Merged V2.9 to HEAD

9194:Merged V2.2 to V2.9
      8557: Fix for WCM-1120
      8580: Fix remainder of WCM-1120

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@9200 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java

@@ -434,6 +434,12 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
             return doAvmCan(nodeRef, permIn);
         }
 
+        // Allow permissions for nodes that do not exist
+        if (!nodeService.exists(nodeRef))
+        {
+            return AccessStatus.ALLOWED;
+        }
+
         final PermissionReference perm;
         if (permIn.equals(OLD_ALL_PERMISSIONS_REFERENCE))
         {
@@ -444,9 +450,12 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
             perm = permIn;
         }
         
+        if (AuthenticationUtil.getCurrentEffectiveUserName() == null)
+        {
+            return AccessStatus.DENIED;
+        }
 
-        // Allow permissions for nodes that do not exist
-        if (!nodeService.exists(nodeRef))
+        if (AuthenticationUtil.getCurrentEffectiveUserName().equals(AuthenticationUtil.getSystemUserName()))
         {
             return AccessStatus.ALLOWED;
         }
@@ -469,16 +478,6 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
             return hasPermission(properties.getId(), context, perm);
         }
 
-        if (AuthenticationUtil.getCurrentEffectiveUserName() == null)
-        {
-            return AccessStatus.DENIED;
-        }
-
-        if (AuthenticationUtil.getCurrentEffectiveUserName().equals(AuthenticationUtil.getSystemUserName()))
-        {
-            return AccessStatus.ALLOWED;
-        }
-
         // Get the current authentications
         // Use the smart authentication cache to improve permissions performance
         Authentication auth = AuthenticationUtil.getCurrentEffectiveAuthentication();
@@ -575,9 +574,33 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
     private AccessStatus hasPermission(Long aclId, PermissionContext context, PermissionReference permission)
     {
         if (aclId == null)
+        {
+            // Enforce store ACLs if set - the AVM default was to "allow" if there are no permissions set ...
+            if (context.getStoreAcl() == null)
             {
                 return AccessStatus.ALLOWED;
             }
+            else
+            {
+                if (AuthenticationUtil.getCurrentEffectiveUserName().equals(AuthenticationUtil.getSystemUserName()))
+                {
+                    return AccessStatus.ALLOWED;
+                }
+                
+                Authentication auth = AuthenticationUtil.getCurrentEffectiveAuthentication();
+                if (auth == null)
+                {
+                    throw new IllegalStateException("Unauthenticated");
+                }
+                Set<String> storeAuthorisations = getAuthorisations(auth, (PermissionContext) null);
+                QName typeQname = context.getType();
+                Set<QName> aspectQNames = context.getAspects();
+                AclTest aclTest = new AclTest(permission, typeQname, aspectQNames);
+                boolean result = aclTest.evaluate(storeAuthorisations, context.getStoreAcl(), context);
+                AccessStatus status = result ? AccessStatus.ALLOWED : AccessStatus.DENIED;
+                return status;
+            }
+        }
 
         if (permission == null)
         {