From 6a8eeda7950fc00c834c408e103d08770f17c0e1 Mon Sep 17 00:00:00 2001
From: Tuna Aksoy
Date: Fri, 10 Jul 2015 15:50:55 +0000
Subject: [PATCH] RM-2388 (User without any clearance should not see the classify action)
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@108131 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../classified-content-context.xml | 2 ++
 .../rm-ui-evaluators-context.xml | 1 +
 .../SecurityClearanceService.java | 15 ++++++++++
 .../SecurityClearanceServiceImpl.java | 30 +++++++++++++++++++
 .../jscript/app/JSONConversionComponent.java | 16 ++++++++++
 .../SecurityClearanceServiceImplUnitTest.java | 26 +++++++++++++++-
 6 files changed, 89 insertions(+), 1 deletion(-)
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml
index 15cd6eecba..0d9fea42db 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml
@@ -178,6 +178,8 @@
 org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.isCurrentUserClearedForClassification=ACL_ALLOW
 org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.setUserSecurityClearance=ACL_ALLOW
 org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.getClearanceLevels=ACL_ALLOW
+ org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.hasCurrentUserClearance=ACL_ALLOW
+ org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.hasUserClearance=ACL_ALLOW
 org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService.*=ACL_DENY
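Review bot: The new `hasUserClearance=ACL_ALLOW` entry opens the by-user-id lookup to every caller, so any user who can reach the service can ask whether another named user holds a clearance. The UI change in this commit only needs the current-user variant (`hasCurrentUserClearance()` is the one called from JSONConversionComponent). Unless the implementation performs its own authorisation check, which is not visible in this patch, consider leaving `hasUserClearance` under the trailing `*=ACL_DENY` or giving it a restricted entry. `setUserSecurityClearance` is already `ACL_ALLOW` in the context lines, which hints that enforcement may live inside the service; that is worth confirming for the new read method too.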
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-ui-evaluators-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-ui-evaluators-context.xml
index 3723b0b490..f76d6c5c53 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-ui-evaluators-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-ui-evaluators-context.xml
@@ -18,6 +18,7 @@
+
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceService.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceService.java
index 48766faed1..1285968c1f 100644
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceService.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceService.java
@@ -74,4 +74,19 @@ public interface SecurityClearanceService
 * and therefore access to the most restricted documents).
 */
 List getClearanceLevels();
+
+ /**
+ * Checks if the current user has any clearance set
+ *
+ * @return true if the current user has a clearance set different than "No Clearance", false otherwise
+ */
+ boolean hasCurrentUserClearance();
+
+ /**
+ * Checks if the user with the given id has any clearance set
+ *
+ * @param userId {@link String} The user id
+ * @return true if the user with the given id has a clearance set different than "No Clearance", false otherwise
+ */
+ boolean hasUserClearance(String userId);
 }
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceServiceImpl.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceServiceImpl.java
index 1d6b7dea27..4f3ef06530 100644
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceServiceImpl.java
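Review bot: The Javadoc on `hasUserClearance(String userId)` does not say what happens for a blank or unknown user id, although the implementation in this patch rejects blank input through `checkNotBlank("userId", userId)`. Because this method feeds an access decision, the contract should state that a blank id is rejected with an exception rather than answered with `false`, and what a caller gets for a user that does not exist. The Javadoc on `hasCurrentUserClearance()` should also say which identity "current user" means, since the implementation resolves it with `getRunAsUser()`. Both are documentation-only additions to the two new Javadoc blocks.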
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceServiceImpl.java
@@ -18,8 +18,10 @@
 */
 package org.alfresco.module.org_alfresco_module_rm.classification;
+import static org.alfresco.module.org_alfresco_module_rm.classification.ClearanceLevelManager.NO_CLEARANCE;
 import static org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel.ASPECT_SECURITY_CLEARANCE;
 import static org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel.PROP_CLEARANCE_LEVEL;
+import static org.alfresco.module.org_alfresco_module_rm.util.RMParameterCheck.checkNotBlank;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -202,4 +204,32 @@ public class SecurityClearanceServiceImpl extends ServiceBaseImpl implements Sec
 List subList = allLevels.subList(targetIndex, allLevels.size());
 return Collections.unmodifiableList(subList);
 }
+
+ /**
+ * @see org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService#hasCurrentUserClearance()
+ */
+ @Override
+ public boolean hasCurrentUserClearance()
+ {
+ return hasUserClearance(authenticationUtil.getRunAsUser());
+ }
+
+ /**
+ * @see org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService#hasUserClearance(java.lang.String)
+ */
+ @Override
+ public boolean hasUserClearance(String userId)
+ {
+ checkNotBlank("userId", userId);
+
+ boolean hasUserClearance = false;
+
+ ClearanceLevel userCleranceLevel = getUserSecurityClearance(userId).getClearanceLevel();
+ if (userCleranceLevel != null && userCleranceLevel != NO_CLEARANCE)
+ {
+ hasUserClearance = true;
+ }
+
+ return hasUserClearance;
+ }
 }
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/jscript/app/JSONConversionComponent.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/jscript/app/JSONConversionComponent.java
index 63c98bc758..34bd4a4d93 100644
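Review bot: In `hasUserClearance`, the test `userCleranceLevel != NO_CLEARANCE` compares references, so a "No Clearance" level that arrives as a different instance from the `ClearanceLevelManager.NO_CLEARANCE` constant would be reported as a clearance and the check fails open. Unless every path through `getUserSecurityClearance` is guaranteed to hand back that exact constant (not visible in this hunk), prefer `if (userCleranceLevel != null && !NO_CLEARANCE.equals(userCleranceLevel))`, backed by a value-based `equals` on `ClearanceLevel`. The result of `getUserSecurityClearance(userId)` is also dereferenced without a null check. `hasCurrentUserClearance()` keys on `getRunAsUser()`, so inside a run-as block it would describe the run-as identity rather than the logged-in user; confirm that is intended. The local is misspelled `userCleranceLevel`.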
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/jscript/app/JSONConversionComponent.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/jscript/app/JSONConversionComponent.java
@@ -30,6 +30,7 @@ import org.alfresco.model.ContentModel;
 import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
 import org.alfresco.module.org_alfresco_module_rm.capability.impl.ViewRecordsCapability;
 import org.alfresco.module.org_alfresco_module_rm.classification.ContentClassificationService;
+import org.alfresco.module.org_alfresco_module_rm.classification.SecurityClearanceService;
 import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanComponentKind;
 import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
 import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
@@ -70,6 +71,7 @@ public class JSONConversionComponent extends org.alfresco.repo.jscript.app.JS
 private static final String IS_RECORD_CONTRIBUTOR_GROUP_ENABLED = "isRecordContributorGroupEnabled";
 private static final String RECORD_CONTRIBUTOR_GROUP_NAME = "recordContributorGroupName";
 public static final String IS_CLASSIFIED = "isClassified";
+ private static final String HAS_CURRENT_USER_CLEARANCE = "hasCurrentUserClearance";
 /** true if record contributor group is enabled, false otherwise */
 private boolean isRecordContributorsGroupEnabled = false;
@@ -95,6 +97,9 @@ public class JSONConversionComponent extends org.alfresco.repo.jscript.app.JS
 /** Content classification service */
 private ContentClassificationService contentClassificationService;
+ /** Security clearance service */
+ private SecurityClearanceService securityClearanceService;
+
 /** Indicators */
 private List indicators = new ArrayList();
@@ -174,6 +179,14 @@ public class JSONConversionComponent extends org.alfresco.repo.jscript.app.JS
 this.contentClassificationService = contentClassificationService;
 }
+ /**
+ * @param securityClearanceService the securityClearanceService to set
+ */
+ public void setSecurityClearanceService(SecurityClearanceService securityClearanceService)
+ {
+ this.securityClearanceService = securityClearanceService;
+ }
+
 /**
 * @param indicator registered indicator
 */
@@ -260,6 +273,9 @@ public class JSONConversionComponent extends org.alfresco.repo.jscript.app.JS
 // Is the node classified
 rootJSONObject.put(IS_CLASSIFIED, contentClassificationService.isClassified(nodeRef));
+ // Has current user clearance
+ rootJSONObject.put(HAS_CURRENT_USER_CLEARANCE, securityClearanceService.hasCurrentUserClearance());
+
 if (AccessStatus.ALLOWED.equals(capabilityService.getCapabilityAccessState(nodeRef, ViewRecordsCapability.NAME)))
 {
 // Indicate whether the node is a RM object or not
diff --git a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceServiceImplUnitTest.java b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceServiceImplUnitTest.java
index 6a5cdf9a23..312d09d72c 100644
--- a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceServiceImplUnitTest.java
+++ b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/classification/SecurityClearanceServiceImplUnitTest.java
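Review bot: The `hasCurrentUserClearance` value put into the node JSON is only a display hint that a client is free to ignore, so the classify action itself must still reject callers without clearance on the server; that enforcement is not part of this diff and should be confirmed. The new `put` also sits outside the `ViewRecordsCapability` check and runs for every node converted, so an exception from `securityClearanceService.hasCurrentUserClearance()`, or a missing bean injection, would fail the whole node response rather than just omit the flag. A comment on the new line such as `// UI hint only; the classify action is authorised server-side` would record the intent. The enclosing method starts and ends outside the hunk.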
@@ -20,6 +20,7 @@ package org.alfresco.module.org_alfresco_module_rm.classification;
 import static org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel.ASPECT_SECURITY_CLEARANCE;
 import static org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel.PROP_CLEARANCE_LEVEL;
+import static org.alfresco.util.GUID.generate;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
@@ -30,7 +31,6 @@ import static org.mockito.Mockito.when;
 import java.util.List;
-import com.google.common.collect.ImmutableList;
 import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationException.LevelIdNotFound;
 import org.alfresco.module.org_alfresco_module_rm.test.util.MockAuthenticationUtilHelper;
 import org.alfresco.module.org_alfresco_module_rm.util.AuthenticationUtil;
@@ -46,6 +46,8 @@ import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
+import com.google.common.collect.ImmutableList;
+
 /**
 * Unit tests for {@link SecurityClearanceServiceImpl}.
 *
@@ -300,4 +302,26 @@ public class SecurityClearanceServiceImplUnitTest
 assertEquals(mockClearanceLevels.get(1), restrictedClearanceLevels.get(0));
 assertEquals(mockClearanceLevels.get(2), restrictedClearanceLevels.get(1));
 }
+
+ @Test
+ public void hasUserClearance()
+ {
+ // Check if the current user has clearance
+ PersonInfo user1 = createMockPerson(generate(), generate(), generate(), null);
+ MockAuthenticationUtilHelper.setup(mockAuthenticationUtil, user1.getUserName());
+ assertFalse(securityClearanceServiceImpl.hasCurrentUserClearance());
+
+ // Check if a user with a given id has clearance
+ String user2 = generate();
+ String classificationLevelId = generate();
+ ClassificationLevel classificationLevel = new ClassificationLevel(classificationLevelId, generate());
+ ClearanceLevel clearanceLevel = new ClearanceLevel(classificationLevel, generate());
+
+ when(mockClearanceLevelManager.findLevelByClassificationLevelId(classificationLevelId)).thenReturn(clearanceLevel);
+
+ createMockPerson(user2, generate(), generate(), classificationLevelId);
+ MockAuthenticationUtilHelper.setup(mockAuthenticationUtil, user2);
+ assertTrue(securityClearanceServiceImpl.hasUserClearance(user2));
+ }
+
 }
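Review bot: The by-id assertion in `hasUserClearance()` runs right after `MockAuthenticationUtilHelper.setup(mockAuthenticationUtil, user2)`, so `user2` is both the argument and the current user, and the test cannot tell a lookup keyed on `userId` from one keyed on the session. Keep `user1` as the current user for that call, or additionally assert `assertFalse(securityClearanceServiceImpl.hasUserClearance(user1.getUserName()))` while `user2` is current. It is also not visible here whether the null-clearance person resolves to `NO_CLEARANCE` or to a null level, so add an explicit case stubbed to return `ClearanceLevelManager.NO_CLEARANCE` and assert false, which pins the branch the feature depends on. The blank-id path through `checkNotBlank` is untested as well.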