALLOWED); // record file - + deletePermission(recordOne, userName, RMPermissionModel.FILING); - assertPermissions(userName, + assertPermissions(userName, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file - AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category read AccessStatus.DENIED, // category file - AccessStatus.ALLOWED, // record folder read + AccessStatus.DENIED, // record folder read AccessStatus.DENIED, // record folder file AccessStatus.DENIED, // record read AccessStatus.DENIED); // record file } - + public void testMoveRecord() throws Exception { String userOne = createTestUser(); String userTwo = createTestUser(); String userThree = createTestUser(); - + final NodeRef otherFolder = doTestInTransaction(new Test() { @Override public NodeRef run() { - return rmService.createRecordFolder(rmContainer, "otherFolder"); + return rmService.createRecordFolder(rmContainer, "otherFolder"); } }); - - assertPermissions(userOne, + + assertPermissions(userOne, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file AccessStatus.DENIED, // category read 
@@ -318,7 +318,7 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }, userOne); - assertPermissions(userTwo, + assertPermissions(userTwo, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file AccessStatus.DENIED, // category read @@ -337,7 +337,7 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }, userTwo); - assertPermissions(userThree, + assertPermissions(userThree, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file AccessStatus.DENIED, // category read @@ -356,15 +356,15 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }, userThree); - + setPermission(rmFolder, userOne, RMPermissionModel.FILING); setPermission(otherFolder, userTwo, RMPermissionModel.FILING); setPermission(recordOne, userThree, RMPermissionModel.FILING); - - assertPermissions(userOne, + + assertPermissions(userOne, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file - AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category read AccessStatus.DENIED, // category file AccessStatus.ALLOWED, // record folder read AccessStatus.ALLOWED, // record folder file @@ -380,10 +380,10 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }, userOne); - assertPermissions(userTwo, + assertPermissions(userTwo, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file - AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category read AccessStatus.DENIED, // category file AccessStatus.DENIED, // record folder read AccessStatus.DENIED, // record folder file 
@@ -399,12 +399,12 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }, userTwo); - assertPermissions(userThree, + assertPermissions(userThree, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file - AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category read AccessStatus.DENIED, // category file - AccessStatus.ALLOWED, // record folder read + AccessStatus.DENIED, // record folder read AccessStatus.DENIED, // record folder file AccessStatus.ALLOWED, // record read AccessStatus.ALLOWED); // record file @@ -418,7 +418,7 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }, userThree); - + // move the record! doTestInTransaction(new Test() { @@ -429,11 +429,11 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }); - - assertPermissions(userOne, + + assertPermissions(userOne, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file - AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category read AccessStatus.DENIED, // category file AccessStatus.ALLOWED, // record folder read AccessStatus.ALLOWED, // record folder file @@ -449,10 +449,10 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }, userOne); - assertPermissions(userTwo, + assertPermissions(userTwo, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file - AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category read AccessStatus.DENIED, // category file AccessStatus.DENIED, // record folder read AccessStatus.DENIED, // record folder file 
@@ -468,12 +468,12 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }, userTwo); - assertPermissions(userThree, + assertPermissions(userThree, AccessStatus.ALLOWED, // fileplan read AccessStatus.DENIED, // fileplan file - AccessStatus.ALLOWED, // category read + AccessStatus.DENIED, // category read AccessStatus.DENIED, // category file - AccessStatus.ALLOWED, // record folder read + AccessStatus.DENIED, // record folder read AccessStatus.DENIED, // record folder file AccessStatus.ALLOWED, // record read AccessStatus.ALLOWED); // record file 
@@ -482,43 +482,43 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase @Override public Void run() { - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(otherFolder, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.READ_RECORDS)); assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.FILING)); return null; } }, userThree); - + } - - + + /** * Helper to assert permissions for passed user */ private void assertPermissions(final String userName, final AccessStatus ... accessStatus) { assertEquals(8, accessStatus.length); - + doTestInTransaction(new Test() { @Override public Void run() { - assertEquals("Everyone who has a role has read permissions on the file plan", + assertEquals("Everyone who has a role has read permissions on the file plan", accessStatus[0], permissionService.hasPermission(filePlan, RMPermissionModel.READ_RECORDS)); assertEquals(accessStatus[1], permissionService.hasPermission(filePlan, RMPermissionModel.FILING)); - + assertEquals(accessStatus[2], permissionService.hasPermission(rmContainer, RMPermissionModel.READ_RECORDS)); assertEquals(accessStatus[3], permissionService.hasPermission(rmContainer, RMPermissionModel.FILING)); - + assertEquals(accessStatus[4], permissionService.hasPermission(rmFolder, RMPermissionModel.READ_RECORDS)); assertEquals(accessStatus[5], permissionService.hasPermission(rmFolder, RMPermissionModel.FILING)); - + assertEquals(accessStatus[6], permissionService.hasPermission(recordOne, RMPermissionModel.READ_RECORDS)); assertEquals(accessStatus[7], permissionService.hasPermission(recordOne, RMPermissionModel.FILING)); - + return null; } }, userName); } - + } From e6bceec830edd44d457f5d9f8d0efc5e0422e12b Mon Sep 17 00:00:00 2001 
From: Tuna Aksoy Date: Tue, 14 Oct 2014 21:46:05 +0000 Subject: [PATCH 13/29] RM-1661 (Performance on setting permissions at a high category level) * Fixed failing unit tests git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88092 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../test/capabilities/DeclarativeCapabilityTest.java | 1 + 1 file changed, 1 insertion(+) diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/capabilities/DeclarativeCapabilityTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/capabilities/DeclarativeCapabilityTest.java index 948770e112..98efb778ca 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/capabilities/DeclarativeCapabilityTest.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/capabilities/DeclarativeCapabilityTest.java @@ -135,6 +135,7 @@ public class DeclarativeCapabilityTest extends BaseRMTestCase for (String user : testUsers) { filePlanPermissionService.setPermission(rmFolder, user, RMPermissionModel.FILING); + filePlanPermissionService.setPermission(rmContainer, user, RMPermissionModel.READ_RECORDS); filePlanPermissionService.setPermission(moveToFolder, user, RMPermissionModel.READ_RECORDS); filePlanPermissionService.setPermission(moveToCategory, user, RMPermissionModel.READ_RECORDS); } From 867f22b20e75df565fdbb768f050fb53018219c2 Mon Sep 17 00:00:00 2001 
From: Tuna Aksoy Date: Wed, 15 Oct 2014 12:52:16 +0000 Subject: [PATCH 14/29] RM-1661 (Performance on setting permissions at a high category level) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88144 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../alfresco/rma/rmpermissions.get.desc.xml | 9 -- .../org/alfresco/rma/rmpermissions.get.js | 86 ------------------- .../alfresco/rma/rmpermissions.get.json.ftl | 22 ----- .../alfresco/rma/rmpermissions.post.json.js | 23 +++-- 4 files changed, 14 insertions(+), 126 deletions(-) delete mode 100644 rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/rmpermissions.get.desc.xml delete mode 100644 rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/rmpermissions.get.js delete mode 100644 rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/rmpermissions.get.json.ftl diff --git a/rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/rmpermissions.get.desc.xml b/rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/rmpermissions.get.desc.xml deleted file mode 100644 index cd90572016..0000000000 --- a/rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/rmpermissions.get.desc.xml +++ /dev/null @@ -1,9 +0,0 @@ - - Records Management Permissions - Retrieve the Permissions set against a Records Management node. - /api/node/{store_type}/{store_id}/{id}/rmpermissions - argument - user - required - internal - \ No newline at end of file diff --git a/rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/rmpermissions.get.js b/rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/rmpermissions.get.js deleted file mode 100644 index 439a2654ac..0000000000 --- a/rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/rmpermissions.get.js +++ /dev/null 
@@ -1,86 +0,0 @@ -/** - * Entry point for rmpermissions GET data webscript. - * Queries the permissions from an RM node and constructs the data-model for the template. - * - * @method main - */ -function main() -{ - // Get the node from the URL - var pathSegments = url.match.split("/"); - var reference = [ url.templateArgs.store_type, url.templateArgs.store_id ].concat(url.templateArgs.id.split("/")); - var node = search.findNode(pathSegments[2], reference); - - // 404 if the node is not found - if (node == null) - { - status.setCode(status.STATUS_NOT_FOUND, "The node could not be found"); - return; - } - - // retrieve permissions applied to this node - var permissions = node.getFullPermissions(); - - // split tokens - results are in the format: - // [ALLOWED|DENIED];[USERNAME|GROUPNAME];PERMISSION;[INHERITED|DIRECT] - var result = []; - for (var i=0; i -{ - "data": - { - "permissions": - [ - <#list permissions as perm> - { - "id": "${perm.id}", - "authority": - { - "id": "${perm.authority.id}", - "label": "${perm.authority.label}" - }, - "inherited": ${perm.inherited?string} - }<#if perm_has_next>, - - ], - "inherited": ${inherited?string} - } -} - \ No newline at end of file diff --git a/rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/rmpermissions.post.json.js b/rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/rmpermissions.post.json.js index 6aa731567e..a29ec41b13 100644 --- a/rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/rmpermissions.post.json.js +++ b/rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/rmpermissions.post.json.js @@ -1,7 +1,7 @@ /** * Entry point for rmpermissions POST data webscript. * Applies supplied RM permissions to an RM node. - * + * * @method main */ function main() 
@@ -10,41 +10,46 @@ function main() var pathSegments = url.match.split("/"); var reference = [ url.templateArgs.store_type, url.templateArgs.store_id ].concat(url.templateArgs.id.split("/")); var node = search.findNode(pathSegments[2], reference); - + // 404 if the node is not found if (node == null) { status.setCode(status.STATUS_NOT_FOUND, "The node could not be found"); return; } - + if (json.has("permissions") == false) { status.setCode(status.STATUS_BAD_REQUEST, "Permissions value missing from request."); } - + + if (json.has("isInherited")) + { + node.setInheritsPermissions(json.getBoolean("isInherited")); + } + var permissions = json.getJSONArray("permissions"); for (var i=0; i Date: Wed, 15 Oct 2014 16:28:01 +0000 Subject: [PATCH 15/29] RM-1724 (Inheritance is not off for root categories, unfiled records, holds and transfers) RM-1725 (Inheritance is not working properly) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88182 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../FilePlanPermissionServiceImpl.java | 109 ++++-------------- .../util/ServiceBaseImpl.java | 59 ++++++---- 2 files changed, 61 insertions(+), 107 deletions(-) diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java index 83deaeabcc..aa6391f52a 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java 
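Review bot: The added `isInherited` block still runs for a request already marked 400, because the `permissions` check just above it sets the status without returning; add `return;` after that `status.setCode(status.STATUS_BAD_REQUEST, ...)` call so a malformed request cannot reach `node.setInheritsPermissions(...)`. The toggle is also applied directly to whatever node the URL resolves to, so it is not subject to the rule in `isInheritanceAllowed` (FilePlanPermissionServiceImpl, later in this series) that keeps inheritance off for the file plan, holds, transfers and root categories. Consider rejecting the flag for those node types, or routing the change through the permission service. The rest of this hunk is truncated on the page, so the loop body could not be reviewed.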
@@ -21,10 +21,8 @@ package org.alfresco.module.org_alfresco_module_rm.security; import static org.apache.commons.lang.BooleanUtils.isTrue; import java.util.HashSet; -import java.util.List; import java.util.Set; -import org.alfresco.model.ContentModel; import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService; import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService; @@ -43,7 +41,6 @@ import org.alfresco.service.cmr.security.AccessPermission; import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.security.PermissionService; import org.alfresco.service.namespace.QName; -import org.alfresco.service.namespace.RegexQNamePattern; import org.alfresco.util.ParameterCheck; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -404,11 +401,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl }, AuthenticationUtil.getSystemUserName()); } - /** - * - * @param nodeRef - */ - public void setUpPermissions(final NodeRef nodeRef) + private void setUpPermissions(final NodeRef nodeRef) { setUpPermissions(nodeRef, null); } @@ -421,7 +414,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl { public Object doWork() { - // break inheritance + // set inheritance permissionService.setInheritParentPermissions(nodeRef, isInheritanceAllowed(nodeRef, isParentNodeFilePlan)); // set extended reader permissions 
@@ -436,7 +429,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl private boolean isInheritanceAllowed(NodeRef nodeRef, Boolean isParentNodeFilePlan) { - return !(isFilePlan(nodeRef) || isHold(nodeRef) || isTransfer(nodeRef) || (isRecordCategory(nodeRef) && isTrue(isParentNodeFilePlan))); + return !(isFilePlan(nodeRef) || isTransfer(nodeRef) || isHold(nodeRef) || isUnfiledRecordsContainer(nodeRef) || (isRecordCategory(nodeRef) && isTrue(isParentNodeFilePlan))); } /** @@ -452,12 +445,16 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl { public Boolean doWork() throws Exception { - if (filePlanService.isFilePlan(nodeRef) || - filePlanService.isFilePlanContainer(nodeRef) || - recordsManagementService.isRecordFolder(nodeRef) || - recordService.isRecord(nodeRef)) + if (canPerformPermissionAction(nodeRef)) { - setPermissionDown(nodeRef, authority, permission); + if (RMPermissionModel.FILING.equals(permission)) + { + // Remove record read permission before adding filing permission + permissionService.deletePermission(nodeRef, authority, RMPermissionModel.READ_RECORDS); + } + + // Set the permission on the node + permissionService.setPermission(nodeRef, authority, permission, true); } else { 
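Review bot: `isInheritanceAllowed` treats a record category as a root category only when the caller passes `isParentNodeFilePlan` as true. The one-argument `setUpPermissions(nodeRef)` passes `null`, and `isTrue(null)` is false, so a root category set up through that path would keep inheriting from the file plan. Whether that path is reachable for root categories cannot be told from this hunk; if it is, derive the flag from the node's primary parent instead of trusting the argument. Otherwise state the contract in a comment, e.g. `// a null isParentNodeFilePlan is treated as "parent is not the file plan"`.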
@@ -472,57 +469,6 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl }, AuthenticationUtil.getSystemUserName()); } - /** - * Helper method to set the permission down the hierarchy - * - * @param nodeRef node reference - * @param authority authority - * @param permission permission - */ - private void setPermissionDown(NodeRef nodeRef, String authority, String permission) - { - // set permissions - setPermissionImpl(nodeRef, authority, permission); - - // skip out node's that inherit (for example hold and transfer) - if (!permissionService.getInheritParentPermissions(nodeRef) && - (filePlanService.isFilePlanContainer(nodeRef) || - recordsManagementService.isRecordFolder(nodeRef))) - { - List assocs = nodeService.getChildAssocs(nodeRef, ContentModel.ASSOC_CONTAINS, RegexQNamePattern.MATCH_ALL); - for (ChildAssociationRef assoc : assocs) - { - NodeRef child = assoc.getChildRef(); - if (filePlanService.isFilePlanContainer(child) || - recordsManagementService.isRecordFolder(child) || - recordService.isRecord(child) || - instanceOf(child, TYPE_HOLD) || - instanceOf(child, TYPE_TRANSFER)) - { - setPermissionDown(child, authority, permission); - } - } - } - } - - /** - * Set the permission, taking into account that filing is a superset of read - * - * @param nodeRef - * @param authority - * @param permission - */ - private void setPermissionImpl(NodeRef nodeRef, String authority, String permission) - { - if (RMPermissionModel.FILING.equals(permission) == true) - { - // Remove record read permission before adding filing permission - permissionService.deletePermission(nodeRef, authority, RMPermissionModel.READ_RECORDS); - } - - permissionService.setPermission(nodeRef, authority, permission, true); - } - /** * @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#deletePermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String) */ 
@@ -532,26 +478,16 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl { public Boolean doWork() throws Exception { - // Delete permission on this node - permissionService.deletePermission(nodeRef, authority, permission); - - // can't delete permissions if inherited (eg hold and transfer containers) - if (!permissionService.getInheritParentPermissions(nodeRef) && - (filePlanService.isFilePlanContainer(nodeRef) || - recordsManagementService.isRecordFolder(nodeRef))) + if (canPerformPermissionAction(nodeRef)) { - List assocs = nodeService.getChildAssocs(nodeRef, ContentModel.ASSOC_CONTAINS, RegexQNamePattern.MATCH_ALL); - for (ChildAssociationRef assoc : assocs) + // Delete permission on this node + permissionService.deletePermission(nodeRef, authority, permission); + } + else + { + if (logger.isWarnEnabled()) { - NodeRef child = assoc.getChildRef(); - if (filePlanService.isFilePlanContainer(child) || - recordsManagementService.isRecordFolder(child) || - recordService.isRecord(child)|| - instanceOf(child, TYPE_HOLD) || - instanceOf(child, TYPE_TRANSFER)) - { - deletePermission(child, authority, permission); - } + logger.warn("Deleting permissions for this node is not supported. (nodeRef=" + nodeRef + ", authority=" + authority + ", permission=" + permission + ")"); } } @@ -559,4 +495,9 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl } }, AuthenticationUtil.getSystemUserName()); } + + private boolean canPerformPermissionAction(NodeRef nodeRef) + { + return filePlanService.isFilePlanContainer(nodeRef) || recordsManagementService.isRecordFolder(nodeRef) || recordService.isRecord(nodeRef); + } } diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/util/ServiceBaseImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/util/ServiceBaseImpl.java index 21e1e349c6..5f05b6331e 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/util/ServiceBaseImpl.java 
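Review bot: `deletePermission` now removes the entry on the given node only, while the removed `setPermissionDown` wrote an explicit entry on every descendant. In a repository that ran the earlier code, revoking at a category would therefore leave those direct grants on child folders and records, unless an upgrade step outside this hunk clears them. The new `else` branch also only logs at warn level, so a revoke on an unsupported node returns normally without changing anything. Consider failing that call instead of logging, and add a comment on the method noting that revocation relies on inheritance and does not touch entries set directly on children. The enclosing method starts before the hunk.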
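Review bot: `canPerformPermissionAction` drops the `filePlanService.isFilePlan(nodeRef)` term that the removed condition in `setPermission` had, and it has no Javadoc saying which node types are supported. The tests in this series still expect `setPermission(filePlan, ...)` to take effect, so `isFilePlanContainer` presumably covers the file plan, but the hunk does not show that. Either restore the term (`filePlanService.isFilePlan(nodeRef) || ...`) or add a comment such as `// the file plan itself is matched by isFilePlanContainer`.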
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/util/ServiceBaseImpl.java @@ -40,7 +40,7 @@ import org.springframework.context.ApplicationContextAware; /** * Helper base class for service implementations. - * + * * @author Roy Wetherall * @since 2.1 */ @@ -54,7 +54,7 @@ public class ServiceBaseImpl implements RecordsManagementModel, ApplicationConte /** Application context */ protected ApplicationContext applicationContext; - + /** internal node service */ private NodeService internalNodeService; @@ -82,7 +82,7 @@ public class ServiceBaseImpl implements RecordsManagementModel, ApplicationConte { this.dictionaryService = dictionaryService; } - + /** * Helper to get internal node service. *

@@ -94,10 +94,10 @@ public class ServiceBaseImpl implements RecordsManagementModel, ApplicationConte { internalNodeService = (NodeService)applicationContext.getBean("dbNodeService"); } - + return internalNodeService; } - + /** * Gets the file plan component kind from the given node reference * @@ -117,7 +117,7 @@ public class ServiceBaseImpl implements RecordsManagementModel, ApplicationConte if (isFilePlanComponent(nodeRef)) { result = FilePlanComponentKind.FILE_PLAN_COMPONENT; - + if (isFilePlan(nodeRef)) { result = FilePlanComponentKind.FILE_PLAN; @@ -146,12 +146,12 @@ public class ServiceBaseImpl implements RecordsManagementModel, ApplicationConte { result = FilePlanComponentKind.DISPOSITION_SCHEDULE; } - else if (instanceOf(nodeRef, TYPE_UNFILED_RECORD_CONTAINER)) + else if (isUnfiledRecordsContainer(nodeRef)) { result = FilePlanComponentKind.UNFILED_RECORD_CONTAINER; } } - + if (result != null) { map.put(nodeRef, result); @@ -297,7 +297,7 @@ public class ServiceBaseImpl implements RecordsManagementModel, ApplicationConte ParameterCheck.mandatory("nodeRef", nodeRef); boolean isHold = false; - if (getInternalNodeService().exists(nodeRef) && + if (getInternalNodeService().exists(nodeRef) && instanceOf(nodeRef, TYPE_HOLD)) { isHold = true; 
@@ -316,10 +316,23 @@ public class ServiceBaseImpl implements RecordsManagementModel, ApplicationConte return instanceOf(nodeRef, TYPE_TRANSFER); } - + + /** + * Indicates whether the given node reference is an unfiled records container or not. + * + * @param nodeRef node reference + * @return boolean true if rma:unfiledRecordContainer or sub-type, false otherwise + */ + public boolean isUnfiledRecordsContainer(NodeRef nodeRef) + { + ParameterCheck.mandatory("nodeRef", nodeRef); + + return instanceOf(nodeRef, TYPE_UNFILED_RECORD_CONTAINER); + } + /** * Indicates whether a record is complete or not. - * + * * @see org.alfresco.module.org_alfresco_module_rm.record.RecordService#isDeclared(org.alfresco.service.cmr.repository.NodeRef) */ public boolean isDeclared(NodeRef record) @@ -338,12 +351,12 @@ public class ServiceBaseImpl implements RecordsManagementModel, ApplicationConte public NodeRef getFilePlan(final NodeRef nodeRef) { NodeRef result = null; - if (nodeRef != null) - { + if (nodeRef != null) + { Map transactionCache = TransactionalResourceHelper.getMap("rm.servicebase.getFilePlan"); if (transactionCache.containsKey(nodeRef)) { - result = transactionCache.get(nodeRef); + result = transactionCache.get(nodeRef); } else { @@ -363,7 +376,7 @@ public class ServiceBaseImpl implements RecordsManagementModel, ApplicationConte } } } - + // cache result in transaction transactionCache.put(nodeRef, result); } @@ -381,11 +394,11 @@ public class ServiceBaseImpl implements RecordsManagementModel, ApplicationConte protected boolean instanceOf(NodeRef nodeRef, QName ofClassName) { ParameterCheck.mandatory("nodeRef", nodeRef); - ParameterCheck.mandatory("ofClassName", ofClassName); - QName className = getInternalNodeService().getType(nodeRef); + ParameterCheck.mandatory("ofClassName", ofClassName); + QName className = getInternalNodeService().getType(nodeRef); return instanceOf(className, ofClassName); } - + private static Map instanceOfCache = new HashMap(); /** 
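Review bot: The new `isUnfiledRecordsContainer` calls `instanceOf` directly, whereas `isHold` just above first checks `getInternalNodeService().exists(nodeRef)`. Since `instanceOf` reads the node type through `getType(nodeRef)`, a reference to a deleted node would probably raise an exception here rather than return false, and the method now feeds the inheritance decision in `isInheritanceAllowed`. If a stale reference can reach it, guard it the same way as `isHold`: `return getInternalNodeService().exists(nodeRef) && instanceOf(nodeRef, TYPE_UNFILED_RECORD_CONTAINER);`.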
@@ -399,25 +412,25 @@ public class ServiceBaseImpl implements RecordsManagementModel, ApplicationConte { ParameterCheck.mandatory("className", className); ParameterCheck.mandatory("ofClassName", ofClassName); - + boolean result = false; - + String key = className.toString() + "|" + ofClassName.toString(); if (instanceOfCache.containsKey(key)) { result = instanceOfCache.get(key); } else - { + { if (ofClassName.equals(className) || dictionaryService.isSubClass(className, ofClassName)) { result = true; } - + instanceOfCache.put(key, result); } - + return result; } From d0e5c0207314994da045eac173d5f1b4473af0bc Mon Sep 17 00:00:00 2001 From: Tuna Aksoy Date: Wed, 15 Oct 2014 19:23:51 +0000 Subject: [PATCH 16/29] RM-1661 (Performance on setting permissions at a high category level) * Added unit tests git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88192 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../FilePlanPermissionServiceImplTest.java | 194 +++++++++++++++++- 1 file changed, 188 insertions(+), 6 deletions(-) diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java index 3510702189..1d48609319 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java 
@@ -124,12 +124,12 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase assertPermissions(userName, AccessStatus.ALLOWED, // fileplan read AccessStatus.ALLOWED, // fileplan file - AccessStatus.ALLOWED, // category read - AccessStatus.ALLOWED, // category file - AccessStatus.ALLOWED, // record folder read - AccessStatus.ALLOWED, // record folder file - AccessStatus.ALLOWED, // record read - AccessStatus.ALLOWED); // record file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file deletePermission(filePlan, userName, RMPermissionModel.FILING); 
@@ -521,4 +521,186 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase }, userName); } + public void testFilePlanComponentInheritance() + { + doTestInTransaction(new Test() + { + @Override + public Void run() + { + // Inheritance is turned off for file plan, transfer, holds, unfiled records and root categories + // it is turned on for sub categories, record folders and records + assertFalse(permissionService.getInheritParentPermissions(filePlan)); + assertFalse(permissionService.getInheritParentPermissions(filePlanService.getTransferContainer(filePlan))); + assertFalse(permissionService.getInheritParentPermissions(filePlanService.getHoldContainer(filePlan))); + assertFalse(permissionService.getInheritParentPermissions(unfiledContainer)); + assertFalse(permissionService.getInheritParentPermissions(rmContainer)); + assertTrue(permissionService.getInheritParentPermissions(rmService.createRecordFolder(rmContainer, "subCategory"))); + assertTrue(permissionService.getInheritParentPermissions(rmFolder)); + assertTrue(permissionService.getInheritParentPermissions(recordOne)); + + return null; + } + }, rmAdminName); + } + + public void testRolesSetByDefault() + { + final NodeRef transferContainer = filePlanService.getTransferContainer(filePlan); + final NodeRef holdContainer = filePlanService.getHoldContainer(filePlan); + final NodeRef subCategory = rmService.createRecordFolder(rmContainer, "subCategory"); + + // Admin user has read/filing permissions on file plan, transfer, hold, unfiled records, root categories, sub categories, folders and records + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(transferContainer, RMPermissionModel.FILING)); 
+ assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(transferContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(holdContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(holdContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rmContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rmContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rmFolder, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rmFolder, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(recordOne, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(recordOne, RMPermissionModel.READ_RECORDS)); + + return null; + } + }, rmAdminName); + + // test user has read permissions on file plan, transfer, hold and unfiled records as the user will be added in the all records management roles + // which has read permissions on those nodes by default + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(filePlan, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, 
RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(transferContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(transferContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(holdContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(holdContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmFolder, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmFolder, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(recordOne, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(recordOne, RMPermissionModel.READ_RECORDS)); + + return null; + } + }, createTestUser()); + } + + public void testAddUserToContainers() + { + final NodeRef transferContainer = filePlanService.getTransferContainer(filePlan); + final NodeRef holdContainer = filePlanService.getHoldContainer(filePlan); + final NodeRef subCategory = rmService.createRecordFolder(rmContainer, "subCategory"); + + String user1 = 
createTestUser(); + filePlanPermissionService.setPermission(filePlan, user1, RMPermissionModel.FILING); + + // The user1 will just read and filing permissions on the file plan + // and read permissions on transfer, hold and unfiled records as the user will be in the all records management users role + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(transferContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(transferContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(holdContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(holdContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmFolder, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmFolder, RMPermissionModel.READ_RECORDS)); + + 
assertEquals(AccessStatus.DENIED, permissionService.hasPermission(recordOne, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(recordOne, RMPermissionModel.READ_RECORDS)); + + return null; + } + }, user1); + + String user2 = createTestUser(); + filePlanPermissionService.setPermission(unfiledContainer, user2, RMPermissionModel.FILING); + + // The user2 will just read permissions on file plan, transfer, hold + // and read and filing permissions on unfiled records container + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(filePlan, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(transferContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(transferContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(holdContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(holdContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmContainer, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmContainer, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory, RMPermissionModel.READ_RECORDS)); + + 
assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmFolder, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmFolder, RMPermissionModel.READ_RECORDS)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(recordOne, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(recordOne, RMPermissionModel.READ_RECORDS)); + + return null; + } + }, user2); + } + } From ab87aa6f54295ae9a5a270d2ee35af914d93c630 Mon Sep 17 00:00:00 2001 From: Tuna Aksoy Date: Wed, 15 Oct 2014 19:57:37 +0000 Subject: [PATCH 17/29] RM-1661 (Performance on setting permissions at a high category level) * Fixed failing unit tests git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88193 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../test/issue/RM1008Test.java | 152 +++++++++--------- 1 file changed, 77 insertions(+), 75 deletions(-) diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/issue/RM1008Test.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/issue/RM1008Test.java index ed09fba0ac..d1086fc6c9 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/issue/RM1008Test.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/issue/RM1008Test.java 
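Review bot: `subCategory` is created with `rmService.createRecordFolder(rmContainer, "subCategory")` in testFilePlanComponentInheritance, testRolesSetByDefault and testAddUserToContainers. The assertions described as covering sub categories therefore appear to run against a second record folder, so inheritance and the DENIED results for a real child category are not exercised. Creating the node with the category-creation call, presumably `filePlanService.createRecordCategory(rmContainer, "subCategory")` if that is available on this branch, would make the tests match their comments. In the last two tests the node creation and `filePlanPermissionService.setPermission(...)` also run outside `doTestInTransaction`. Which authority performs them depends on the base class setup, which is not visible here.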
@@ -40,44 +40,44 @@ import org.alfresco.util.GUID; /** * System test for RM-1008 - * + * * @author Roy Wetherall * @since 2.1 */ -public class RM1008Test extends BaseRMTestCase -{ +public class RM1008Test extends BaseRMTestCase +{ private String myUser; - + @Override protected void initServices() { super.initServices(); } - + @Override protected boolean isRecordTest() { return true; } - + @Override protected boolean isUserTest() { return true; } - + @Override protected void setupTestUsersImpl(NodeRef filePlan) { super.setupTestUsersImpl(filePlan); - + myUser = GUID.generate(); createPerson(myUser); filePlanRoleService.assignRoleToAuthority(filePlan, FilePlanRoleService.ROLE_USER, myUser); } - + public void testContainers() throws Exception - { + { doTestInTransaction(new Test() { @Override @@ -87,20 +87,20 @@ public class RM1008Test extends BaseRMTestCase assertNotNull(holdContainer); NodeRef transferContainer = filePlanService.getTransferContainer(filePlan); assertNotNull(transferContainer); - + Capability viewRecords = capabilityService.getCapability("ViewRecords"); assertNotNull(viewRecords); - + assertEquals(AccessStatus.ALLOWED, viewRecords.hasPermission(holdContainer)); assertEquals(AccessStatus.ALLOWED, viewRecords.hasPermission(transferContainer)); - + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(holdContainer, RMPermissionModel.FILING)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(transferContainer, RMPermissionModel.FILING)); - + return null; } }, rmAdminName); - + doTestInTransaction(new Test() { @Override 
@@ -110,23 +110,23 @@ public class RM1008Test extends BaseRMTestCase assertNotNull(holdContainer); NodeRef transferContainer = filePlanService.getTransferContainer(filePlan); assertNotNull(transferContainer); - + Capability viewRecords = capabilityService.getCapability("ViewRecords"); assertNotNull(viewRecords); - + assertEquals(AccessStatus.ALLOWED, viewRecords.hasPermission(holdContainer)); assertEquals(AccessStatus.ALLOWED, viewRecords.hasPermission(transferContainer)); - + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(holdContainer, RMPermissionModel.FILING)); assertEquals(AccessStatus.DENIED, permissionService.hasPermission(transferContainer, RMPermissionModel.FILING)); - + return null; } }, myUser); } - + public void testHold() - { + { final NodeRef hold = doTestInTransaction(new Test() { @Override @@ -138,7 +138,7 @@ public class RM1008Test extends BaseRMTestCase return holds.iterator().next(); } }, rmAdminName); - + doTestInTransaction(new Test() { @Override 
@@ -146,82 +146,83 @@ public class RM1008Test extends BaseRMTestCase { Capability viewRecords = capabilityService.getCapability("ViewRecords"); assertNotNull(viewRecords); - + assertEquals(AccessStatus.ALLOWED, viewRecords.hasPermission(hold)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(hold, RMPermissionModel.FILING)); - + return null; } }, rmAdminName); - + doTestInTransaction(new Test() { @Override public Void run() - { + { Capability viewRecords = capabilityService.getCapability("ViewRecords"); assertNotNull(viewRecords); - + assertEquals(AccessStatus.ALLOWED, viewRecords.hasPermission(hold)); assertEquals(AccessStatus.DENIED, permissionService.hasPermission(hold, RMPermissionModel.FILING)); - + return null; } }, myUser); - + doTestInTransaction(new Test() { @Override public Void run() { filePlanPermissionService.setPermission(filePlan, myUser, FILING); - + return null; } }, rmAdminName); - + doTestInTransaction(new Test() { @Override public Void run() - { + { Capability viewRecords = capabilityService.getCapability("ViewRecords"); assertNotNull(viewRecords); - + assertEquals(AccessStatus.ALLOWED, viewRecords.hasPermission(hold)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(hold, RMPermissionModel.FILING)); - + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(hold, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(hold, RMPermissionModel.FILING)); + return null; } }, myUser); - + doTestInTransaction(new Test() { @Override public Void run() { filePlanPermissionService.deletePermission(filePlan, myUser, FILING); - + return null; } }, rmAdminName); - + doTestInTransaction(new Test() { @Override public Void run() - { + { Capability viewRecords = capabilityService.getCapability("ViewRecords"); assertNotNull(viewRecords); - + assertEquals(AccessStatus.ALLOWED, viewRecords.hasPermission(hold)); assertEquals(AccessStatus.DENIED, 
permissionService.hasPermission(hold, RMPermissionModel.FILING)); - + return null; } }, myUser); } - + public void testTransfer() { final NodeRef transferFolder = doTestInTransaction(new Test() 
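Review bot: The last block of testHold can no longer detect whether `deletePermission` works. The expectation for `hold` after `setPermission(filePlan, myUser, FILING)` is now DENIED, and the block after `deletePermission` asserts the same DENIED, so it passes either way. The testTransfer hunk further down has the same shape for `transfer`. Asserting on the node the permission is applied to would keep the grant/revoke round trip covered: `assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.FILING));` after the set and the DENIED counterpart after the delete. A short comment stating that holds and transfers do not pick up FILING from the file plan would also explain why the expectations were changed rather than the code under test.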
@@ -235,39 +236,39 @@ public class RM1008Test extends BaseRMTestCase dsProps.put(PROP_DISPOSITION_AUTHORITY, "test"); dsProps.put(PROP_DISPOSITION_INSTRUCTIONS, "test"); dsProps.put(PROP_RECORD_LEVEL_DISPOSITION, false); - DispositionSchedule dispositionSchedule = dispositionService.createDispositionSchedule(transferCat, dsProps); - + DispositionSchedule dispositionSchedule = dispositionService.createDispositionSchedule(transferCat, dsProps); + Map adParams = new HashMap(3); adParams.put(PROP_DISPOSITION_ACTION_NAME, "cutoff"); adParams.put(PROP_DISPOSITION_DESCRIPTION, "test"); - adParams.put(PROP_DISPOSITION_PERIOD, "immediately|0"); - + adParams.put(PROP_DISPOSITION_PERIOD, "immediately|0"); + dispositionService.addDispositionActionDefinition(dispositionSchedule, adParams); - + adParams = new HashMap(3); adParams.put(PROP_DISPOSITION_ACTION_NAME, "transfer"); adParams.put(PROP_DISPOSITION_DESCRIPTION, "test"); - adParams.put(PROP_DISPOSITION_PERIOD, "immediately|0"); - + adParams.put(PROP_DISPOSITION_PERIOD, "immediately|0"); + dispositionService.addDispositionActionDefinition(dispositionSchedule, adParams); return rmService.createRecordFolder(transferCat, "transferFolder"); } }); - + final NodeRef transfer = doTestInTransaction(new Test() { @Override public NodeRef run() - { + { actionService.executeRecordsManagementAction(transferFolder, "cutoff"); actionService.executeRecordsManagementAction(transferFolder, "transfer"); - + NodeRef transferContainer = filePlanService.getTransferContainer(filePlan); List childAssocs = nodeService.getChildAssocs(transferContainer, ContentModel.ASSOC_CONTAINS, RegexQNamePattern.MATCH_ALL); - return childAssocs.get(0).getChildRef(); + return childAssocs.get(0).getChildRef(); } - + @Override public void test(NodeRef result) throws Exception { @@ -275,7 +276,7 @@ public class RM1008Test extends BaseRMTestCase assertEquals(TYPE_TRANSFER, nodeService.getType(result)); } }); - + doTestInTransaction(new Test() { @Override 
@@ -283,82 +284,83 @@ public class RM1008Test extends BaseRMTestCase { Capability viewRecords = capabilityService.getCapability("ViewRecords"); assertNotNull(viewRecords); - + assertEquals(AccessStatus.ALLOWED, viewRecords.hasPermission(transfer)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(transfer, RMPermissionModel.FILING)); - + return null; } }, rmAdminName); - + doTestInTransaction(new Test() { @Override public Void run() - { + { Capability viewRecords = capabilityService.getCapability("ViewRecords"); assertNotNull(viewRecords); - + assertEquals(AccessStatus.ALLOWED, viewRecords.hasPermission(transfer)); assertEquals(AccessStatus.DENIED, permissionService.hasPermission(transfer, RMPermissionModel.FILING)); - + return null; } }, myUser); - + doTestInTransaction(new Test() { @Override public Void run() { filePlanPermissionService.setPermission(filePlan, myUser, FILING); - + return null; } }, rmAdminName); - + doTestInTransaction(new Test() { @Override public Void run() - { + { Capability viewRecords = capabilityService.getCapability("ViewRecords"); assertNotNull(viewRecords); - + assertEquals(AccessStatus.ALLOWED, viewRecords.hasPermission(transfer)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(transfer, RMPermissionModel.FILING)); - + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(transfer, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(transfer, RMPermissionModel.FILING)); + return null; } }, myUser); - + doTestInTransaction(new Test() { @Override public Void run() { filePlanPermissionService.deletePermission(filePlan, myUser, FILING); - + return null; } }, rmAdminName); - + doTestInTransaction(new Test() { @Override public Void run() - { + { Capability viewRecords = capabilityService.getCapability("ViewRecords"); assertNotNull(viewRecords); - + assertEquals(AccessStatus.ALLOWED, viewRecords.hasPermission(transfer)); 
assertEquals(AccessStatus.DENIED, permissionService.hasPermission(transfer, RMPermissionModel.FILING)); - + return null; } }, myUser); - + } } From 5a3c6a0f413cf4aa889e4d2beedd83f84835ab60 Mon Sep 17 00:00:00 2001 From: Tuna Aksoy Date: Thu, 16 Oct 2014 15:09:09 +0000 Subject: [PATCH 18/29] RM-1661 (Performance on setting permissions at a high category level) * Added unit tests git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88358 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../FilePlanPermissionServiceImplTest.java | 812 +++++++++++------- .../test/util/BaseRMTestCase.java | 20 +- 2 files changed, 536 insertions(+), 296 deletions(-) diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java index 1d48609319..ef8d4398b5 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java 
@@ -103,21 +103,21 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase } /** - * test set/delete permissions on file plan + * Test set/delete permissions on file plan */ public void testSetDeletePermissionFilePlan() throws Exception { String userName = createTestUser(); assertPermissions(userName, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.DENIED, // record read - AccessStatus.DENIED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file setPermission(filePlan, userName, RMPermissionModel.FILING); 
@@ -134,28 +134,28 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase deletePermission(filePlan, userName, RMPermissionModel.FILING); assertPermissions(userName, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.DENIED, // record read - AccessStatus.DENIED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file //what happens if we try and remove READ for a normal user on the file plan ??? deletePermission(filePlan, userName, RMPermissionModel.READ_RECORDS); // nothing .. user still has read on file plan .. only removing the user from all roles will remove read on file plan assertPermissions(userName, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.DENIED, // record read - AccessStatus.DENIED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file } /** 
@@ -166,38 +166,38 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase String userName = createTestUser(); assertPermissions(userName, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.DENIED, // record read - AccessStatus.DENIED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file setPermission(rmContainer, userName, RMPermissionModel.FILING); assertPermissions(userName, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.ALLOWED, // category read - AccessStatus.ALLOWED, // category file - AccessStatus.ALLOWED, // record folder read - AccessStatus.ALLOWED, // record folder file - AccessStatus.ALLOWED, // record read - AccessStatus.ALLOWED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // category read + AccessStatus.ALLOWED, // category file + AccessStatus.ALLOWED, // record folder read + AccessStatus.ALLOWED, // record folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file deletePermission(rmContainer, userName, RMPermissionModel.FILING); assertPermissions(userName, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.DENIED, // record read - AccessStatus.DENIED); // record file + 
AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file } /** 
@@ -208,38 +208,38 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase String userName = createTestUser(); assertPermissions(userName, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.DENIED, // record read - AccessStatus.DENIED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file setPermission(rmFolder, userName, RMPermissionModel.FILING); assertPermissions(userName, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.ALLOWED, // record folder read - AccessStatus.ALLOWED, // record folder file - AccessStatus.ALLOWED, // record read - AccessStatus.ALLOWED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.ALLOWED, // record folder read + AccessStatus.ALLOWED, // record folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file deletePermission(rmFolder, userName, RMPermissionModel.FILING); assertPermissions(userName, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.DENIED, // record read - AccessStatus.DENIED); // record file + 
AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file } /** 
@@ -250,38 +250,38 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase String userName = createTestUser(); assertPermissions(userName, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.DENIED, // record read - AccessStatus.DENIED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file setPermission(recordOne, userName, RMPermissionModel.FILING); assertPermissions(userName, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.ALLOWED, // record read - AccessStatus.ALLOWED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file deletePermission(recordOne, userName, RMPermissionModel.FILING); assertPermissions(userName, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.DENIED, // record read - AccessStatus.DENIED); // record file + 
AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file } public void testMoveRecord() throws Exception @@ -300,14 +300,15 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase }); assertPermissions(userOne, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.DENIED, // record read - AccessStatus.DENIED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + doTestInTransaction(new Test() { @Override 
@@ -318,15 +319,17 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }, userOne); + assertPermissions(userTwo, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.DENIED, // record read - AccessStatus.DENIED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + doTestInTransaction(new Test() { @Override @@ -337,15 +340,17 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }, userTwo); + assertPermissions(userThree, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.DENIED, // record read - AccessStatus.DENIED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + doTestInTransaction(new Test() { @Override 
@@ -362,14 +367,15 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase setPermission(recordOne, userThree, RMPermissionModel.FILING); assertPermissions(userOne, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.ALLOWED, // record folder read - AccessStatus.ALLOWED, // record folder file - AccessStatus.ALLOWED, // record read - AccessStatus.ALLOWED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.ALLOWED, // record folder read + AccessStatus.ALLOWED, // record folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file + doTestInTransaction(new Test() { @Override @@ -380,15 +386,17 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }, userOne); + assertPermissions(userTwo, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.DENIED, // record read - AccessStatus.DENIED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + doTestInTransaction(new Test() { @Override 
@@ -399,15 +407,17 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }, userTwo); + assertPermissions(userThree, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.ALLOWED, // record read - AccessStatus.ALLOWED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file + doTestInTransaction(new Test() { @Override @@ -431,14 +441,15 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase }); assertPermissions(userOne, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.ALLOWED, // record folder read - AccessStatus.ALLOWED, // record folder file - AccessStatus.DENIED, // record read - AccessStatus.DENIED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.ALLOWED, // record folder read + AccessStatus.ALLOWED, // record folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + doTestInTransaction(new Test() { @Override 
@@ -449,15 +460,17 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }, userOne); + assertPermissions(userTwo, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.ALLOWED, // record read - AccessStatus.ALLOWED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file + doTestInTransaction(new Test() { @Override @@ -468,15 +481,17 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase return null; } }, userTwo); + assertPermissions(userThree, - AccessStatus.ALLOWED, // fileplan read - AccessStatus.DENIED, // fileplan file - AccessStatus.DENIED, // category read - AccessStatus.DENIED, // category file - AccessStatus.DENIED, // record folder read - AccessStatus.DENIED, // record folder file - AccessStatus.ALLOWED, // record read - AccessStatus.ALLOWED); // record file + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.DENIED, // category read + AccessStatus.DENIED, // category file + AccessStatus.DENIED, // record folder read + AccessStatus.DENIED, // record folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file + doTestInTransaction(new Test() { @Override @@ -490,7 +505,6 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase } - /** * Helper to assert permissions for passed user */ 
@@ -521,6 +535,52 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase }, userName); } + /** + * Helper to assert permissions for the passed user + */ + private void assertPermissionsWithInheritance( + final String userName, + final NodeRef subCategory, + final NodeRef folder, + final NodeRef record, + final AccessStatus ... accessStatus) + { + assertEquals(16, accessStatus.length); + + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(accessStatus[0], permissionService.hasPermission(filePlan, RMPermissionModel.READ_RECORDS)); + assertEquals(accessStatus[1], permissionService.hasPermission(filePlan, RMPermissionModel.FILING)); + + assertEquals(accessStatus[2], permissionService.hasPermission(transfersContainer, RMPermissionModel.READ_RECORDS)); + assertEquals(accessStatus[3], permissionService.hasPermission(transfersContainer, RMPermissionModel.FILING)); + + assertEquals(accessStatus[4], permissionService.hasPermission(holdsContainer, RMPermissionModel.READ_RECORDS)); + assertEquals(accessStatus[5], permissionService.hasPermission(holdsContainer, RMPermissionModel.FILING)); + + assertEquals(accessStatus[6], permissionService.hasPermission(unfiledContainer, RMPermissionModel.READ_RECORDS)); + assertEquals(accessStatus[7], permissionService.hasPermission(unfiledContainer, RMPermissionModel.FILING)); + + assertEquals(accessStatus[8], permissionService.hasPermission(rmContainer, RMPermissionModel.READ_RECORDS)); + assertEquals(accessStatus[9], permissionService.hasPermission(rmContainer, RMPermissionModel.FILING)); + + assertEquals(accessStatus[10], permissionService.hasPermission(subCategory, RMPermissionModel.READ_RECORDS)); + assertEquals(accessStatus[11], permissionService.hasPermission(subCategory, RMPermissionModel.FILING)); + + assertEquals(accessStatus[12], permissionService.hasPermission(folder, RMPermissionModel.READ_RECORDS)); + assertEquals(accessStatus[13], permissionService.hasPermission(folder, 
RMPermissionModel.FILING)); + + assertEquals(accessStatus[14], permissionService.hasPermission(record, RMPermissionModel.READ_RECORDS)); + assertEquals(accessStatus[15], permissionService.hasPermission(record, RMPermissionModel.FILING)); + + return null; + } + }, userName); + } + public void testFilePlanComponentInheritance() { doTestInTransaction(new Test() 
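Review bot: The Javadoc on `assertPermissionsWithInheritance` does not state the order of the 16 positional statuses, and none of the `assertEquals` calls carries a message, so a failure in this permission matrix reports only expected/actual without naming the node or permission that regressed. The Javadoc should list the order the body checks: (read, file) pairs for file plan, transfers, holds, unfiled records, root category, sub category, folder, record. Each check can take a label, for example `assertEquals("unfiled container read", accessStatus[6], permissionService.hasPermission(unfiledContainer, RMPermissionModel.READ_RECORDS));`. With positional varargs, a swapped ALLOWED/DENIED pair at a call site is otherwise hard to spot in review.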
@@ -546,161 +606,331 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase public void testRolesSetByDefault() { - final NodeRef transferContainer = filePlanService.getTransferContainer(filePlan); - final NodeRef holdContainer = filePlanService.getHoldContainer(filePlan); - final NodeRef subCategory = rmService.createRecordFolder(rmContainer, "subCategory"); + NodeRef subCategory = filePlanService.createRecordCategory(rmContainer, "subCategory1"); + NodeRef folder = rmService.createRecordFolder(subCategory, "rmFolder1"); + NodeRef record = utils.createRecord(folder, "record1.txt"); // Admin user has read/filing permissions on file plan, transfer, hold, unfiled records, root categories, sub categories, folders and records - doTestInTransaction(new Test() - { - @Override - public Void run() - { - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.READ_RECORDS)); + assertPermissionsWithInheritance(rmAdminName, subCategory, folder, record, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.ALLOWED, // fileplan file + AccessStatus.ALLOWED, // transfer read + AccessStatus.ALLOWED, // transfer file + AccessStatus.ALLOWED, // holds read + AccessStatus.ALLOWED, // holds file + AccessStatus.ALLOWED, // unfiled records file + AccessStatus.ALLOWED, // unfiled records file + AccessStatus.ALLOWED, // root category read + AccessStatus.ALLOWED, // root category file + AccessStatus.ALLOWED, // sub category read + AccessStatus.ALLOWED, // sub category file + AccessStatus.ALLOWED, // folder read + AccessStatus.ALLOWED, // folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(transferContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(transferContainer, 
RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(holdContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(holdContainer, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rmContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rmContainer, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rmFolder, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rmFolder, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(recordOne, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(recordOne, RMPermissionModel.READ_RECORDS)); - - return null; - } - }, rmAdminName); - - // test user has read permissions on file plan, transfer, hold and unfiled records as the user will be added in the all records management roles + // Test user has read permissions on file plan, transfer, hold and unfiled records as the user will be added in the all records management roles // which has read permissions on those nodes by default - doTestInTransaction(new Test() - { - @Override - public Void run() - { - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(filePlan, RMPermissionModel.FILING)); - 
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(transferContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(transferContainer, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(holdContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(holdContainer, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmContainer, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory, RMPermissionModel.FILING)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmFolder, RMPermissionModel.FILING)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmFolder, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(recordOne, RMPermissionModel.FILING)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(recordOne, RMPermissionModel.READ_RECORDS)); - - return null; - } - }, createTestUser()); + assertPermissionsWithInheritance(createTestUser(), subCategory, folder, record, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // transfer read + AccessStatus.DENIED, // transfer 
file + AccessStatus.ALLOWED, // holds read + AccessStatus.DENIED, // holds file + AccessStatus.ALLOWED, // unfiled records file + AccessStatus.DENIED, // unfiled records file + AccessStatus.DENIED, // root category read + AccessStatus.DENIED, // root category file + AccessStatus.DENIED, // sub category read + AccessStatus.DENIED, // sub category file + AccessStatus.DENIED, // folder read + AccessStatus.DENIED, // folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file } public void testAddUserToContainers() { - final NodeRef transferContainer = filePlanService.getTransferContainer(filePlan); - final NodeRef holdContainer = filePlanService.getHoldContainer(filePlan); - final NodeRef subCategory = rmService.createRecordFolder(rmContainer, "subCategory"); + NodeRef subCategory = filePlanService.createRecordCategory(rmContainer, "subCategory2"); + NodeRef folder = rmService.createRecordFolder(subCategory, "rmFolder2"); + NodeRef record = utils.createRecord(folder, "record2.txt"); + + // The user1 will have read permissions on the file plan + // and read permissions on transfer, hold and unfiled records as the user will be in the all records management users role + String user1 = createTestUser(); + setPermission(filePlan, user1, RMPermissionModel.READ_RECORDS); + assertPermissionsWithInheritance(user1, subCategory, folder, record, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // transfer read + AccessStatus.DENIED, // transfer file + AccessStatus.ALLOWED, // holds read + AccessStatus.DENIED, // holds file + AccessStatus.ALLOWED, // unfiled records file + AccessStatus.DENIED, // unfiled records file + AccessStatus.DENIED, // root category read + AccessStatus.DENIED, // root category file + AccessStatus.DENIED, // sub category read + AccessStatus.DENIED, // sub category file + AccessStatus.DENIED, // folder read + AccessStatus.DENIED, // folder file + AccessStatus.DENIED, // 
record read + AccessStatus.DENIED); // record file + + // The user2 will have read and filing permissions on the transfer container + // and read permissions on file plan, hold and unfiled records as the user will be in the all records management users role + String user2 = createTestUser(); + setPermission(transfersContainer, user2, RMPermissionModel.FILING); + assertPermissionsWithInheritance(user2, subCategory, folder, record, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // transfer read + AccessStatus.ALLOWED, // transfer file + AccessStatus.ALLOWED, // holds read + AccessStatus.DENIED, // holds file + AccessStatus.ALLOWED, // unfiled records file + AccessStatus.DENIED, // unfiled records file + AccessStatus.DENIED, // root category read + AccessStatus.DENIED, // root category file + AccessStatus.DENIED, // sub category read + AccessStatus.DENIED, // sub category file + AccessStatus.DENIED, // folder read + AccessStatus.DENIED, // folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + + // The user3 will have read permissions on file plan, transfer, hold and unfiled records + String user3 = createTestUser(); + setPermission(holdsContainer, user3, RMPermissionModel.READ_RECORDS); + assertPermissionsWithInheritance(user3, subCategory, folder, record, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // transfer read + AccessStatus.DENIED, // transfer file + AccessStatus.ALLOWED, // holds read + AccessStatus.DENIED, // holds file + AccessStatus.ALLOWED, // unfiled records file + AccessStatus.DENIED, // unfiled records file + AccessStatus.DENIED, // root category read + AccessStatus.DENIED, // root category file + AccessStatus.DENIED, // sub category read + AccessStatus.DENIED, // sub category file + AccessStatus.DENIED, // folder read + AccessStatus.DENIED, // folder file + AccessStatus.DENIED, // record read + 
AccessStatus.DENIED); // record file + + // The user4 will have read permissions on file plan, transfer, hold + // and read and filing permissions on unfiled records container + String user4 = createTestUser(); + setPermission(unfiledContainer, user4, RMPermissionModel.FILING); + assertPermissionsWithInheritance(user4, subCategory, folder, record, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // transfer read + AccessStatus.DENIED, // transfer file + AccessStatus.ALLOWED, // holds read + AccessStatus.DENIED, // holds file + AccessStatus.ALLOWED, // unfiled records file + AccessStatus.ALLOWED, // unfiled records file + AccessStatus.DENIED, // root category read + AccessStatus.DENIED, // root category file + AccessStatus.DENIED, // sub category read + AccessStatus.DENIED, // sub category file + AccessStatus.DENIED, // folder read + AccessStatus.DENIED, // folder file + AccessStatus.DENIED, // record read + AccessStatus.DENIED); // record file + + // The user5 will read permissions on the root category + // as the inheritance is turned on for the sub category the user will have also read permissions on sub category, folder and record + // and also read permissions on file plan, transfer, hold and unfiled records + String user5 = createTestUser(); + setPermission(rmContainer, user5, RMPermissionModel.READ_RECORDS); + assertPermissionsWithInheritance(user5, subCategory, folder, record, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // transfer read + AccessStatus.DENIED, // transfer file + AccessStatus.ALLOWED, // holds read + AccessStatus.DENIED, // holds file + AccessStatus.ALLOWED, // unfiled records file + AccessStatus.DENIED, // unfiled records file + AccessStatus.ALLOWED, // root category read + AccessStatus.DENIED, // root category file + AccessStatus.ALLOWED, // sub category read + AccessStatus.DENIED, // sub category file + AccessStatus.ALLOWED, 
// folder read + AccessStatus.DENIED, // folder file + AccessStatus.ALLOWED, // record read + AccessStatus.DENIED); // record file + + // The user6 will read and filing permissions on the sub category + // as the inheritance is turned on the user will have also read and filing permissions on folder and record + // and also read permissions on file plan, transfer, hold and unfiled records + String user6 = createTestUser(); + setPermission(subCategory, user6, RMPermissionModel.FILING); + assertPermissionsWithInheritance(user6, subCategory, folder, record, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // transfer read + AccessStatus.DENIED, // transfer file + AccessStatus.ALLOWED, // holds read + AccessStatus.DENIED, // holds file + AccessStatus.ALLOWED, // unfiled records file + AccessStatus.DENIED, // unfiled records file + AccessStatus.DENIED, // root category read + AccessStatus.DENIED, // root category file + AccessStatus.ALLOWED, // sub category read + AccessStatus.ALLOWED, // sub category file + AccessStatus.ALLOWED, // folder read + AccessStatus.ALLOWED, // folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file + + // The user7 will read permissions on the folder + // as the inheritance is turned on the user will have also read on record + // and also read permissions on file plan, transfer, hold and unfiled records + String user7 = createTestUser(); + setPermission(folder, user7, RMPermissionModel.READ_RECORDS); + assertPermissionsWithInheritance(user7, subCategory, folder, record, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // transfer read + AccessStatus.DENIED, // transfer file + AccessStatus.ALLOWED, // holds read + AccessStatus.DENIED, // holds file + AccessStatus.ALLOWED, // unfiled records file + AccessStatus.DENIED, // unfiled records file + AccessStatus.DENIED, // root category read + 
AccessStatus.DENIED, // root category file + AccessStatus.DENIED, // sub category read + AccessStatus.DENIED, // sub category file + AccessStatus.ALLOWED, // folder read + AccessStatus.DENIED, // folder file + AccessStatus.ALLOWED, // record read + AccessStatus.DENIED); // record file + + // The user8 will read and filing permissions on the record + // and also read permissions on file plan, transfer, hold and unfiled records + String user8 = createTestUser(); + setPermission(record, user8, RMPermissionModel.FILING); + assertPermissionsWithInheritance(user8, subCategory, folder, record, + AccessStatus.ALLOWED, // fileplan read + AccessStatus.DENIED, // fileplan file + AccessStatus.ALLOWED, // transfer read + AccessStatus.DENIED, // transfer file + AccessStatus.ALLOWED, // holds read + AccessStatus.DENIED, // holds file + AccessStatus.ALLOWED, // unfiled records file + AccessStatus.DENIED, // unfiled records file + AccessStatus.DENIED, // root category read + AccessStatus.DENIED, // root category file + AccessStatus.DENIED, // sub category read + AccessStatus.DENIED, // sub category file + AccessStatus.DENIED, // folder read + AccessStatus.DENIED, // folder file + AccessStatus.ALLOWED, // record read + AccessStatus.ALLOWED); // record file + } + + public void testAccessPermissionOnSingleRecordWithSeveralUsers() + { + final NodeRef subCategory = filePlanService.createRecordCategory(rmContainer, "subCategory3"); + final NodeRef folder = rmService.createRecordFolder(subCategory, "rmFolder3"); + final NodeRef record = utils.createRecord(folder, "record3.txt"); String user1 = createTestUser(); - filePlanPermissionService.setPermission(filePlan, user1, RMPermissionModel.FILING); + String user2 = createTestUser(); - // The user1 will just read and filing permissions on the file plan - // and read permissions on transfer, hold and unfiled records as the user will be in the all records management users role + setPermission(rmContainer, user1, RMPermissionModel.READ_RECORDS); 
+ + // user1 will have access to file plan, root category and because of inheritance sub category, folder and record doTestInTransaction(new Test() { @Override public Void run() { - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.FILING)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(transferContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(transferContainer, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(holdContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(holdContainer, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmContainer, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory, RMPermissionModel.FILING)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmFolder, RMPermissionModel.FILING)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmFolder, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(recordOne, RMPermissionModel.FILING)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(recordOne, RMPermissionModel.READ_RECORDS)); 
+ assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rmContainer, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(folder, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record, RMPermissionModel.READ_RECORDS)); return null; } }, user1); - String user2 = createTestUser(); - filePlanPermissionService.setPermission(unfiledContainer, user2, RMPermissionModel.FILING); - - // The user2 will just read permissions on file plan, transfer, hold - // and read and filing permissions on unfiled records container + // user2 will have access to file plan doTestInTransaction(new Test() { @Override public Void run() { - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(filePlan, RMPermissionModel.FILING)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(transferContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(transferContainer, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(holdContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(holdContainer, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmContainer, RMPermissionModel.FILING)); assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmContainer, 
RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory, RMPermissionModel.FILING)); assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmFolder, RMPermissionModel.FILING)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(rmFolder, RMPermissionModel.READ_RECORDS)); - - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(recordOne, RMPermissionModel.FILING)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(recordOne, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record, RMPermissionModel.READ_RECORDS)); return null; } }, user2); } + public void testDenyPermissionsOnRecordsWithSeveralUsers() + { + final NodeRef subCategory = filePlanService.createRecordCategory(rmContainer, "subCategory4"); + final NodeRef folder = rmService.createRecordFolder(subCategory, "rmFolder4"); + final NodeRef record4 = utils.createRecord(folder, "record4.txt"); + final NodeRef record5 = utils.createRecord(folder, "record5.txt"); + + String user1 = createTestUser(); + String user2 = createTestUser(); + + setPermission(rmContainer, user1, RMPermissionModel.READ_RECORDS); + setPermission(rmContainer, user2, RMPermissionModel.READ_RECORDS); + + permissionService.setInheritParentPermissions(record4, false); + permissionService.setInheritParentPermissions(record5, false); + + setPermission(record4, user1, RMPermissionModel.READ_RECORDS); + setPermission(record5, user1, RMPermissionModel.READ_RECORDS); + + // user1 will have access to file plan, root category and because of inheritance sub category, folder, record4 and record5 + doTestInTransaction(new Test() + { + @Override + public Void 
run() + { + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rmContainer, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(folder, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record4, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record5, RMPermissionModel.READ_RECORDS)); + + return null; + } + }, user1); + + // user2 will have access to file plan, root category and because of inheritance sub category and folder + // user2 won't have access to the records as the inheritance is set to false + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rmContainer, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(folder, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record4, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record5, RMPermissionModel.READ_RECORDS)); + + return null; + } + }, user2); + } } diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/util/BaseRMTestCase.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/util/BaseRMTestCase.java index 520b9b7d94..26adac22f5 100644 
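Review bot: In every `assertPermissionsWithInheritance` call in this hunk the seventh and eighth arguments are both commented `// unfiled records file`, but the helper checks `READ_RECORDS` on `unfiledContainer` at `accessStatus[6]`, so the first of the pair should read `AccessStatus.ALLOWED, // unfiled records read`. The labels are the only thing tying a position to a permission, so the duplicate makes the expected matrix easy to misread. In `testDenyPermissionsOnRecordsWithSeveralUsers` the comment attributes user1's access to record4 and record5 to inheritance, while the test disables inheritance on both records and grants `READ_RECORDS` directly. That comment would be more accurate as `// user1 reaches record4 and record5 through the permissions set directly on them`.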
--- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/util/BaseRMTestCase.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/util/BaseRMTestCase.java @@ -151,6 +151,8 @@ public abstract class BaseRMTestCase extends RetryingTransactionHelperTestCase protected DispositionSchedule dispositionSchedule; protected NodeRef rmFolder; protected NodeRef unfiledContainer; + protected NodeRef holdsContainer; + protected NodeRef transfersContainer; /** multi-hierarchy test data * @@ -295,7 +297,7 @@ public abstract class BaseRMTestCase extends RetryingTransactionHelperTestCase // Get the application context applicationContext = ApplicationContextHelper.getApplicationContext(CONFIG_LOCATIONS); utils = new CommonRMTestUtils(applicationContext); - + // Initialise the service beans initServices(); @@ -414,19 +416,19 @@ public abstract class BaseRMTestCase extends RetryingTransactionHelperTestCase freezeService.relinquish(hold); } } - + if (nodeService.exists(folder) == true) { // Delete the folder nodeService.deleteNode(folder); } - + if (siteService.getSite(siteId) != null) { // Delete the site siteService.deleteSite(siteId); } - + // delete the collaboration site (if required) if (isCollaborationSiteTest() == true && siteService.getSite(COLLABORATION_SITE_ID) != null) { @@ -480,6 +482,14 @@ public abstract class BaseRMTestCase extends RetryingTransactionHelperTestCase // unfiled container unfiledContainer = filePlanService.getUnfiledContainer(filePlan); assertNotNull(unfiledContainer); + + // holds container + holdsContainer = filePlanService.getHoldContainer(filePlan); + assertNotNull(holdsContainer); + + // transfers container + transfersContainer = filePlanService.getTransferContainer(filePlan); + assertNotNull(transfersContainer); } }, AuthenticationUtil.getSystemUserName()); } 
@@ -510,7 +520,7 @@ public abstract class BaseRMTestCase extends RetryingTransactionHelperTestCase ContentModel.TYPE_FOLDER, containerProps).getChildRef(); assertNotNull("Could not create base folder", folder); - + permissionService.setPermission(folder, "rmadmin", PermissionService.WRITE, true); permissionService.setPermission(folder, "rmadmin", PermissionService.ADD_CHILDREN, true); From 3a550eb89719ec1aec23304cdf8a0eb124a3ee04 Mon Sep 17 00:00:00 2001 From: Tuna Aksoy Date: Fri, 17 Oct 2014 18:25:41 +0000 Subject: [PATCH 19/29] RM-1742 (Locally Set Permissions for moved Record duplicate parent folder Locally Set Permissions) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88685 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../FilePlanPermissionServiceImpl.java | 25 ++++++++----------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java index aa6391f52a..dd0e9ea9f4 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java 
@@ -361,25 +361,22 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl public Void doWork() { NodeRef record = sourceAssocRef.getChildRef(); - if (nodeService.exists(record) == true && nodeService.hasAspect(record, ASPECT_RECORD) == true) + if (nodeService.exists(record) && nodeService.hasAspect(record, ASPECT_RECORD)) { Set keepPerms = new HashSet(5); - - // record any permissions specifically set on the record (ie any filling or record_file permisions not on the parent) - Set origionalParentPerms = permissionService.getAllSetPermissions(sourceAssocRef.getParentRef()); Set origionalRecordPerms= permissionService.getAllSetPermissions(record); - for (AccessPermission perm : origionalRecordPerms) + + for (AccessPermission recordPermission : origionalRecordPerms) { - if (ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) == false && - ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(perm.getAuthority()) == false) + String permission = recordPermission.getPermission(); + String authority = recordPermission.getAuthority(); + if ((RMPermissionModel.FILING.equals(permission) || RMPermissionModel.READ_RECORDS.equals(permission)) && + recordPermission.isSetDirectly() && + !ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(authority) && + !ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(authority)) { - if ((perm.getPermission().equals(RMPermissionModel.FILING) == true || - perm.getPermission().equals(RMPermissionModel.FILE_RECORDS) == true) && - origionalParentPerms.contains(perm) == false) - { - // then we can assume this is a permission we want to preserve - keepPerms.add(perm); - } + // then we can assume this is a permission we want to preserve + keepPerms.add(recordPermission); } } From cd3e693b65647b2f4575cf2af131c65c87c70cc3 Mon Sep 17 00:00:00 2001 
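Review bot: The rewritten filter in `doWork()` keeps every directly set `FILING` or `READ_RECORDS` entry without looking at its access status, so a directly set DENIED entry goes into `keepPerms` exactly like an ALLOWED one. The code that re-applies `keepPerms` is outside this hunk, but the hunk at -499 of PATCH 23/29 shows what appears to be this class's `setPermission` helper ending in `permissionService.setPermission(nodeRef, authority, permission, true)`; if the kept entries go back through it, a deny would return as an allow after the move. Carrying the status through the re-add would avoid that, for example `permissionService.setPermission(record, keeper.getAuthority(), keeper.getPermission(), keeper.getAccessStatus() == AccessStatus.ALLOWED);`. The same loop is copied into `onMoveNode` in PATCH 20/29 (hunk at -312), where the re-add through `setPermission(sourceCategory, keeper.getAuthority(), keeper.getPermission())` is visible. The condition also replaces `FILE_RECORDS` with `READ_RECORDS`, which the commit message does not mention; a one-line comment saying why would help.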
From: Tuna Aksoy Date: Fri, 17 Oct 2014 18:26:26 +0000 Subject: [PATCH 20/29] RM-1741 (Moved root category doesn't inherit permissions) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88686 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../FilePlanPermissionServiceImpl.java | 57 ++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java index dd0e9ea9f4..5f4071d235 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java @@ -34,6 +34,7 @@ import org.alfresco.repo.policy.Behaviour.NotificationFrequency; import org.alfresco.repo.policy.JavaBehaviour; import org.alfresco.repo.policy.PolicyComponent; import org.alfresco.repo.security.authentication.AuthenticationUtil; +import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork; import org.alfresco.service.cmr.repository.ChildAssociationRef; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeService; @@ -53,7 +54,8 @@ import org.apache.commons.logging.LogFactory; */ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl implements FilePlanPermissionService, - RecordsManagementModel + RecordsManagementModel, + NodeServicePolicies.OnMoveNodePolicy { /** Permission service */ protected PermissionService permissionService; 
@@ -82,6 +84,10 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
 NodeServicePolicies.OnCreateNodePolicy.QNAME,
 TYPE_RECORD_CATEGORY,
 new JavaBehaviour(this, "onCreateRMContainer", NotificationFrequency.TRANSACTION_COMMIT));
+ policyComponent.bindClassBehaviour(
+ NodeServicePolicies.OnMoveNodePolicy.QNAME,
+ TYPE_RECORD_CATEGORY,
+ new JavaBehaviour(this, "onMoveNode", NotificationFrequency.TRANSACTION_COMMIT));
 policyComponent.bindClassBehaviour(
 NodeServicePolicies.OnCreateNodePolicy.QNAME,
 TYPE_RECORD_FOLDER,
@@ -312,6 +318,55 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl }); } + /** + * @see org.alfresco.repo.node.NodeServicePolicies.OnMoveNodePolicy#onMoveNode(org.alfresco.service.cmr.repository.ChildAssociationRef, org.alfresco.service.cmr.repository.ChildAssociationRef) + */ + @Override + public void onMoveNode(final ChildAssociationRef oldChildAssocRef, final ChildAssociationRef newChildAssocRef) + { + AuthenticationUtil.runAs(new RunAsWork() + { + @Override + public Void doWork() throws Exception + { + NodeRef sourceCategory = oldChildAssocRef.getChildRef(); + boolean inheritParentPermissions = permissionService.getInheritParentPermissions(sourceCategory); + if (!inheritParentPermissions) + { + permissionService.setInheritParentPermissions(sourceCategory, true); + } + + Set keepPerms = new HashSet(5); + Set origionalCategoryPerms= permissionService.getAllSetPermissions(sourceCategory); + + for (AccessPermission categoryPermission : origionalCategoryPerms) + { + String permission = categoryPermission.getPermission(); + String authority = categoryPermission.getAuthority(); + if ((RMPermissionModel.FILING.equals(permission) || RMPermissionModel.READ_RECORDS.equals(permission)) && + categoryPermission.isSetDirectly() && + !ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(authority) && + !ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(authority)) + { + // then we can assume this is a permission we want to preserve + keepPerms.add(categoryPermission); + } + } + + // clear all existing permissions and start again + permissionService.deletePermissions(sourceCategory); + + // re-add keep'er permissions + for (AccessPermission keeper : keepPerms) + { + setPermission(sourceCategory, keeper.getAuthority(), keeper.getPermission()); + } + + return null; + } + }, AuthenticationUtil.getSystemUserName()); + } + /** * Initialise the record permissions for the given parent. * From f9a6ec3bdac0a67595e9f61882951428d84156a5 Mon Sep 17 00:00:00 2001 
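Review bot: `onMoveNode` turns inheritance on for every moved category and never looks at `newChildAssocRef`, so a category moved up to the file plan root would presumably start inheriting from the file plan, while the test added in PATCH 21/29 asserts that root categories have inheritance off. Deriving the flag from the new parent would cover both directions, for example `boolean intoCategory = TYPE_RECORD_CATEGORY.equals(nodeService.getType(newChildAssocRef.getParentRef()));` followed by `permissionService.setInheritParentPermissions(sourceCategory, intoCategory);` (an exact type match, so category subtypes would need a dictionary check instead). The handler is bound at TRANSACTION_COMMIT and, unlike the record-move `doWork()` in this file, does not check `nodeService.exists(sourceCategory)` first, so a category deleted later in the same transaction may reach `getInheritParentPermissions` as a missing node; `if (!nodeService.exists(sourceCategory)) { return null; }` at the top of `doWork()` would guard it.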
From: Tuna Aksoy Date: Fri, 17 Oct 2014 20:04:51 +0000 Subject: [PATCH 21/29] RM-1741 (Moved root category doesn't inherit permissions) * Unit test added git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88687 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../FilePlanPermissionServiceImplTest.java | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java index ef8d4398b5..071ad72aec 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java 
@@ -933,4 +933,77 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase } }, user2); } + + public void testMoveRootCategoryIntoAnotherRootCategory() + { + final NodeRef subCategory5 = filePlanService.createRecordCategory(filePlan, "subCategory5"); + final NodeRef subCategory6 = filePlanService.createRecordCategory(filePlan, "subCategory6"); + + assertFalse(permissionService.getInheritParentPermissions(subCategory5)); + assertFalse(permissionService.getInheritParentPermissions(subCategory6)); + + final String user1 = createTestUser(); + final String user2 = createTestUser(); + + setPermission(subCategory5, user1, RMPermissionModel.READ_RECORDS); + setPermission(subCategory6, user2, RMPermissionModel.FILING); + + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory5, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory5, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory6, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory6, RMPermissionModel.FILING)); + + return null; + } + }, user1); + + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory5, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory5, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory6, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory6, RMPermissionModel.FILING)); + + return null; + } + }, user2); + + doTestInTransaction(new Test() + { + @Override + public NodeRef run() throws Exception + { + return 
fileFolderService.move(subCategory5, subCategory6, null).getNodeRef(); + } + + @Override + public void test(final NodeRef movedSubCategory5) throws Exception + { + assertTrue(permissionService.getInheritParentPermissions(movedSubCategory5)); + assertFalse(permissionService.getInheritParentPermissions(subCategory6)); + + AuthenticationUtil.setFullyAuthenticatedUser(user1); + + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedSubCategory5, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(movedSubCategory5, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory6, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory6, RMPermissionModel.FILING)); + + AuthenticationUtil.setFullyAuthenticatedUser(user2); + + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedSubCategory5, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedSubCategory5, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory6, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory6, RMPermissionModel.FILING)); + } + }); + } } From b0040d26a441730bbf3874ac84a313e8ea26f118 Mon Sep 17 00:00:00 2001 From: Tuna Aksoy Date: Fri, 17 Oct 2014 21:10:09 +0000 Subject: [PATCH 22/29] RM-1742 (Locally Set Permissions for moved Record duplicate parent folder Locally Set Permissions) * Unit test added git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88688 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../FilePlanPermissionServiceImplTest.java | 201 +++++++++++++++--- 1 file changed, 175 insertions(+), 26 deletions(-) 
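Review bot: The `test()` callback switches the thread's identity with `AuthenticationUtil.setFullyAuthenticatedUser(user1)` and then `user2` and never restores the previous user, so whatever runs next on this thread (presumably teardown as well) runs as `user2`, and a permission assertion that passes or fails there no longer says anything about the intended user. The earlier blocks of this test already scope the identity with `doTestInTransaction(new Test() { ... }, user1)`, and the post-move checks can take the same form, one block per user. The `test()` callback of `testPermissionsForMovedRecord` in PATCH 22/29 (hunk at -981) has the same pattern with three users; PATCH 23/29 later in this series rewrites both.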
diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java index 071ad72aec..018edf4114 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java 
@@ -936,27 +936,27 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase public void testMoveRootCategoryIntoAnotherRootCategory() { - final NodeRef subCategory5 = filePlanService.createRecordCategory(filePlan, "subCategory5"); - final NodeRef subCategory6 = filePlanService.createRecordCategory(filePlan, "subCategory6"); + final NodeRef category5 = filePlanService.createRecordCategory(filePlan, "category5"); + final NodeRef category6 = filePlanService.createRecordCategory(filePlan, "category6"); - assertFalse(permissionService.getInheritParentPermissions(subCategory5)); - assertFalse(permissionService.getInheritParentPermissions(subCategory6)); + assertFalse(permissionService.getInheritParentPermissions(category5)); + assertFalse(permissionService.getInheritParentPermissions(category6)); final String user1 = createTestUser(); final String user2 = createTestUser(); - setPermission(subCategory5, user1, RMPermissionModel.READ_RECORDS); - setPermission(subCategory6, user2, RMPermissionModel.FILING); + setPermission(category5, user1, RMPermissionModel.READ_RECORDS); + setPermission(category6, user2, RMPermissionModel.FILING); doTestInTransaction(new Test() { @Override public Void run() { - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory5, RMPermissionModel.READ_RECORDS)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory5, RMPermissionModel.FILING)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory6, RMPermissionModel.READ_RECORDS)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory6, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category5, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category5, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category6, 
RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category6, RMPermissionModel.FILING)); return null; } @@ -967,10 +967,10 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase @Override public Void run() { - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory5, RMPermissionModel.READ_RECORDS)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory5, RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory6, RMPermissionModel.READ_RECORDS)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory6, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category5, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category5, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category6, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category6, RMPermissionModel.FILING)); return null; } 
@@ -981,28 +981,177 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase @Override public NodeRef run() throws Exception { - return fileFolderService.move(subCategory5, subCategory6, null).getNodeRef(); + return fileFolderService.move(category5, category6, null).getNodeRef(); } @Override - public void test(final NodeRef movedSubCategory5) throws Exception + public void test(final NodeRef movedCategory5) throws Exception { - assertTrue(permissionService.getInheritParentPermissions(movedSubCategory5)); - assertFalse(permissionService.getInheritParentPermissions(subCategory6)); + assertTrue(permissionService.getInheritParentPermissions(movedCategory5)); + assertFalse(permissionService.getInheritParentPermissions(category6)); AuthenticationUtil.setFullyAuthenticatedUser(user1); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedSubCategory5, RMPermissionModel.READ_RECORDS)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(movedSubCategory5, RMPermissionModel.FILING)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory6, RMPermissionModel.READ_RECORDS)); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(subCategory6, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedCategory5, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(movedCategory5, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category6, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category6, RMPermissionModel.FILING)); AuthenticationUtil.setFullyAuthenticatedUser(user2); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedSubCategory5, RMPermissionModel.READ_RECORDS)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedSubCategory5, 
RMPermissionModel.FILING)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory6, RMPermissionModel.READ_RECORDS)); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(subCategory6, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedCategory5, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedCategory5, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category6, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category6, RMPermissionModel.FILING)); + } + }); + } + + public void testPermissionsForMovedRecord() + { + final NodeRef category7 = filePlanService.createRecordCategory(filePlan, "category7"); + final NodeRef folder7 = rmService.createRecordFolder(category7, "rmFolder7"); + final NodeRef record7 = utils.createRecord(folder7, "record7.txt"); + + final NodeRef category8 = filePlanService.createRecordCategory(filePlan, "category8"); + final NodeRef folder8 = rmService.createRecordFolder(category8, "rmFolder8"); + final NodeRef record8 = utils.createRecord(folder8, "record8.txt"); + + final String user1 = createTestUser(); + final String user2 = createTestUser(); + final String user3 = createTestUser(); + + setPermission(folder7, user1, RMPermissionModel.FILING); + setPermission(record8, user2, RMPermissionModel.READ_RECORDS); + setPermission(category7, user3, RMPermissionModel.FILING); + + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category7, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(folder7, RMPermissionModel.READ_RECORDS)); + 
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(folder7, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record7, RMPermissionModel.FILING)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category8, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder8, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record8, RMPermissionModel.FILING)); + + return null; + } + }, user1); + + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category7, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder7, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record7, RMPermissionModel.FILING)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category8, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, 
permissionService.hasPermission(folder8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder8, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record8, RMPermissionModel.FILING)); + + return null; + } + }, user2); + + doTestInTransaction(new Test() + { + @Override + public Void run() + { + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category7, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(folder7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(folder7, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record7, RMPermissionModel.FILING)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category8, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder8, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record8, RMPermissionModel.FILING)); + + return null; + } + }, user3); + + doTestInTransaction(new Test() + { + @Override + public NodeRef run() throws Exception + { + return fileFolderService.move(record8, folder7, 
null).getNodeRef(); + } + + @Override + public void test(final NodeRef movedRecord8) throws Exception + { + AuthenticationUtil.setFullyAuthenticatedUser(user1); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category7, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(folder7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(folder7, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record7, RMPermissionModel.FILING)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category8, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder8, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedRecord8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedRecord8, RMPermissionModel.FILING)); + + AuthenticationUtil.setFullyAuthenticatedUser(user2); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category7, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder7, RMPermissionModel.FILING)); + 
assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(record7, RMPermissionModel.FILING)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category8, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder8, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedRecord8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(movedRecord8, RMPermissionModel.FILING)); + + AuthenticationUtil.setFullyAuthenticatedUser(user3); + + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category7, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(folder7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(folder7, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record7, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(record7, RMPermissionModel.FILING)); + + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category8, RMPermissionModel.FILING)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.DENIED, 
permissionService.hasPermission(folder8, RMPermissionModel.FILING)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedRecord8, RMPermissionModel.READ_RECORDS)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedRecord8, RMPermissionModel.FILING)); } }); } From 64ee5aa1b7c2858bb35806042fc65ba35d7f4afe Mon Sep 17 00:00:00 2001 From: Tuna Aksoy Date: Mon, 20 Oct 2014 16:05:10 +0000 Subject: [PATCH 23/29] RM-1741 (Moved root category doesn't inherit permissions) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88772 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../FilePlanPermissionServiceImpl.java | 6 -- .../FilePlanPermissionServiceImplTest.java | 59 ++++++++++++++----- 2 files changed, 43 insertions(+), 22 deletions(-) diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java index 5f4071d235..bb8f10f399 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java @@ -499,12 +499,6 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl { if (canPerformPermissionAction(nodeRef)) { - if (RMPermissionModel.FILING.equals(permission)) - { - // Remove record read permission before adding filing permission - permissionService.deletePermission(nodeRef, authority, RMPermissionModel.READ_RECORDS); - } - // Set the permission on the node permissionService.setPermission(nodeRef, authority, permission, true); } 
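Review bot: `testPermissionsForMovedRecord` never sets a permission on the source folder `folder8` or on `category8`, so the case named in the commit title, a moved record picking up the old parent folder's locally set permissions, is not exercised. Every user is already DENIED on `folder8` before the move, so there is nothing that could be carried over by mistake and the test would pass with or without the fix for that path. Adding a fourth user with `setPermission(folder8, user4, RMPermissionModel.FILING);` and asserting `AccessStatus.DENIED` for `user4` on `movedRecord8` after the move would pin the behaviour. If deny entries are used on records, a directly set DENIED entry on `record8` would be worth a case as well.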
diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java index 018edf4114..2a8ddf488f 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java 
@@ -976,35 +976,45 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase } }, user2); - doTestInTransaction(new Test() + final NodeRef movedCategory5 = doTestInTransaction(new Test() { @Override public NodeRef run() throws Exception { return fileFolderService.move(category5, category6, null).getNodeRef(); } + }); + assertTrue(permissionService.getInheritParentPermissions(movedCategory5)); + assertFalse(permissionService.getInheritParentPermissions(category6)); + + doTestInTransaction(new Test() + { @Override - public void test(final NodeRef movedCategory5) throws Exception + public Void run() { - assertTrue(permissionService.getInheritParentPermissions(movedCategory5)); - assertFalse(permissionService.getInheritParentPermissions(category6)); - - AuthenticationUtil.setFullyAuthenticatedUser(user1); - assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedCategory5, RMPermissionModel.READ_RECORDS)); assertEquals(AccessStatus.DENIED, permissionService.hasPermission(movedCategory5, RMPermissionModel.FILING)); assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category6, RMPermissionModel.READ_RECORDS)); assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category6, RMPermissionModel.FILING)); - AuthenticationUtil.setFullyAuthenticatedUser(user2); + return null; + } + }, user1); + doTestInTransaction(new Test() + { + @Override + public Void run() + { assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedCategory5, RMPermissionModel.READ_RECORDS)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedCategory5, RMPermissionModel.FILING)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category6, RMPermissionModel.READ_RECORDS)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category6, RMPermissionModel.FILING)); + + return null; } - }); + }, user2); } public void testPermissionsForMovedRecord() 
@@ -1094,19 +1104,20 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase } }, user3); - doTestInTransaction(new Test() + final NodeRef movedRecord8 = doTestInTransaction(new Test() { @Override public NodeRef run() throws Exception { return fileFolderService.move(record8, folder7, null).getNodeRef(); } + }); + doTestInTransaction(new Test() + { @Override - public void test(final NodeRef movedRecord8) throws Exception + public Void run() { - AuthenticationUtil.setFullyAuthenticatedUser(user1); - assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category7, RMPermissionModel.READ_RECORDS)); assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category7, RMPermissionModel.FILING)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(folder7, RMPermissionModel.READ_RECORDS)); @@ -1121,8 +1132,15 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedRecord8, RMPermissionModel.READ_RECORDS)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedRecord8, RMPermissionModel.FILING)); - AuthenticationUtil.setFullyAuthenticatedUser(user2); + return null; + } + }, user1); + doTestInTransaction(new Test() + { + @Override + public Void run() + { assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category7, RMPermissionModel.READ_RECORDS)); assertEquals(AccessStatus.DENIED, permissionService.hasPermission(category7, RMPermissionModel.FILING)); assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder7, RMPermissionModel.READ_RECORDS)); 
@@ -1137,8 +1155,15 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedRecord8, RMPermissionModel.READ_RECORDS)); assertEquals(AccessStatus.DENIED, permissionService.hasPermission(movedRecord8, RMPermissionModel.FILING)); - AuthenticationUtil.setFullyAuthenticatedUser(user3); + return null; + } + }, user2); + doTestInTransaction(new Test() + { + @Override + public Void run() + { assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category7, RMPermissionModel.READ_RECORDS)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category7, RMPermissionModel.FILING)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(folder7, RMPermissionModel.READ_RECORDS)); @@ -1152,7 +1177,9 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase assertEquals(AccessStatus.DENIED, permissionService.hasPermission(folder8, RMPermissionModel.FILING)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedRecord8, RMPermissionModel.READ_RECORDS)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedRecord8, RMPermissionModel.FILING)); + + return null; } - }); + }, user3); } } From ea939d8d9d763075ce6c4bc7201fe04df0be8d78 Mon Sep 17 00:00:00 2001 
From: Tuna Aksoy Date: Tue, 21 Oct 2014 17:23:20 +0000 Subject: [PATCH 24/29] RM-1661 (Performance on setting permissions at a high category level) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88860 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../extended-repository-context.xml | 65 +++++----- .../capability/RMPermissionModel.java | 38 ++++-- .../FilePlanPermissionServiceImpl.java | 12 +- .../impl/RMPermissionServiceImpl.java | 119 ++++++++++++++---- .../test/issue/RM804Test.java | 65 +++++----- .../FilePlanPermissionServiceImplTest.java | 58 +++++++++ .../service/FilePlanRoleServiceImplTest.java | 20 +-- 7 files changed, 269 insertions(+), 108 deletions(-) diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml index 3e8250673a..87a373e578 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml @@ -24,7 +24,7 @@ - + --> @@ -43,7 +43,7 @@ - + @@ -69,11 +69,11 @@ - + - + @@ -135,39 +135,42 @@ + + + - + - + - + - + - + - + - + - + - + - + @@ -177,33 +180,33 @@ - + - + - + - + - + - + - + - + @@ -218,16 +221,16 @@ false - + ${rm.rule.runasrmadmin} - - + + - + @@ -240,14 +243,14 @@ - + search - + @@ -258,11 +261,11 @@ ${spaces.store} - + true - - \ No newline at end of file + + \ No newline at end of file diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java index 50cc4ff0d9..4bc2c5db66 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java 
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java @@ -19,11 +19,12 @@ package org.alfresco.module.org_alfresco_module_rm.capability; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; +import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService; import org.alfresco.repo.security.permissions.impl.SimplePermissionReference; /** * Capability constants for the RM Permission Model - * + * * @author andyh */ public interface RMPermissionModel 
@@ -32,15 +33,34 @@ public interface RMPermissionModel public static final String FILING = "Filing"; public static final String READ_RECORDS = "ReadRecords"; public static final String FILE_RECORDS = "FileRecords"; - - // Roles - public static final String ROLE_NAME_USER = "User"; - public static final String ROLE_NAME_POWER_USER = "PowerUser"; - public static final String ROLE_NAME_SECURITY_OFFICER = "SecurityOfficer"; - public static final String ROLE_NAME_RECORDS_MANAGER = "RecordsManager"; - public static final String ROLE_NAME_ADMINISTRATOR = "Administrator"; - public static final String ROLE_ADMINISTRATOR = SimplePermissionReference.getPermissionReference(RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT, ROLE_NAME_ADMINISTRATOR).toString(); + // Roles + /** + * @deprecated as of 2.1.0.3, please use {@link FilePlanRoleService.ROLE_USER} instead + */ + @Deprecated + public static final String ROLE_NAME_USER = FilePlanRoleService.ROLE_USER; + /** + * @deprecated as of 2.1.0.3, please use {@link FilePlanRoleService.ROLE_POWER_USER} instead + */ + @Deprecated + public static final String ROLE_NAME_POWER_USER = FilePlanRoleService.ROLE_POWER_USER; + /** + * @deprecated as of 2.1.0.3, please use {@link FilePlanRoleService.ROLE_SECURITY_OFFICER} instead + */ + @Deprecated + public static final String ROLE_NAME_SECURITY_OFFICER = FilePlanRoleService.ROLE_SECURITY_OFFICER; + /** + * @deprecated as of 2.1.0.3, please use {@link FilePlanRoleService.ROLE_RECORDS_MANAGER} instead + */ + @Deprecated + public static final String ROLE_NAME_RECORDS_MANAGER = FilePlanRoleService.ROLE_RECORDS_MANAGER; + /** + * @deprecated as of 2.1.0.3, please use {@link FilePlanRoleService.ROLE_ADMIN} instead + */ + @Deprecated + public static final String ROLE_NAME_ADMINISTRATOR = FilePlanRoleService.ROLE_ADMIN; + public static final String ROLE_ADMINISTRATOR = SimplePermissionReference.getPermissionReference(RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT, 
FilePlanRoleService.ROLE_ADMIN).toString(); // Capability permissions diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java index bb8f10f399..22f6e3067c 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java @@ -467,11 +467,15 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl public Object doWork() { // set inheritance - permissionService.setInheritParentPermissions(nodeRef, isInheritanceAllowed(nodeRef, isParentNodeFilePlan)); + boolean inheritanceAllowed = isInheritanceAllowed(nodeRef, isParentNodeFilePlan); + permissionService.setInheritParentPermissions(nodeRef, inheritanceAllowed); - // set extended reader permissions - permissionService.setPermission(nodeRef, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true); - permissionService.setPermission(nodeRef, ExtendedWriterDynamicAuthority.EXTENDED_WRITER, RMPermissionModel.FILING, true); + if (!inheritanceAllowed) + { + // set extended reader permissions + permissionService.setPermission(nodeRef, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true); + permissionService.setPermission(nodeRef, ExtendedWriterDynamicAuthority.EXTENDED_WRITER, RMPermissionModel.FILING, true); + } return null; } diff --git a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java index aba0984bfd..9c1c263df3 100644 --- a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java 
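Review bot: The `{@link FilePlanRoleService.ROLE_USER}` references in the five new `@deprecated` Javadoc blocks use a dot before the member name, which Javadoc does not resolve as a field link; the member form is `{@link FilePlanRoleService#ROLE_USER}` (likewise `#ROLE_POWER_USER`, `#ROLE_SECURITY_OFFICER`, `#ROLE_RECORDS_MANAGER` and `#ROLE_ADMIN`). Since `ROLE_ADMINISTRATOR` is now built from `FilePlanRoleService.ROLE_ADMIN`, it is worth confirming that the constant still holds the literal `"Administrator"` used by the removed line, because the resulting permission reference string would otherwise change. The `FilePlanRoleService` values are not visible in this patch.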
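Review bot: With the new `if (!inheritanceAllowed)` guard in `doWork()`, a node that inherits no longer receives its own `EXTENDED_READER` and `EXTENDED_WRITER` entries, so extended readers and writers keep access only while an ancestor carries those entries and every node in between has inheritance on; nothing in this hunk checks that. The same two grants are also made by the `setInheritParentPermissions` override this commit adds to `RMPermissionServiceImpl` when inheritance is switched off, so if `permissionService` here is that implementation (not visible in the hunk) they are applied twice and one place could be dropped. The existing comment mentions only the reader; something like `// inheriting nodes get the extended reader/writer entries from the parent, so set them only when inheritance is off` would record the reasoning. The method that builds this work object lies outside the hunk.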
+++ b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java @@ -23,13 +23,20 @@ import java.util.Collections; import java.util.HashSet; import java.util.Set; +import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; +import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; +import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService; +import org.alfresco.module.org_alfresco_module_rm.security.ExtendedReaderDynamicAuthority; +import org.alfresco.module.org_alfresco_module_rm.security.ExtendedWriterDynamicAuthority; import org.alfresco.repo.cache.SimpleCache; import org.alfresco.repo.security.permissions.AccessControlEntry; import org.alfresco.repo.security.permissions.AccessControlList; import org.alfresco.service.cmr.repository.NodeRef; +import org.alfresco.service.cmr.security.AccessPermission; import org.alfresco.service.cmr.security.AccessStatus; +import org.alfresco.service.cmr.security.AuthorityType; import org.alfresco.service.cmr.security.PermissionService; import org.alfresco.util.PropertyCheck; import org.springframework.context.ApplicationEvent; @@ -39,7 +46,7 @@ import org.springframework.context.ApplicationEvent; * permission. *

* This is required for SOLR support. - * + * * @author Roy Wetherall */ public class RMPermissionServiceImpl extends PermissionServiceImpl @@ -47,7 +54,30 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl { /** Writers simple cache */ protected SimpleCache> writersCache; - + + /** File plan service */ + private FilePlanService filePlanService; + + /** + * Gets the file plan service + * + * @return the filePlanService + */ + public FilePlanService getFilePlanService() + { + return this.filePlanService; + } + + /** + * Sets the file plan service + * + * @param filePlanService the filePlanService to set + */ + public void setFilePlanService(FilePlanService filePlanService) + { + this.filePlanService = filePlanService; + } + /** * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setAnyDenyDenies(boolean) */ @@ -57,7 +87,7 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl super.setAnyDenyDenies(anyDenyDenies); writersCache.clear(); } - + /** * @param writersCache the writersCache to set */ 
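Review bot: The new `filePlanService` field added in the `@@ -47,7 +54,30 @@` hunk is dereferenced by `getAdminRole()` later in this commit, but nothing verifies that it was injected; `onBootstrap` in the `@@ -65,44 +95,44 @@` hunk checks only `writersCache`. Adding `PropertyCheck.mandatory(this, "filePlanService", filePlanService);` next to the existing check would turn a missing bean wiring into a startup failure instead of a `NullPointerException` on the first `setInheritParentPermissions` call. As far as this patch shows, the public `getFilePlanService()` getter is used only inside the class, so it could be private or replaced by direct field access.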
@@ -65,44 +95,44 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl { this.writersCache = writersCache; } - + /** * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#onBootstrap(org.springframework.context.ApplicationEvent) */ @Override protected void onBootstrap(ApplicationEvent event) { - super.onBootstrap(event); + super.onBootstrap(event); PropertyCheck.mandatory(this, "writersCache", writersCache); } - + /** * Override to deal with the possibility of hard coded permission checks in core code. - * + * * Note: Eventually we need to merge the RM permission model into the core to make this more rebust. - * + * * @see org.alfresco.repo.security.permissions.impl.ExtendedPermissionService#hasPermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String) */ @Override public AccessStatus hasPermission(NodeRef nodeRef, String perm) { AccessStatus acs = super.hasPermission(nodeRef, perm); - if (AccessStatus.DENIED.equals(acs) == true && + if (AccessStatus.DENIED.equals(acs) == true && PermissionService.READ.equals(perm) == true && nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT) == true) { return super.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS); } - else if (AccessStatus.DENIED.equals(acs) == true && + else if (AccessStatus.DENIED.equals(acs) == true && PermissionService.WRITE.equals(perm) == true && nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT) == true) { return super.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS); } - + return acs; } - + /** * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#canRead(java.lang.Long) */ @@ -111,8 +141,8 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl { Set authorities = getAuthorisations(); - // test denied - + // test denied + if(anyDenyDenies) { 
@@ -125,12 +155,12 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl return AccessStatus.DENIED; } } - + } // test acl readers Set aclReaders = getReaders(aclId); - + for(String auth : aclReaders) { if(authorities.contains(auth)) @@ -141,7 +171,7 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl return AccessStatus.DENIED; } - + /** * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#getReaders(java.lang.Long) */ @@ -159,7 +189,7 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl { return aclReaders; } - + HashSet assigned = new HashSet(); HashSet readers = new HashSet(); @@ -185,7 +215,7 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl /** * Override with check for RM read - * + * * @param aclId * @return */ @@ -219,12 +249,12 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl denied.add(authority); } } - + readersDeniedCache.put((Serializable)acl.getProperties(), denied); return denied; } - + /** * @see org.alfresco.repo.security.permissions.impl.ExtendedPermissionService#getWriters(java.lang.Long) */ @@ -241,7 +271,7 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl { return aclWriters; } - + HashSet assigned = new HashSet(); HashSet readers = new HashSet(); 
@@ -263,4 +293,49 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl writersCache.put((Serializable)acl.getProperties(), aclWriters); return aclWriters; } + + /** + * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setInheritParentPermissions(org.alfresco.service.cmr.repository.NodeRef, boolean) + */ + @Override + public void setInheritParentPermissions(final NodeRef nodeRef, boolean inheritParentPermissions) + { + if (nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) + { + final String adminRole = getAdminRole(nodeRef); + if (inheritParentPermissions) + { + Set accessPermissions = getAllSetPermissions(nodeRef); + for (AccessPermission accessPermission : accessPermissions) + { + String authority = accessPermission.getAuthority(); + String permission = accessPermission.getPermission(); + if (accessPermission.isSetDirectly() && + (RMPermissionModel.FILING.equals(permission) || RMPermissionModel.READ_RECORDS.equals(permission)) && + (ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(authority) || ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(authority)) || adminRole.equals(authority)) + { + // FIXME!!! 
+ //deletePermission(nodeRef, authority, permission); + } + } + } + else + { + setPermission(nodeRef, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true); + setPermission(nodeRef, ExtendedWriterDynamicAuthority.EXTENDED_WRITER, RMPermissionModel.FILING, true); + setPermission(nodeRef, adminRole, RMPermissionModel.FILING, true); + } + } + super.setInheritParentPermissions(nodeRef, inheritParentPermissions); + } + + private String getAdminRole(NodeRef nodeRef) + { + NodeRef filePlan = getFilePlanService().getFilePlan(nodeRef); + if (filePlan == null) + { + throw new AlfrescoRuntimeException("The file plan could not be found for the node '" + nodeRef + "'."); + } + return authorityService.getName(AuthorityType.GROUP, FilePlanRoleService.ROLE_ADMIN + filePlan.getId()); + } } diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/issue/RM804Test.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/issue/RM804Test.java index 7105d692ce..5f6b9c44ed 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/issue/RM804Test.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/issue/RM804Test.java @@ -19,6 +19,7 @@ package org.alfresco.module.org_alfresco_module_rm.test.issue; import org.alfresco.error.AlfrescoRuntimeException; +import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService; import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase; import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.site.SiteRole; 
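Review bot: In the `if` inside the `for` loop of `setInheritParentPermissions`, `&&` binds tighter than `||`, so `|| adminRole.equals(authority)` stands on its own and the condition is true for every entry of the admin role, whether or not it is set directly and whatever its permission. The body is currently only the commented-out `deletePermission` call under `// FIXME!!!`, so the inherit branch iterates `getAllSetPermissions(nodeRef)` without effect, but once the call is enabled unrelated admin-role entries would match. Grouping the authority test as `(EXTENDED_READER.equals(authority) || EXTENDED_WRITER.equals(authority) || adminRole.equals(authority))` would mirror what the `else` branch sets. The FIXME should say what blocks the deletion, or the no-op loop should be left out until that is resolved. `getAdminRole` has no Javadoc; a one-line comment stating that it returns the name of the file plan's administrator group would help.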
@@ -26,30 +27,30 @@ import org.alfresco.service.cmr.site.SiteRole; /** * Unit test for RM-804 .. site managers are able to delete file plans - * + * * @author Roy Wetherall * @since 2.1 */ -public class RM804Test extends BaseRMTestCase -{ +public class RM804Test extends BaseRMTestCase +{ @Override protected void initServices() { super.initServices(); } - + @Override protected boolean isCollaborationSiteTest() { return true; } - + @Override protected boolean isUserTest() { return true; } - + public void testUsersHaveDeletePermissionsOnFilePlan() throws Exception { // as rmuser @@ -59,29 +60,29 @@ public class RM804Test extends BaseRMTestCase public Void run() { assertEquals(AccessStatus.ALLOWED, capabilityService.getCapabilityAccessState(filePlan, "Delete")); - + return null; } }, "rmadmin"); - + doTestInTransaction(new Test() { @Override public Void run() { assertEquals(AccessStatus.ALLOWED, capabilityService.getCapabilityAccessState(filePlan, "Delete")); - + return null; } }, "admin"); - + doTestInTransaction(new Test() { @Override public Void run() { assertEquals(AccessStatus.ALLOWED, capabilityService.getCapabilityAccessState(filePlan, "Delete")); - + return null; } }, rmAdminName); @@ -92,23 +93,23 @@ public class RM804Test extends BaseRMTestCase public Void run() { assertEquals(AccessStatus.DENIED, capabilityService.getCapabilityAccessState(filePlan, "Delete")); - + return null; } }, rmUserName); - + doTestInTransaction(new Test() { @Override public Void run() { assertEquals(AccessStatus.DENIED, capabilityService.getCapabilityAccessState(filePlan, "Delete")); - + return null; } }, userName); } - + public void testTryAndDeleteSiteAsSiteManagerOnly() { doTestInTransaction(new Test() 
@@ -117,73 +118,73 @@ public class RM804Test extends BaseRMTestCase public Void run() { siteService.setMembership(siteId, userName, SiteRole.SiteManager.toString()); - + return null; } }, "admin"); - + doTestInTransaction(new FailureTest ( "Should not be able to delete site as a site manager only.", AlfrescoRuntimeException.class ) - { + { @Override public void run() throws Exception { siteService.deleteSite(siteId); - + } }, userName); - + // give the user a RM role (but not sufficient to delete the file plan node ref) doTestInTransaction(new Test() { @Override public Void run() { - filePlanRoleService.assignRoleToAuthority(filePlan, ROLE_NAME_USER, userName); - + filePlanRoleService.assignRoleToAuthority(filePlan, FilePlanRoleService.ROLE_USER, userName); + return null; } }, "admin"); - + doTestInTransaction(new FailureTest ( "Should not be able to delete site as a site manager with an RM role that doesn't have the capability.", AlfrescoRuntimeException.class ) - { + { @Override public void run() throws Exception { siteService.deleteSite(siteId); - + } }, userName); - + doTestInTransaction(new Test() { @Override public Void run() { - filePlanRoleService.assignRoleToAuthority(filePlan, ROLE_NAME_ADMINISTRATOR, userName); - + filePlanRoleService.assignRoleToAuthority(filePlan, FilePlanRoleService.ROLE_ADMIN, userName); + return null; } }, "admin"); - + doTestInTransaction(new Test() { @Override public Void run() { siteService.deleteSite(siteId); - + return null; } }, userName); - + } - + } diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java index 2a8ddf488f..88d74f1605 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java 
+++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java @@ -18,12 +18,20 @@ */ package org.alfresco.module.org_alfresco_module_rm.test.service; +import java.util.HashMap; +import java.util.Map; +import java.util.Set; + import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService; +import org.alfresco.module.org_alfresco_module_rm.security.ExtendedReaderDynamicAuthority; +import org.alfresco.module.org_alfresco_module_rm.security.ExtendedWriterDynamicAuthority; import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase; import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.service.cmr.repository.NodeRef; +import org.alfresco.service.cmr.security.AccessPermission; import org.alfresco.service.cmr.security.AccessStatus; +import org.alfresco.service.cmr.security.AuthorityType; import org.springframework.extensions.webscripts.GUID; /** 
@@ -1182,4 +1190,54 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase } }, user3); } + + public void testSpecialRoles() + { + final NodeRef category9 = filePlanService.createRecordCategory(filePlan, "category9"); + final NodeRef subCategory9 = filePlanService.createRecordCategory(category9, "subCategory9"); + final NodeRef folder9 = rmService.createRecordFolder(subCategory9, "rmFolder9"); + final NodeRef record9 = utils.createRecord(folder9, "record9.txt"); + + assertExistenceOfSpecialRolesAndPermissions(category9); + + assertExistenceOfSpecialRolesAndPermissions(subCategory9); + // After setting the permissions off the special roles should be still available as they will be added to the node automatically + permissionService.setInheritParentPermissions(subCategory9, false); + assertExistenceOfSpecialRolesAndPermissions(subCategory9); + permissionService.setInheritParentPermissions(subCategory9, true); + assertExistenceOfSpecialRolesAndPermissions(subCategory9); + + assertExistenceOfSpecialRolesAndPermissions(folder9); + permissionService.setInheritParentPermissions(folder9, false); + assertExistenceOfSpecialRolesAndPermissions(folder9); + permissionService.setInheritParentPermissions(folder9, true); + assertExistenceOfSpecialRolesAndPermissions(folder9); + + assertExistenceOfSpecialRolesAndPermissions(record9); + permissionService.setInheritParentPermissions(record9, false); + assertExistenceOfSpecialRolesAndPermissions(record9); + permissionService.setInheritParentPermissions(record9, true); + assertExistenceOfSpecialRolesAndPermissions(record9); + } + + private void assertExistenceOfSpecialRolesAndPermissions(NodeRef node) + { + Map accessPermissions = new HashMap(); + Set permissions = permissionService.getAllSetPermissions(node); + // FIXME!!! 
+ //assertEquals(3, permissions.size()); + + for (AccessPermission permission : permissions) + { + accessPermissions.put(permission.getAuthority(), permission.getPermission()); + } + + assertTrue(accessPermissions.containsKey(ExtendedReaderDynamicAuthority.EXTENDED_READER)); + assertEquals(RMPermissionModel.READ_RECORDS, accessPermissions.get(ExtendedReaderDynamicAuthority.EXTENDED_READER)); + assertTrue(accessPermissions.containsKey(ExtendedWriterDynamicAuthority.EXTENDED_WRITER)); + assertEquals(RMPermissionModel.FILING, accessPermissions.get(ExtendedWriterDynamicAuthority.EXTENDED_WRITER)); + String allRoles = authorityService.getName(AuthorityType.GROUP, FilePlanRoleService.ROLE_ADMIN + filePlan.getId()); + assertTrue(accessPermissions.containsKey(allRoles)); + assertEquals(RMPermissionModel.FILING, accessPermissions.get(allRoles)); + } } diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanRoleServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanRoleServiceImplTest.java index 1d6d8ee106..93bf5b2552 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanRoleServiceImplTest.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanRoleServiceImplTest.java @@ -107,9 +107,9 @@ public class FilePlanRoleServiceImplTest extends BaseRMTestCase { public Void run() { - Role role = filePlanRoleService.getRole(filePlan, ROLE_NAME_POWER_USER); + Role role = filePlanRoleService.getRole(filePlan, FilePlanRoleService.ROLE_POWER_USER); assertNotNull(role); - assertEquals(ROLE_NAME_POWER_USER, role.getName()); + assertEquals(FilePlanRoleService.ROLE_POWER_USER, role.getName()); role = filePlanRoleService.getRole(filePlan, "donkey"); assertNull(role); 
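Review bot: `assertExistenceOfSpecialRolesAndPermissions` collapses the `AccessPermission` set into a map keyed by authority, so when an authority has more than one entry the last one iterated wins and the `assertEquals` on the permission depends on set iteration order. It also ignores `getAccessStatus()` and `isSetDirectly()`, so a DENIED entry would satisfy the checks, and the calls made after `setInheritParentPermissions(node, true)` pass on inherited entries alone. Collecting authority/permission pairs for allowed entries and asserting membership, as sketched below (it needs `java.util.HashSet`), pins what the test name claims. The size assertion is left commented out under `// FIXME!!!`, and `testSpecialRoles` calls the services outside `doTestInTransaction`, unlike the other tests in this file.

```java
private void assertExistenceOfSpecialRolesAndPermissions(NodeRef node)
{
    // authority|permission pairs that are actually granted on the node
    Set<String> granted = new HashSet<String>();
    for (AccessPermission permission : permissionService.getAllSetPermissions(node))
    {
        if (AccessStatus.ALLOWED.equals(permission.getAccessStatus()))
        {
            granted.add(permission.getAuthority() + "|" + permission.getPermission());
        }
    }

    String adminRole = authorityService.getName(AuthorityType.GROUP, FilePlanRoleService.ROLE_ADMIN + filePlan.getId());
    assertTrue(granted.contains(ExtendedReaderDynamicAuthority.EXTENDED_READER + "|" + RMPermissionModel.READ_RECORDS));
    assertTrue(granted.contains(ExtendedWriterDynamicAuthority.EXTENDED_WRITER + "|" + RMPermissionModel.FILING));
    assertTrue(granted.contains(adminRole + "|" + RMPermissionModel.FILING));
}
```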
@@ -125,7 +125,7 @@ public class FilePlanRoleServiceImplTest extends BaseRMTestCase { public Void run() { - assertTrue(filePlanRoleService.existsRole(filePlan, ROLE_NAME_POWER_USER)); + assertTrue(filePlanRoleService.existsRole(filePlan, FilePlanRoleService.ROLE_POWER_USER)); assertFalse(filePlanRoleService.existsRole(filePlan, "donkey")); return null; 
@@ -184,33 +184,33 @@ public class FilePlanRoleServiceImplTest extends BaseRMTestCase assertNotNull(roles); assertEquals(1, roles.size()); - Set authorities = filePlanRoleService.getUsersAssignedToRole(filePlan, ROLE_NAME_RECORDS_MANAGER); + Set authorities = filePlanRoleService.getUsersAssignedToRole(filePlan, FilePlanRoleService.ROLE_RECORDS_MANAGER); assertNotNull(authorities); assertEquals(1, authorities.size()); - authorities = filePlanRoleService.getGroupsAssignedToRole(filePlan, ROLE_NAME_RECORDS_MANAGER); + authorities = filePlanRoleService.getGroupsAssignedToRole(filePlan, FilePlanRoleService.ROLE_RECORDS_MANAGER); assertNotNull(authorities); assertEquals(0, authorities.size()); - authorities = filePlanRoleService.getAllAssignedToRole(filePlan, ROLE_NAME_RECORDS_MANAGER); + authorities = filePlanRoleService.getAllAssignedToRole(filePlan, FilePlanRoleService.ROLE_RECORDS_MANAGER); assertNotNull(authorities); assertEquals(1, authorities.size()); - filePlanRoleService.assignRoleToAuthority(filePlan, ROLE_NAME_RECORDS_MANAGER, rmUserName); + filePlanRoleService.assignRoleToAuthority(filePlan, FilePlanRoleService.ROLE_RECORDS_MANAGER, rmUserName); roles = filePlanRoleService.getRolesByUser(filePlan, rmUserName); assertNotNull(roles); assertEquals(2, roles.size()); - authorities = filePlanRoleService.getUsersAssignedToRole(filePlan, ROLE_NAME_RECORDS_MANAGER); + authorities = filePlanRoleService.getUsersAssignedToRole(filePlan, FilePlanRoleService.ROLE_RECORDS_MANAGER); assertNotNull(authorities); assertEquals(2, authorities.size()); - authorities = filePlanRoleService.getGroupsAssignedToRole(filePlan, ROLE_NAME_RECORDS_MANAGER); + authorities = filePlanRoleService.getGroupsAssignedToRole(filePlan, FilePlanRoleService.ROLE_RECORDS_MANAGER); assertNotNull(authorities); assertEquals(0, authorities.size()); - authorities = filePlanRoleService.getAllAssignedToRole(filePlan, ROLE_NAME_RECORDS_MANAGER); + authorities = 
filePlanRoleService.getAllAssignedToRole(filePlan, FilePlanRoleService.ROLE_RECORDS_MANAGER); assertNotNull(authorities); assertEquals(2, authorities.size()); From b4aefce9dfebfcfd1d833ab26cd23bfac0209a70 Mon Sep 17 00:00:00 2001 From: Tuna Aksoy Date: Tue, 21 Oct 2014 19:46:55 +0000 Subject: [PATCH 25/29] RM-1661 (Performance on setting permissions at a high category level) * Fixed failing unit tests git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88864 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../permissions/impl/RMPermissionServiceImpl.java | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java index 9c1c263df3..44e653ffe5 100644 --- a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java @@ -18,12 +18,13 @@ */ package org.alfresco.repo.security.permissions.impl; +import static org.apache.commons.lang.StringUtils.isNotBlank; + import java.io.Serializable; import java.util.Collections; import java.util.HashSet; import java.util.Set; -import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; 
@@ -300,9 +301,9 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl
 @Override
 public void setInheritParentPermissions(final NodeRef nodeRef, boolean inheritParentPermissions)
 {
- if (nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
+ final String adminRole = getAdminRole(nodeRef);
+ if (nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT) && isNotBlank(adminRole))
 {
- final String adminRole = getAdminRole(nodeRef);
 if (inheritParentPermissions)
 {
 Set accessPermissions = getAllSetPermissions(nodeRef);
@@ -331,11 +332,12 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl
 private String getAdminRole(NodeRef nodeRef)
 {
+ String adminRole = null;
 NodeRef filePlan = getFilePlanService().getFilePlan(nodeRef);
- if (filePlan == null)
+ if (filePlan != null)
 {
- throw new AlfrescoRuntimeException("The file plan could not be found for the node '" + nodeRef + "'.");
+ adminRole = authorityService.getName(AuthorityType.GROUP, FilePlanRoleService.ROLE_ADMIN + filePlan.getId());
 }
- return authorityService.getName(AuthorityType.GROUP, FilePlanRoleService.ROLE_ADMIN + filePlan.getId());
+ return adminRole;
 }
 }
From f8d808070f5fb806c6280777efb30e130a665036 Mon Sep 17 00:00:00 2001
From: Tuna Aksoy
Date: Wed, 22 Oct 2014 19:06:49 +0000
Subject: [PATCH 26/29] RM-1746 (Moved record/category always have the inheritance on)
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88959 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../security/FilePlanPermissionServiceImpl.java | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java
index 22f6e3067c..b5a1b14f3c 100644
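Review bot: In `setInheritParentPermissions` the added `getAdminRole(nodeRef)` call now runs before the aspect test, so every node, including ones without `ASPECT_FILE_PLAN_COMPONENT`, pays for a file plan lookup in a commit whose subject is permission-setting performance. The lookup can stay behind the aspect test with the same outcome: `final boolean rmNode = nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT);`, `final String adminRole = rmNode ? getAdminRole(nodeRef) : null;`, `if (isNotBlank(adminRole))`. A file plan component whose file plan cannot be resolved now skips this branch silently where the old code threw; the branch taken instead lies outside the hunk, so it should be checked that it is the intended handling for such a node and a short comment added saying so.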
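Review bot: `getAdminRole` now returns `null` when no file plan is found for the node, where it used to throw `AlfrescoRuntimeException`, and the method carries no documentation of that. The caller changed in this patch guards with `isNotBlank`, but any other caller in the class (not visible here) would receive `null` as an authority name. A Javadoc line such as `@return the admin role group name for the node's file plan, or null if no file plan could be found` would make the contract explicit.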
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.java
@@ -331,10 +331,6 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
 {
 NodeRef sourceCategory = oldChildAssocRef.getChildRef();
 boolean inheritParentPermissions = permissionService.getInheritParentPermissions(sourceCategory);
- if (!inheritParentPermissions)
- {
- permissionService.setInheritParentPermissions(sourceCategory, true);
- }
 Set keepPerms = new HashSet(5);
 Set origionalCategoryPerms= permissionService.getAllSetPermissions(sourceCategory);
@@ -362,6 +358,8 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
 setPermission(sourceCategory, keeper.getAuthority(), keeper.getPermission());
 }
+ permissionService.setInheritParentPermissions(sourceCategory, isFilePlan(newChildAssocRef.getParentRef()) ? false : inheritParentPermissions);
+
 return null;
 }
 }, AuthenticationUtil.getSystemUserName());
@@ -418,6 +416,8 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
 NodeRef record = sourceAssocRef.getChildRef();
 if (nodeService.exists(record) && nodeService.hasAspect(record, ASPECT_RECORD))
 {
+ boolean inheritParentPermissions = permissionService.getInheritParentPermissions(record);
+
 Set keepPerms = new HashSet(5);
 Set origionalRecordPerms= permissionService.getAllSetPermissions(record);
@@ -446,6 +446,8 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
 {
 setPermission(record, keeper.getAuthority(), keeper.getPermission());
 }
+
+ permissionService.setInheritParentPermissions(record, inheritParentPermissions);
 }
 return null;
From 6109a94cefcd247ad9092487610635510b0a499b Mon Sep 17 00:00:00 2001
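Review bot: The added `setInheritParentPermissions` call on `sourceCategory` carries the rule for whether a moved category inherits from its new parent, and the rule is written as `isFilePlan(...) ? false : inheritParentPermissions` with no comment. `!isFilePlan(newChildAssocRef.getParentRef()) && inheritParentPermissions` says the same thing directly, and a comment such as `// directly under the file plan a category never inherits; elsewhere it keeps the flag it had before the move` would record the intent. The hunks at -418 and -446 capture and write back the record's flag in the same way and would benefit from a matching comment. The surrounding block runs as the system user and begins outside the hunk, so the flag is set regardless of the caller's own rights on the node.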
From: Tuna Aksoy
Date: Wed, 22 Oct 2014 19:18:02 +0000
Subject: [PATCH 27/29] RM-1661 (Performance on setting permissions at a high category level) * Fixed failing unit tests
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88960 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../test/service/FilePlanPermissionServiceImplTest.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java
index 88d74f1605..bb10e4d5ea 100644
--- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java
+++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java
@@ -994,7 +994,7 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase
 });
 assertTrue(permissionService.getInheritParentPermissions(movedCategory5));
- assertFalse(permissionService.getInheritParentPermissions(category6));
+ assertTrue(permissionService.getInheritParentPermissions(category6));
 doTestInTransaction(new Test()
 {
From bd5fe7a3c8dd18c0eb4903d17608607267a56459 Mon Sep 17 00:00:00 2001
From: Tuna Aksoy
Date: Wed, 22 Oct 2014 19:21:45 +0000
Subject: [PATCH 28/29] RM-1661 (Performance on setting permissions at a high category level) * Fixed failing unit tests
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88961 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../test/service/FilePlanPermissionServiceImplTest.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
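Review bot: The expected inheritance state of `category6` after the move is switched here from `assertFalse` to `assertTrue` with no comment saying which outcome is intended, and the next two patches in the series change the same expectations again: the hunk at -993 turns both assertions into `assertFalse`, and the hunk at -1015 turns `AccessStatus.ALLOWED` into `DENIED` for `movedCategory5`, each under "Fixed failing unit tests". These assertions pin access-control behaviour, so the test should state the rule it checks instead of following the implementation. A comment above them, for example `// a category moved directly under the file plan stops inheriting; other moves keep the flag they had`, would do that, assuming this is the rule from the earlier patch; the test setup that decides it lies outside the hunk.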
diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java
index bb10e4d5ea..38e01ddb52 100644
--- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java
+++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java
@@ -993,8 +993,8 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase
 }
 });
- assertTrue(permissionService.getInheritParentPermissions(movedCategory5));
- assertTrue(permissionService.getInheritParentPermissions(category6));
+ assertFalse(permissionService.getInheritParentPermissions(movedCategory5));
+ assertFalse(permissionService.getInheritParentPermissions(category6));
 doTestInTransaction(new Test()
 {
From d93a041d7564906e37117b1d4f9938d146b26299 Mon Sep 17 00:00:00 2001
From: Tuna Aksoy
Date: Wed, 22 Oct 2014 19:48:32 +0000
Subject: [PATCH 29/29] RM-1661 (Performance on setting permissions at a high category level) * Fixed failing unit tests
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88962 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../test/service/FilePlanPermissionServiceImplTest.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java
index 38e01ddb52..2dac47fff4 100644
--- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java
+++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/FilePlanPermissionServiceImplTest.java
@@ -1015,8 +1015,8 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase
 @Override
 public Void run()
 {
- assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedCategory5, RMPermissionModel.READ_RECORDS));
- assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(movedCategory5, RMPermissionModel.FILING));
+ assertEquals(AccessStatus.DENIED, permissionService.hasPermission(movedCategory5, RMPermissionModel.READ_RECORDS));
+ assertEquals(AccessStatus.DENIED, permissionService.hasPermission(movedCategory5, RMPermissionModel.FILING));
 assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category6, RMPermissionModel.READ_RECORDS));
 assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(category6, RMPermissionModel.FILING));