ACE-2869: SOLR4 - security.anyDenyDenies=true config - result count from fts query still wrong.

Results are no longer post-processed for anyDenyDenies when Solr4 is in use - the processing is done on the Solr side instead.

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@86007 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

config/alfresco/public-services-security-context.xml

@@ -247,6 +247,9 @@
         <property name="anyDenyDenies">
             <value>${security.anyDenyDenies}</value>
         </property>
+        <property name="postProcessDenies">
+            <value>${security.postProcessDenies}</value>
+        </property>
     </bean>
     
     <bean id="afterAclMarking" class="org.alfresco.repo.security.permissions.impl.acegi.MarkingAfterInvocationProvider" />

config/alfresco/repository.properties

@@ -837,6 +837,8 @@ orphanReaper.lockTimeOut=3600000
 
 # security
 security.anyDenyDenies=true
+# Whether to post-process denies. Only applies to solr4+ when anyDenyDenies is true.
+security.postProcessDenies=false
 
 #
 # Encryption properties

source/java/org/alfresco/repo/search/impl/lucene/SolrJSONResultSet.java

@@ -81,6 +81,9 @@ public class SolrJSONResultSet implements ResultSet, JSONResult
     private long lastIndexedTxId;
     
     private SpellCheckResult spellCheckResult;
+    
+    private boolean processedDenies;
+    
     /**
      * Detached result set based on that provided
      * @param resultSet
@@ -104,7 +107,10 @@ public class SolrJSONResultSet implements ResultSet, JSONResult
             {
                 lastIndexedTxId = json.getLong("lastIndexedTx");
             }
-            
+            if (json.has("processedDenies"))
+            {
+                processedDenies = json.getBoolean("processedDenies");
+            }
             JSONArray docs = response.getJSONArray("docs");
             
             int numDocs = docs.length();
@@ -466,4 +472,9 @@ public class SolrJSONResultSet implements ResultSet, JSONResult
     {
         return this.spellCheckResult;
     }
+
+    public boolean getProcessedDenies()
+    {
+        return processedDenies;
+    }
 }

source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java

@@ -94,7 +94,7 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
 	private boolean optimisePermissionsCheck;
 	private int optimisePermissionsBulkFetchSize;
     private boolean anyDenyDenies = false;
-
+    private boolean postProcessDenies = false;
     /**
      * Default constructor
      */
@@ -279,7 +279,8 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
             {
                 return decide(authentication, object, config, (ChildAssociationRef) returnedObject);
             }
-            else if (SolrJSONResultSet.class.isAssignableFrom(returnedObject.getClass()) && !anyDenyDenies)
+            else if (SolrJSONResultSet.class.isAssignableFrom(returnedObject.getClass()) &&
+                        (!anyDenyDenies || (!postProcessDenies && ((SolrJSONResultSet)returnedObject).getProcessedDenies())))
             {
                 return returnedObject;
             }
@@ -525,6 +526,11 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
         this.anyDenyDenies = anyDenyDenies;
     }
     
+    public void setPostProcessDenies(boolean postProcessDenies)
+    {
+        this.postProcessDenies = postProcessDenies;
+    }
+    
 	private ResultSet decide(Authentication authentication, Object object, ConfigAttributeDefinition config, ResultSet returnedObject) throws AccessDeniedException
     {
     	ResultSet rs = optimisePermissionsCheck ? decideNew(authentication, object, config, returnedObject) :