inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-14 17:58:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged 5.1.N (5.1.2) to 5.2.N (5.2.1)

Browse Source 
128355 jvonka: MNT-16446: Edit Comment permission (part 2)
   - for v1 api


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@128362 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Alan Davis
2016-06-27 07:05:38 +00:00
parent 8bd1b00193
commit 7d7e006356
2 changed files with 181 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

161
source/java/org/alfresco/rest/api/impl/CommentsImpl.java
View File

@@ -1,28 +1,28 @@
/*
* #%L
* Alfresco Remote API
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
/*
* #%L
* Alfresco Remote API
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.rest.api.impl;
import java.io.Serializable;
@@ -37,11 +37,14 @@ import org.alfresco.model.ContentModel;
import org.alfresco.query.PagingRequest;
import org.alfresco.query.PagingResults;
import org.alfresco.repo.forum.CommentService;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.site.SiteModel;
import org.alfresco.rest.api.Comments;
import org.alfresco.rest.api.Nodes;
import org.alfresco.rest.api.model.Comment;
import org.alfresco.rest.framework.core.exceptions.ConstraintViolatedException;
import org.alfresco.rest.framework.core.exceptions.InvalidArgumentException;
import org.alfresco.rest.framework.core.exceptions.PermissionDeniedException;
import org.alfresco.rest.framework.core.exceptions.UnsupportedResourceOperationException;
import org.alfresco.rest.framework.resource.parameters.CollectionWithPagingInfo;
import org.alfresco.rest.framework.resource.parameters.Paging;
@@ -119,45 +122,72 @@ public class CommentsImpl implements Comments
nodeProps.remove(ContentModel.PROP_CONTENT);
}
boolean canEdit = true;
boolean canDelete = true;
boolean canEdit = false;
boolean canDelete = false;
boolean isNodeLocked = false;
boolean isWorkingCopy = false;
if(nodeRef != null)
if (! isWorkingCopyOrLocked(nodeRef))
{
Set<QName> aspects = nodeService.getAspects(nodeRef);
isWorkingCopy = aspects.contains(ContentModel.ASPECT_WORKING_COPY);
if(!isWorkingCopy)
{
if(aspects.contains(ContentModel.ASPECT_LOCKABLE))
{
LockStatus lockStatus = lockService.getLockStatus(nodeRef);
if (lockStatus == LockStatus.LOCKED || lockStatus == LockStatus.LOCK_OWNER)
{
isNodeLocked = true;
}
}
}
canEdit = canEditPermission(commentNodeRef);
canDelete = canDeletePermission(commentNodeRef);
}
if(isNodeLocked || isWorkingCopy)
{
canEdit = false;
canDelete = false;
}
else
{
canEdit = permissionService.hasPermission(commentNodeRef, PermissionService.WRITE) == AccessStatus.ALLOWED;
canDelete = permissionService.hasPermission(commentNodeRef, PermissionService.DELETE) == AccessStatus.ALLOWED;
}
Comment comment = new Comment(commentNodeRef.getId(), nodeProps, canEdit, canDelete);
return comment;
}
private boolean isWorkingCopyOrLocked(NodeRef nodeRef)
{
boolean isWorkingCopy = false;
boolean isLocked = false;
if (nodeRef != null)
{
Set<QName> aspects = nodeService.getAspects(nodeRef);
isWorkingCopy = aspects.contains(ContentModel.ASPECT_WORKING_COPY);
if(!isWorkingCopy)
{
if(aspects.contains(ContentModel.ASPECT_LOCKABLE))
{
LockStatus lockStatus = lockService.getLockStatus(nodeRef);
if (lockStatus == LockStatus.LOCKED || lockStatus == LockStatus.LOCK_OWNER)
{
isLocked = true;
}
}
}
}
return (isWorkingCopy || isLocked);
}
private boolean canEdit(NodeRef nodeRef, NodeRef commentNodeRef)
{
return ((! isWorkingCopyOrLocked(nodeRef) && canEditPermission(commentNodeRef)));
}
// TODO refactor (ACE-5437) - see also CommentsPost
private boolean canEditPermission(NodeRef commentNodeRef)
{
String creator = (String)nodeService.getProperty(commentNodeRef, ContentModel.PROP_CREATOR);
Serializable owner = nodeService.getProperty(commentNodeRef, ContentModel.PROP_OWNER);
String currentUser = AuthenticationUtil.getFullyAuthenticatedUser();
boolean isSiteManager = permissionService.hasPermission(commentNodeRef, SiteModel.SITE_MANAGER) == (AccessStatus.ALLOWED);
boolean isCoordinator = permissionService.hasPermission(commentNodeRef, PermissionService.COORDINATOR) == (AccessStatus.ALLOWED);
return (isSiteManager || isCoordinator || currentUser.equals(creator) || currentUser.equals(owner));
}
private boolean canDelete(NodeRef nodeRef, NodeRef commentNodeRef)
{
return ((! isWorkingCopyOrLocked(nodeRef) || canDeletePermission(commentNodeRef)));
}
private boolean canDeletePermission(NodeRef commentNodeRef)
{
return permissionService.hasPermission(commentNodeRef, PermissionService.DELETE) == AccessStatus.ALLOWED;
}
public Comment createComment(String nodeId, Comment comment)
{
NodeRef nodeRef = nodes.validateNode(nodeId);
@@ -193,8 +223,14 @@ public class CommentsImpl implements Comments
{
throw new InvalidArgumentException();
}
commentService.updateComment(commentNodeRef, title, content);
// MNT-16446 (pending future ACE-5437)
if (! canEdit(nodeRef, commentNodeRef))
{
throw new PermissionDeniedException("Cannot edit comment");
}
commentService.updateComment(commentNodeRef, title, content);
return toComment(nodeRef, commentNodeRef);
}
catch(IllegalArgumentException e)
@@ -243,9 +279,16 @@ public class CommentsImpl implements Comments
{
try
{
nodes.validateNode(nodeId);
NodeRef nodeRef = nodes.validateNode(nodeId);
NodeRef commentNodeRef = nodes.validateNode(commentNodeId);
commentService.deleteComment(commentNodeRef);
// MNT-16446 (pending future ACE-5437)
if (! canDelete(nodeRef, commentNodeRef))
{
throw new PermissionDeniedException("Cannot delete comment");
}
commentService.deleteComment(commentNodeRef);
}
catch(IllegalArgumentException e)
{