ACS-3657 Allow returning partial list of rule sets.

If a user does not have access to a rule set applied to a node then it will be
excluded from the results, but the user will be able to see the list of other
rule sets.

Also add E2E tests for permissions when viewing rule sets.

remote-api/src/main/java/org/alfresco/rest/api/impl/rules/RuleSetsImpl.java

@@ -39,6 +39,7 @@ import java.util.stream.IntStream;
 
 import org.alfresco.repo.rule.RuleModel;
 import org.alfresco.repo.rule.RuntimeRuleService;
+import org.alfresco.repo.security.permissions.AccessDeniedException;
 import org.alfresco.rest.api.RuleSets;
 import org.alfresco.rest.api.model.rules.RuleSet;
 import org.alfresco.rest.api.model.rules.RuleSetLink;
@@ -50,10 +51,14 @@ import org.alfresco.service.Experimental;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.rule.RuleService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 @Experimental
 public class RuleSetsImpl implements RuleSets
 {
+    private static final Logger LOGGER = LoggerFactory.getLogger(RuleSetsImpl.class);
+
     private RuleSetLoader ruleSetLoader;
     private RuleService ruleService;
     private NodeValidator validator;
@@ -67,15 +72,42 @@ public class RuleSetsImpl implements RuleSets
 
         List<RuleSet> ruleSets = ruleService.getNodesSupplyingRuleSets(folderNode)
                                             .stream()
-                                            .map(ruleService::getRuleSetNode)
+                                            .map(supplyingNode -> loadRuleSet(supplyingNode, folderNode, includes))
                                             .filter(Objects::nonNull)
-                                            .map(nodeRef -> ruleSetLoader.loadRuleSet(nodeRef, folderNode, includes))
                                             .distinct()
                                             .collect(toList());
 
         return ListPage.of(ruleSets, paging);
     }
 
+    /**
+     * Load the specified rule set if the user has permission.
+     *
+     * @param supplyingNode The folder supplying a rule set.
+     * @param folderNode The folder being supplied with rule sets.
+     * @param includes The list of optional fields to include for each rule set in the response.
+     * @return The rule set from the DB or null if the folder has no rule set, or the current user does not have permission to view it.
+     */
+    private RuleSet loadRuleSet(NodeRef supplyingNode, NodeRef folderNode, List<String> includes)
+    {
+        NodeRef ruleSetNode = ruleService.getRuleSetNode(supplyingNode);
+        // Check if the folder has no rule sets.
+        if (ruleSetNode == null)
+        {
+            return null;
+        }
+
+        try
+        {
+            return ruleSetLoader.loadRuleSet(ruleSetNode, folderNode, includes);
+        }
+        catch (AccessDeniedException e)
+        {
+            LOGGER.debug("User does not have permission to view rule set with id {}.", ruleSetNode, e);
+            return null;
+        }
+    }
+
     @Override
     public RuleSet getRuleSetById(String folderNodeId, String ruleSetId, List<String> includes)
     {

remote-api/src/test/java/org/alfresco/rest/api/impl/rules/RuleSetsImplTest.java

@@ -42,6 +42,7 @@ import java.util.List;
 import junit.framework.TestCase;
 import org.alfresco.repo.rule.RuleModel;
 import org.alfresco.repo.rule.RuntimeRuleService;
+import org.alfresco.repo.security.permissions.AccessDeniedException;
 import org.alfresco.rest.api.model.rules.RuleSet;
 import org.alfresco.rest.framework.core.exceptions.InvalidArgumentException;
 import org.alfresco.rest.framework.resource.parameters.CollectionWithPagingInfo;
@@ -146,6 +147,34 @@ public class RuleSetsImplTest extends TestCase
         assertEquals(PAGING, actual.getPaging());
     }
 
+    @Test
+    public void testOnlyGetPermittedRuleSets()
+    {
+        // Simulate a private folder with a rule set that the current user can't access.
+        NodeRef privateFolder = new NodeRef("private://folder/");
+        NodeRef privateRuleSetNode = new NodeRef("private://rule/set/node/");
+        given(ruleServiceMock.getRuleSetNode(privateFolder)).willReturn(privateRuleSetNode);
+        given(ruleServiceMock.getNodesSupplyingRuleSets(FOLDER_NODE)).willReturn(List.of(FOLDER_NODE, privateFolder));
+        given(ruleSetLoaderMock.loadRuleSet(eq(privateRuleSetNode), any(NodeRef.class), any(List.class)))
+                .willThrow(new AccessDeniedException("Cannot access private rule set."));
+
+        // Call the method under test.
+        CollectionWithPagingInfo<RuleSet> actual = ruleSets.getRuleSets(FOLDER_ID, INCLUDES, PAGING);
+
+        then(nodeValidatorMock).should().validateFolderNode(FOLDER_ID, false);
+        then(nodeValidatorMock).shouldHaveNoMoreInteractions();
+
+        then(ruleServiceMock).should().getNodesSupplyingRuleSets(FOLDER_NODE);
+        then(ruleServiceMock).should().getRuleSetNode(FOLDER_NODE);
+        then(ruleServiceMock).should().getRuleSetNode(privateFolder);
+        then(ruleServiceMock).shouldHaveNoMoreInteractions();
+
+        // Check we only get the accessible rule set back.
+        Collection<RuleSet> expected = List.of(ruleSetMock);
+        assertEquals(expected, actual.getCollection());
+        assertEquals(PAGING, actual.getPaging());
+    }
+
     /** Check that a folder with a parent and grandparent can inherit rule sets from the grandparent, even if the parent has no rules. */
     @Test
     public void testGetInheritedRuleSets()