mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-07-31 17:39:05 +00:00
RM-982: Normal user can File and Reject record they declared.
* FileUnfiledRecords and RejectRecords are now assignable capabilities * by default Admin, Records Manager, Security Manager and Power User have them * they can be added and removed from custom or default roles via the management UI * capability patch updated accordingly * extedned get roles ReST API to include/exclude system roles * In-Place Reader and In-Place Writer roles capabilities are configurable again, but their users and groups are not (as intended) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@55935 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Roy Wetherall
@@ -101,7 +101,7 @@
|
||||
<ref bean="rmMoveRecordCategoryCapability"/>
|
||||
<ref bean="rmMoveRecordFolderCapability"/>
|
||||
<ref bean="rmMoveRecordsCapability"/>
|
||||
<ref bean="rmFileToRecordsCapability"/>
|
||||
<ref bean="rmFileUnfiledRecordsCapability"/>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
@@ -117,10 +117,10 @@
|
||||
<property name="targetCapability" ref="rmFileRecordsCapability" />
|
||||
</bean>
|
||||
|
||||
<bean id="rmFileToRecordsCapability"
|
||||
<bean id="rmFileUnfiledRecordsCapability"
|
||||
parent="declarativeCapability">
|
||||
<property name="name" value="FileToRecords"/>
|
||||
<property name="private" value="true" /> <!-- This is an unasingable capability, we reference an assignable one in the target -->
|
||||
<property name="name" value="FileUnfiledRecords"/>
|
||||
<property name="permission" value="FileUnfiledRecords"/>
|
||||
<property name="conditions">
|
||||
<map>
|
||||
<entry key="capabilityCondition.filling" value="true"/> <!-- Checks if the user has the filling capability -->
|
||||
@@ -128,7 +128,9 @@
|
||||
<entry key="capabilityCondition.recordFiled" value="false"/> <!-- Checks that the node hasn't been filed -->
|
||||
</map>
|
||||
</property>
|
||||
<property name="targetCapability" ref="rmFileRecordsCapability" /> <!-- Checks that the user has the correct capability on the destination folder -->
|
||||
<property name="targetCapability" ref="rmFileRecordsCapability" /> <!-- Checks that the user has the correct capability on the destination folder -->
|
||||
<property name="group"><ref bean="recordsGroup"/></property>
|
||||
<property name="index" value="41" />
|
||||
</bean>
|
||||
|
||||
<bean id="rmDeclareRecordsCapability"
|
||||
@@ -254,7 +256,7 @@
|
||||
<bean id="rmRejectRecordsCapability"
|
||||
parent="declarativeCapability">
|
||||
<property name="name" value="RejectRecords"/>
|
||||
<property name="private" value="true" />
|
||||
<property name="permission" value="RejectRecords"/>
|
||||
<property name="conditions">
|
||||
<map>
|
||||
<entry key="capabilityCondition.filling" value="true"/>
|
||||
@@ -265,6 +267,8 @@
|
||||
<entry key="capabilityCondition.recordFiled" value="false"/>
|
||||
</map>
|
||||
</property>
|
||||
<property name="group"><ref bean="recordsGroup"/></property>
|
||||
<property name="index" value="42" />
|
||||
</bean>
|
||||
|
||||
<bean id="rmHideRecordsCapability"
|
||||
|
||||
@@ -5,6 +5,8 @@ capability.ViewRecords.title=View Records
|
||||
capability.UndeclareRecords.title=Reopen Records
|
||||
capability.CreateRecords.title=Create Records
|
||||
capability.RequestRecordInformation.title=Request Record Information
|
||||
capability.RejectRecords=Reject Records
|
||||
capability.FileUnfiledRecords=File Unfiled Records
|
||||
|
||||
# Metadata Control
|
||||
capability.group.metadataControl.title=Metadata Control
|
||||
|
||||
@@ -84,6 +84,8 @@
|
||||
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ManageRules"/>
|
||||
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="RequestRecordInformation"/>
|
||||
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="FileDestructionReport"/>
|
||||
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="FileUnfiledRecords"/>
|
||||
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="RejectRecords"/>
|
||||
</permissionGroup>
|
||||
|
||||
<permissionGroup name="Filing" allowFullControl="false" expose="true">
|
||||
@@ -160,6 +162,8 @@
|
||||
<permissionGroup name="ManageRules" expose="false" allowFullControl="false"/>
|
||||
<permissionGroup name="RequestRecordInformation" expose="false" allowFullControl="false"/>
|
||||
<permissionGroup name="FileDestructionReport" expose="false" allowFullControl="false"/>
|
||||
<permissionGroup name="RejectRecords" expose="false" allowFullControl="false"/>
|
||||
<permissionGroup name="FileUnfiledRecords" expose="false" allowFullControl="false"/>
|
||||
|
||||
<!-- End -->
|
||||
|
||||
@@ -421,6 +425,14 @@
|
||||
<grantedToGroup permissionGroup="FileDestructionReport"/>
|
||||
</permission>
|
||||
|
||||
<permission name="_FileUnfiledRecords" expose="false">
|
||||
<grantedToGroup permissionGroup="FileUnfiledRecords"/>
|
||||
</permission>
|
||||
|
||||
<permission name="_RejectRecords" expose="false">
|
||||
<grantedToGroup permissionGroup="RejectRecords"/>
|
||||
</permission>
|
||||
|
||||
</permissionSet>
|
||||
|
||||
</permissions>
|
||||
@@ -807,10 +807,20 @@
|
||||
<property name="target" ref="reject"/>
|
||||
<property name="interceptorNames">
|
||||
<list>
|
||||
<idref bean="allow_security"/>
|
||||
<idref bean="reject_security"/>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="reject_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" parent="actionSecurity">
|
||||
<property name="objectDefinitionSource">
|
||||
<value>
|
||||
org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction.execute=RM_CAP.0.rma:filePlanComponent.RejectRecords
|
||||
org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction.*=RM_ALLOW
|
||||
org.alfresco.repo.action.executer.ActionExecuter.*=RM_ALLOW
|
||||
</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="reject" class="org.alfresco.module.org_alfresco_module_rm.action.impl.RejectAction" parent="rmAction">
|
||||
<property name="publicAction" value="true"/>
|
||||
@@ -822,10 +832,20 @@
|
||||
<property name="target" ref="fileTo"/>
|
||||
<property name="interceptorNames">
|
||||
<list>
|
||||
<idref bean="allow_security"/>
|
||||
<idref bean="fileTo_security"/>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="fileTo_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" parent="actionSecurity">
|
||||
<property name="objectDefinitionSource">
|
||||
<value>
|
||||
org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction.execute=RM_CAP.0.rma:filePlanComponent.FileUnfiledRecords
|
||||
org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction.*=RM_ALLOW
|
||||
org.alfresco.repo.action.executer.ActionExecuter.*=RM_ALLOW
|
||||
</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="fileTo" class="org.alfresco.module.org_alfresco_module_rm.action.impl.FileToAction" parent="rmAction">
|
||||
<property name="fileFolderService" ref="FileFolderService"/>
|
||||
|
||||
@@ -308,7 +308,7 @@
|
||||
<value>RECORD</value>
|
||||
</set>
|
||||
</property>
|
||||
<property name="capability" value="FileToRecords" />
|
||||
<property name="capability" value="FileUnfiledRecords" />
|
||||
</bean>
|
||||
|
||||
<bean id="jsonConversionComponent.file"
|
||||
|
||||
@@ -46,7 +46,9 @@
|
||||
"ReOpenFolders",
|
||||
"CycleVitalRecords",
|
||||
"PlanningReviewCycles",
|
||||
"RequestRecordInformation"
|
||||
"RequestRecordInformation",
|
||||
"FileUnfiledRecords",
|
||||
"RejectRecords"
|
||||
]
|
||||
},
|
||||
{
|
||||
@@ -67,7 +69,9 @@
|
||||
"ReOpenFolders",
|
||||
"CycleVitalRecords",
|
||||
"PlanningReviewCycles",
|
||||
"RequestRecordInformation"
|
||||
"RequestRecordInformation",
|
||||
"FileUnfiledRecords",
|
||||
"RejectRecords"
|
||||
]
|
||||
},
|
||||
{
|
||||
@@ -128,7 +132,9 @@
|
||||
"ExportAudit",
|
||||
"CreateModifyDestroyReferenceTypes",
|
||||
"RequestRecordInformation",
|
||||
"FileDestructionReport"
|
||||
"FileDestructionReport",
|
||||
"FileUnfiledRecords",
|
||||
"RejectRecords"
|
||||
]
|
||||
},
|
||||
{
|
||||
@@ -191,7 +197,9 @@
|
||||
"ManageAccessControls",
|
||||
"ManageRules",
|
||||
"RequestRecordInformation",
|
||||
"FileDestructionReport"
|
||||
"FileDestructionReport",
|
||||
"FileUnfiledRecords",
|
||||
"RejectRecords"
|
||||
]
|
||||
}
|
||||
]
|
||||
|
||||
@@ -9,11 +9,12 @@
|
||||
siteid - id of a RM site to take the file plan from
|
||||
user - only returns roles that this user is assigned to
|
||||
auths - if true, returns details of authorites directly assigned to the role. false by default.
|
||||
is - if true includes system roles in the results, otherwise excludes them. false by default.
|
||||
]]>
|
||||
</description>
|
||||
<url>/api/rma/admin/rmroles?user={user?}&auths={auths?}</url> <!-- NOTE: this URL should be considered as deprecated -->
|
||||
<url>/api/rma/admin/{store_type}/{store_id}/{id}/rmroles?user={user?}&auths={auths?}</url>
|
||||
<url>/api/rma/admin/{siteid}/rmroles?user={user?}&auths={auths?}</url>
|
||||
<url>/api/rma/admin/rmroles?user={user?}&auths={auths?}&is={is?}</url> <!-- NOTE: this URL should be considered as deprecated -->
|
||||
<url>/api/rma/admin/{store_type}/{store_id}/{id}/rmroles?user={user?}&auths={auths?}&is={is?}</url>
|
||||
<url>/api/rma/admin/{siteid}/rmroles?user={user?}&auths={auths?}&is={is?}</url>
|
||||
<format default="json">argument</format>
|
||||
<authentication>user</authentication>
|
||||
<transaction allow="readonly">required</transaction>
|
||||
|
||||
@@ -122,7 +122,19 @@ public class RMv21CapabilityPatch extends ModulePatchComponent
|
||||
addCapability(filePlan,
|
||||
"FileDestructionReport",
|
||||
FilePlanRoleService.ROLE_ADMIN,
|
||||
FilePlanRoleService.ROLE_RECORDS_MANAGER);
|
||||
FilePlanRoleService.ROLE_RECORDS_MANAGER);
|
||||
addCapability(filePlan,
|
||||
"RejectRecords",
|
||||
FilePlanRoleService.ROLE_ADMIN,
|
||||
FilePlanRoleService.ROLE_POWER_USER,
|
||||
FilePlanRoleService.ROLE_RECORDS_MANAGER,
|
||||
FilePlanRoleService.ROLE_SECURITY_OFFICER);
|
||||
addCapability(filePlan,
|
||||
"FileUnfiledRecords",
|
||||
FilePlanRoleService.ROLE_ADMIN,
|
||||
FilePlanRoleService.ROLE_POWER_USER,
|
||||
FilePlanRoleService.ROLE_RECORDS_MANAGER,
|
||||
FilePlanRoleService.ROLE_SECURITY_OFFICER);
|
||||
}
|
||||
|
||||
if (logger.isDebugEnabled() == true)
|
||||
|
||||
@@ -57,16 +57,24 @@ public class RmRolesGet extends RoleDeclarativeWebScript
|
||||
{
|
||||
throw new WebScriptException(Status.STATUS_FOUND, "File plan does not exist.");
|
||||
}
|
||||
|
||||
// get the includesystem parameter
|
||||
boolean includeSystem = false;
|
||||
String includeSystemValue = req.getParameter("is");
|
||||
if (includeSystemValue != null && includeSystemValue.length() != 0)
|
||||
{
|
||||
includeSystem = Boolean.parseBoolean(includeSystemValue);
|
||||
}
|
||||
|
||||
// get the user filter
|
||||
String user = req.getParameter("user");
|
||||
if (user != null && user.length() != 0)
|
||||
{
|
||||
roles = filePlanRoleService.getRolesByUser(filePlan, user, false);
|
||||
roles = filePlanRoleService.getRolesByUser(filePlan, user, includeSystem);
|
||||
}
|
||||
else
|
||||
{
|
||||
roles = filePlanRoleService.getRoles(filePlan, false);
|
||||
roles = filePlanRoleService.getRoles(filePlan, includeSystem);
|
||||
}
|
||||
|
||||
// get the auths parameter
|
||||
|
||||
@@ -83,7 +83,7 @@ public class FileToActionTest extends BaseRMTestCase
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.FILING));
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rmFolder, RMPermissionModel.FILING));
|
||||
|
||||
Capability capability = capabilityService.getCapability("FileToRecords");
|
||||
Capability capability = capabilityService.getCapability("FileUnfiledRecords");
|
||||
assertNotNull(capability);
|
||||
assertEquals(AccessStatus.ALLOWED, capability.hasPermission(dmDocument));
|
||||
|
||||
|
||||
Reference in New Issue
Block a user