mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-07-31 17:39:05 +00:00
MNT-15068: Merged V2.2 to V2.2.1.x
109401: RM-2391 : The Audit Log GET requests have to verify first which user is logged in and to which data it has access.
- Added capability checking to the AuditLog Get REST API. Added a unit test. Minor changes on the Share side to forward the forbidden status.
111064: RM-2391 :
- also check for the access audit capability on each node from the report
114786: RM-2391 :
- Implemented final fix and added a unit test.
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.2.1.x@115178 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Tatyana Valkevych
@@ -40,6 +40,7 @@ import org.alfresco.model.ContentModel;
|
||||
import org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction;
|
||||
import org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementActionService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.audit.event.AuditEvent;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
|
||||
import org.alfresco.repo.audit.AuditComponent;
|
||||
import org.alfresco.repo.audit.model.AuditApplication;
|
||||
@@ -62,6 +63,7 @@ import org.alfresco.service.cmr.repository.ContentWriter;
|
||||
import org.alfresco.service.cmr.repository.MLText;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.repository.NodeService;
|
||||
import org.alfresco.service.cmr.security.AccessStatus;
|
||||
import org.alfresco.service.namespace.NamespaceService;
|
||||
import org.alfresco.service.namespace.QName;
|
||||
import org.alfresco.service.transaction.TransactionService;
|
||||
@@ -98,6 +100,8 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
|
||||
/** Logger */
|
||||
private static Log logger = LogFactory.getLog(RecordsManagementAuditServiceImpl.class);
|
||||
|
||||
private static final String ACCESS_AUDIT_CAPABILITY = "AccessAudit";
|
||||
|
||||
private static final String KEY_RM_AUDIT_NODE_RECORDS = "RMAUditNodeRecords";
|
||||
|
||||
protected static final String RM_AUDIT_EVENT_LOGIN_SUCCESS = "Login.Success";
|
||||
@@ -179,6 +183,7 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
|
||||
private RecordsManagementActionService rmActionService;
|
||||
private FilePlanService filePlanService;
|
||||
private NamespaceService namespaceService;
|
||||
protected CapabilityService capabilityService;
|
||||
|
||||
private boolean shutdown = false;
|
||||
|
||||
@@ -270,6 +275,17 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
|
||||
{
|
||||
this.namespaceService = namespaceService;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param capabilityService capability service
|
||||
*/
|
||||
public void setCapabilityService(CapabilityService capabilityService)
|
||||
{
|
||||
this.capabilityService = capabilityService;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* @param ignoredAuditProperties
|
||||
@@ -904,6 +920,13 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
|
||||
// Skip it
|
||||
return true;
|
||||
}
|
||||
|
||||
if(nodeRef != null && nodeService.exists(nodeRef) &&
|
||||
!AccessStatus.ALLOWED.equals(
|
||||
capabilityService.getCapabilityAccessState(nodeRef, ACCESS_AUDIT_CAPABILITY)))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
// TODO: Refactor this to use the builder pattern
|
||||
RecordsManagementAuditEntry entry = new RecordsManagementAuditEntry(
|
||||
|
||||
@@ -21,9 +21,17 @@ package org.alfresco.module.org_alfresco_module_rm.script;
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
|
||||
import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditQueryParameters;
|
||||
import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService.ReportFormat;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
|
||||
import org.alfresco.repo.web.scripts.content.ContentStreamer;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.security.AccessStatus;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.springframework.extensions.webscripts.Status;
|
||||
import org.springframework.extensions.webscripts.WebScriptException;
|
||||
import org.springframework.extensions.webscripts.WebScriptRequest;
|
||||
import org.springframework.extensions.webscripts.WebScriptResponse;
|
||||
|
||||
@@ -39,9 +47,16 @@ public class AuditLogGet extends BaseAuditRetrievalWebScript
|
||||
private static Log logger = LogFactory.getLog(AuditLogGet.class);
|
||||
|
||||
private static final String PARAM_EXPORT = "export";
|
||||
private static final String ACCESS_AUDIT_CAPABILITY = "AccessAudit";
|
||||
|
||||
/** Content Streamer */
|
||||
protected ContentStreamer contentStreamer;
|
||||
|
||||
/** Capability service */
|
||||
protected CapabilityService capabilityService;
|
||||
|
||||
/** File plan service */
|
||||
protected FilePlanService filePlanService;
|
||||
|
||||
/**
|
||||
* @param contentStreamer
|
||||
@@ -50,6 +65,24 @@ public class AuditLogGet extends BaseAuditRetrievalWebScript
|
||||
{
|
||||
this.contentStreamer = contentStreamer;
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @param capabilityService Capability Service
|
||||
*/
|
||||
public void setCapabilityService(CapabilityService capabilityService)
|
||||
{
|
||||
this.capabilityService = capabilityService;
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @param capabilityService Capability Service
|
||||
*/
|
||||
public void setFilePlanService(FilePlanService filePlanService)
|
||||
{
|
||||
this.filePlanService = filePlanService;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void execute(WebScriptRequest req, WebScriptResponse res) throws IOException
|
||||
@@ -58,8 +91,16 @@ public class AuditLogGet extends BaseAuditRetrievalWebScript
|
||||
|
||||
try
|
||||
{
|
||||
|
||||
RecordsManagementAuditQueryParameters queryParams = parseQueryParameters(req);
|
||||
ReportFormat reportFormat = parseReportFormat(req);
|
||||
|
||||
if( !userCanAccessAudit(queryParams) )
|
||||
{
|
||||
throw new WebScriptException(Status.STATUS_FORBIDDEN, "Access denied because the user does not have the Access Audit capability");
|
||||
}
|
||||
// parse the parameters and get a file containing the audit trail
|
||||
auditTrail = this.rmAuditService.getAuditTrailFile(parseQueryParameters(req), parseReportFormat(req));
|
||||
auditTrail = this.rmAuditService.getAuditTrailFile(queryParams, reportFormat);
|
||||
|
||||
if (logger.isDebugEnabled())
|
||||
{
|
||||
@@ -101,4 +142,15 @@ public class AuditLogGet extends BaseAuditRetrievalWebScript
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private boolean userCanAccessAudit(RecordsManagementAuditQueryParameters queryParams)
|
||||
{
|
||||
NodeRef targetNode = queryParams.getNodeRef();
|
||||
if( targetNode == null )
|
||||
{
|
||||
targetNode = filePlanService.getFilePlanBySiteId(FilePlanService.DEFAULT_RM_SITE_ID);
|
||||
}
|
||||
return AccessStatus.ALLOWED.equals(
|
||||
capabilityService.getCapabilityAccessState(targetNode, ACCESS_AUDIT_CAPABILITY));
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user