inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-21 18:09:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged DEV to V4.2-BUG-FIX (4.2.1)

Browse Source 
57540: MNT-9883: Consumer can add document comments via API, bypasses UI security checks
    - Only users with 'AddChildren' permission can start discussions. 
   58305: MNT-9883: Consumer can add document comments via API, bypasses UI security checks
    - Add unit test 


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/V4.2-BUG-FIX/root@59106 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Pavel Yurke
2013-12-18 10:08:26 +00:00
parent e952aa3ef6
commit 76a27e1aa2
2 changed files with 107 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
source/java/org/alfresco/repo/web/scripts/comment/ScriptCommentService.java
View File

@@ -29,10 +29,13 @@ import org.alfresco.repo.jscript.Scopeable;
import org.alfresco.repo.jscript.ScriptNode;
import org.alfresco.repo.policy.BehaviourFilter;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
import org.alfresco.service.namespace.RegexQNamePattern;
@@ -51,11 +54,13 @@ public class ScriptCommentService extends BaseScopableProcessorExtension
private ServiceRegistry serviceRegistry;
private NodeService nodeService;
private BehaviourFilter behaviourFilter;
private PermissionService permissionService;
public void setServiceRegistry(ServiceRegistry serviceRegistry)
{
this.serviceRegistry = serviceRegistry;
this.nodeService = serviceRegistry.getNodeService();
this.permissionService = serviceRegistry.getPermissionService();
}
public void setBehaviourFilter(BehaviourFilter behaviourFilter)
@@ -66,7 +71,12 @@ public class ScriptCommentService extends BaseScopableProcessorExtension
public ScriptNode createCommentsFolder(ScriptNode node)
{
final NodeRef nodeRef = node.getNodeRef();
if (permissionService.hasPermission(nodeRef, PermissionService.ADD_CHILDREN) == AccessStatus.DENIED)
{
throw new AccessDeniedException("User '" + AuthenticationUtil.getFullyAuthenticatedUser() + "' doesn't have permission to create discussion on node '" + nodeRef + "'");
}
//Run as system user to allow Contributor create discussions
NodeRef commentsFolder = AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<NodeRef>()
{
public NodeRef doWork() throws Exception