From 6b674b414eee02199cba2cb73100d33904cb57f3 Mon Sep 17 00:00:00 2001 From: Roy Wetherall Date: Sat, 20 Oct 2012 02:17:49 +0000 Subject: [PATCH] RM-452: RM seurity context will break core Alfresco if Alfresco's public services change * ensure the '*' definition is at the end of the updated value * add missing method definitions git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.0@42897 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../security/rm-method-security.properties | 2 ++ .../RMMethodSecurityPostProcessor.java | 24 +++++++++++++++---- .../test/security/MethodSecurityTest.java | 22 ++++++++++++++--- 3 files changed, 41 insertions(+), 7 deletions(-) diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties b/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties index e62a9744be..b772166c4c 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties @@ -49,6 +49,7 @@ rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getChildAssocs rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getNodeRef=RM.Read.0 rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getChildAssocsByPropertyValue=RM.Read.0,AFTER_RM.FilterNode rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.countChildAssocs=RM.Read.0 +rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.setAssociations=RM_ALLOW rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.*=RM_DENY ## File Folder Service 
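Review bot: `NodeService.setAssociations=RM_ALLOW` gives a mutating call an unconditional allow, while the read methods beside it in this hunk are gated by `RM.Read.0` and everything unlisted falls through to `NodeService.*=RM_DENY`. If RM_ALLOW skips the RM vote, as its name suggests, association changes on records would be checked only by the core ACLs. I would either use a capability-based value or put a comment above the entry recording why no RM check is needed, e.g. `# setAssociations: RM check not required because <reason>`. The same question applies to `PermissionService.getReaders=RM_ALLOW` in the next hunk, which sits next to `setInheritParentPermissions` and `clearPermission`, both behind `RM.Capability.0`.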
@@ -175,6 +176,7 @@ rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setPermiss rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setInheritParentPermissions=RM.Capability.0 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getInheritParentPermissions=RM_ALLOW rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.clearPermission=RM.Capability.0 +rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getReaders=RM_ALLOW rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.*=RM_DENY # Ownable Service diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/RMMethodSecurityPostProcessor.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/RMMethodSecurityPostProcessor.java index e0279d2be1..65d1c319d3 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/RMMethodSecurityPostProcessor.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/RMMethodSecurityPostProcessor.java @@ -95,7 +95,7 @@ public class RMMethodSecurityPostProcessor implements BeanFactoryPostProcessor PropertyValue beanValue = beanDef.getPropertyValues().getPropertyValue(PROP_OBJECT_DEFINITION_SOURCE); String beanStringValue = (String)((TypedStringValue)beanValue.getValue()).getValue(); String mergedStringValue = merge(beanStringValue); - beanDef.getPropertyValues().addPropertyValue(PROP_OBJECT_DEFINITION_SOURCE, new TypedStringValue(mergedStringValue)); + beanDef.getPropertyValues().addPropertyValue(PROP_OBJECT_DEFINITION_SOURCE, new TypedStringValue(mergedStringValue)); } } } @@ -144,6 +144,7 @@ public class RMMethodSecurityPostProcessor implements BeanFactoryPostProcessor private String merge(String beanStringValue) { Map map = convertToMap(beanStringValue); + String allString = null; for (Map.Entry entry : map.entrySet()) { 
@@ -151,7 +152,14 @@ public class RMMethodSecurityPostProcessor implements BeanFactoryPostProcessor String propKey = PROPERTY_PREFIX + key; if (properties.containsKey(propKey) == true) { - map.put(key, entry.getValue() + "," + properties.getProperty(propKey)); + if (propKey.endsWith("*") == true) + { + allString = key + "=" + entry.getValue() + "," + properties.getProperty(propKey); + } + else + { + map.put(key, entry.getValue() + "," + properties.getProperty(propKey)); + } } else { @@ -162,7 +170,12 @@ public class RMMethodSecurityPostProcessor implements BeanFactoryPostProcessor } } - return convertToString(map); + String result = convertToString(map); + if (allString != null) + { + result = result + allString; + } + return result; } /** @@ -190,7 +203,10 @@ public class RMMethodSecurityPostProcessor implements BeanFactoryPostProcessor StringBuffer buffer = new StringBuffer(256); for (Map.Entry entry : map.entrySet()) { - buffer.append(entry.getKey()).append("=").append(entry.getValue()).append("\n"); + if (entry.getKey().endsWith("*") == false) + { + buffer.append(entry.getKey()).append("=").append(entry.getValue()).append("\n"); + } } return buffer.toString(); diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/security/MethodSecurityTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/security/MethodSecurityTest.java index f0693b44f3..99463636ae 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/security/MethodSecurityTest.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/security/MethodSecurityTest.java 
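Review bot: `allString` holds a single entry, so if the bean's definition source has more than one key ending in `*`, each match overwrites the previous one and only the last is appended to the result. The others disappear, because convertToString (last hunk of this file) now skips every `*` key. A wildcard key with no matching `rm.methodsecurity.` property takes the `else` branch, which is outside this hunk, and is dropped from the output in the same way unless that branch aborts. Whether a missing catch-all fails closed is not visible in this patch, so I would keep every merged value in the map and let convertToString do the ordering, writing specific entries first and wildcard entries last. The appended `allString` also lacks the trailing `"\n"` that every other entry gets. merge's loop begins and ends outside the hunk.

```java
// in merge(): every matched key, wildcard or not, stays in the map
map.put(key, entry.getValue() + "," + properties.getProperty(propKey));

// … unchanged: else branch, end of loop …

// in convertToString(): specific entries first, all wildcard entries last
StringBuffer buffer = new StringBuffer(256);
StringBuffer wildcards = new StringBuffer();
for (Map.Entry<String, String> entry : map.entrySet())
{
    StringBuffer target = entry.getKey().endsWith("*") ? wildcards : buffer;
    target.append(entry.getKey()).append("=").append(entry.getValue()).append("\n");
}
return buffer.append(wildcards).toString();
```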
@@ -18,11 +18,8 @@ */ package org.alfresco.module.org_alfresco_module_rm.test.security; -import java.net.URL; - import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase; -import org.apache.log4j.PropertyConfigurator; /** * Tests method level security of core alfresco services. @@ -78,4 +75,23 @@ public class MethodSecurityTest extends BaseRMTestCase implements RMPermissionMo }, rmUserName); } + + // TODO helper test that can be uncommented and used to show that methods that don't have + // security definitions are defaulting to RM_DENY +// public void testMissingMethodSecurity() +// { +// doTestInTransaction(new FailureTest +// ( +// "Should be denied since method level security is missing." +// ) +// { +// @Override +// public void run() +// { +// ((LockService)applicationContext.getBean("LockService")).getLockStatus(rmContainer); +// } +// +// }, rmAdminName); +// +// } }
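Review bot: The only check that a service method without a definition ends up at RM_DENY is added commented out in the last hunk, so the wildcard-ordering change in RMMethodSecurityPostProcessor ships without a test that runs. If uncommented as written it would probably not compile, since `LockService` is not among the imports left after the first hunk. I would enable it as a real test with the import added, choosing a method that is meant to stay undefined, or drop the commented block and track the gap in the issue. A short assertion on the merged string, that the `*` entry comes last and is still present, would cover the fix directly.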