Merged HEAD (5.2) to 5.2.N (5.2.1)

126448 jkaabimofrad: Merged FILE-FOLDER-API (5.2.0) to HEAD (5.2) 122008 jvonka: (Quick) Shared Links API - limit @WebApiNoAuth to specific GET methods (not complete resource) RA-775, RA-750 git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@126793 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-14 17:58:59 +00:00 · 2016-05-11 11:21:10 +00:00
parent e6a946a443
commit 7cf61675a8
2 changed files with 35 additions and 5 deletions
--- a/source/java/org/alfresco/rest/api/impl/QuickShareLinksImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/QuickShareLinksImpl.java
@@ -125,12 +125,21 @@ public class QuickShareLinksImpl implements QuickShareLinks, InitializingBean
     * <p>
     * Note: does *not* require authenticated access for (public) shared link.
     */
-    public QuickShareLink readById(String sharedId, Parameters parameters)
+    public QuickShareLink readById(final String sharedId, Parameters parameters)
    {
        checkEnabled();

+        Pair<String, NodeRef> pair = quickShareService.getTenantNodeRefFromSharedId(sharedId);
+        String networkTenantDomain = pair.getFirst();
+
+        return TenantUtil.runAsSystemTenant(new TenantUtil.TenantRunAsWork<QuickShareLink>()
+        {
+            public QuickShareLink doWork() throws Exception
+            {
                return getQuickShareInfo(sharedId);
            }
+        }, networkTenantDomain);
+    }

    /**
     * Download content via shared link.
@@ -254,6 +263,7 @@ public class QuickShareLinksImpl implements QuickShareLinks, InitializingBean
            {
                // Note: this throws AccessDeniedException (=> 403) via QuickShareService (when NodeService tries to getAspects)
                QuickShareDTO qsDto = quickShareService.shareContent(nodeRef);
+
                result.add(getQuickShareInfo(qsDto.getId()));
            }
            catch (AccessDeniedException ade)
--- a/source/java/org/alfresco/rest/framework/core/ResourceInspector.java
+++ b/source/java/org/alfresco/rest/framework/core/ResourceInspector.java
@@ -70,6 +70,7 @@ import org.springframework.util.ReflectionUtils;
 * Looks at resources to see what they can do
 * 
 * @author Gethin James
+ * @author janv
 */
 public class ResourceInspector
 {
@@ -125,7 +126,12 @@ public class ResourceInspector
        findOperation(MultiPartResourceAction.Create.class,   HttpMethod.POST, helper);

        boolean noAuth = resource.isAnnotationPresent(WebApiNoAuth.class);
-        Set<Class<? extends ResourceAction>> apiNoAuth = (noAuth ? ALL_ENTITY_RESOURCE_INTERFACES : helper.apiNoAuth);
+        if (noAuth)
+        {
+            throw new IllegalArgumentException("@WebApiNoAuth should not be on all (entity resource class) - only on individual methods: "+urlPath);
+        }
+
+        Set<Class<? extends ResourceAction>> apiNoAuth = helper.apiNoAuth;

        if (resource.isAnnotationPresent(WebApiDeleted.class))
        {
@@ -164,7 +170,12 @@ public class ResourceInspector
        findOperation(BinaryResourceAction.Update.class, HttpMethod.PUT, helperForAddressProps);

        boolean noAuth = resource.isAnnotationPresent(WebApiNoAuth.class);
-        Set<Class<? extends ResourceAction>> apiNoAuth = (noAuth ? ALL_PROPERTY_RESOURCE_INTERFACES : helperForAddressProps.apiNoAuth);
+        if (noAuth)
+        {
+            throw new IllegalArgumentException("@WebApiNoAuth should not be on all (address properties) - only on individual methods: "+entityPath);
+        }
+
+        Set<Class<? extends ResourceAction>> apiNoAuth = helperForAddressProps.apiNoAuth;

        if (resource.isAnnotationPresent(WebApiDeleted.class))
        {
@@ -202,7 +213,12 @@ public class ResourceInspector
        findOperation(MultiPartRelationshipResourceAction.Create.class, HttpMethod.POST, helper);

        boolean noAuth = resource.isAnnotationPresent(WebApiNoAuth.class);
-        Set<Class<? extends ResourceAction>> apiNoAuth = (noAuth ? ALL_RELATIONSHIP_RESOURCE_INTERFACES : helper.apiNoAuth);
+        if (noAuth)
+        {
+            throw new IllegalArgumentException("@WebApiNoAuth should not be on all (relationship resource class) - only on methods: "+urlPath);
+        }
+
+        Set<Class<? extends ResourceAction>> apiNoAuth = helper.apiNoAuth;

        if (resource.isAnnotationPresent(WebApiDeleted.class))
        {
@@ -239,6 +255,10 @@ public class ResourceInspector

            if (isNoAuth(aMethod))
            {
+                if (! httpMethod.equals(HttpMethod.GET))
+                {
+                    throw new IllegalArgumentException("@WebApiNoAuth should only be on GET methods: "+operation.getTitle());
+                }
                helper.whenOperationNoAuth(resourceInterfaceWithOneMethod, aMethod);
            }
        }