From 6c5f524c113d50ad036106c5fc981c370ea017f5 Mon Sep 17 00:00:00 2001 From: Andrew Hind Date: Wed, 21 May 2008 11:14:22 +0000 Subject: [PATCH] Merged V2.9 to HEAD 9194:Merged V2.2 to V2.9 8557: Fix for WCM-1120 8580: Fix remainder of WCM-1120 git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@9200 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../impl/PermissionServiceImpl.java | 53 +++++++++++++------ 1 file changed, 38 insertions(+), 15 deletions(-) diff --git a/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java b/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java index 7f06065989..51e4db04e1 100644 --- a/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java +++ b/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java @@ -433,7 +433,13 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing { return doAvmCan(nodeRef, permIn); } - + + // Allow permissions for nodes that do not exist + if (!nodeService.exists(nodeRef)) + { + return AccessStatus.ALLOWED; + } + final PermissionReference perm; if (permIn.equals(OLD_ALL_PERMISSIONS_REFERENCE)) { @@ -443,10 +449,13 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing { perm = permIn; } - - // Allow permissions for nodes that do not exist - if (!nodeService.exists(nodeRef)) + if (AuthenticationUtil.getCurrentEffectiveUserName() == null) + { + return AccessStatus.DENIED; + } + + if (AuthenticationUtil.getCurrentEffectiveUserName().equals(AuthenticationUtil.getSystemUserName())) { return AccessStatus.ALLOWED; } @@ -469,16 +478,6 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing return hasPermission(properties.getId(), context, perm); } - if (AuthenticationUtil.getCurrentEffectiveUserName() == null) - { - return AccessStatus.DENIED; - } - - if (AuthenticationUtil.getCurrentEffectiveUserName().equals(AuthenticationUtil.getSystemUserName())) - { - return AccessStatus.ALLOWED; - } - // Get the current authentications // Use the smart authentication cache to improve permissions performance Authentication auth = AuthenticationUtil.getCurrentEffectiveAuthentication(); @@ -576,7 +575,31 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing { if (aclId == null) { - return AccessStatus.ALLOWED; + // Enforce store ACLs if set - the AVM default was to "allow" if there are no permissions set ... + if (context.getStoreAcl() == null) + { + return AccessStatus.ALLOWED; + } + else + { + if (AuthenticationUtil.getCurrentEffectiveUserName().equals(AuthenticationUtil.getSystemUserName())) + { + return AccessStatus.ALLOWED; + } + + Authentication auth = AuthenticationUtil.getCurrentEffectiveAuthentication(); + if (auth == null) + { + throw new IllegalStateException("Unauthenticated"); + } + Set storeAuthorisations = getAuthorisations(auth, (PermissionContext) null); + QName typeQname = context.getType(); + Set aspectQNames = context.getAspects(); + AclTest aclTest = new AclTest(permission, typeQname, aspectQNames); + boolean result = aclTest.evaluate(storeAuthorisations, context.getStoreAcl(), context); + AccessStatus status = result ? AccessStatus.ALLOWED : AccessStatus.DENIED; + return status; + } } if (permission == null)