PublishingQueue.scheduleNewEvent() now includes a permission check to ensure user has 'Add CHild' access to the relevant Channels.

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@29440 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2011-07-28 16:15:42 +00:00
parent b27eed65e6
commit 874a165cbb
9 changed files with 162 additions and 47 deletions
--- a/source/java/org/alfresco/repo/publishing/PublishingEventHelper.java
+++ b/source/java/org/alfresco/repo/publishing/PublishingEventHelper.java
@@ -59,6 +59,7 @@ import java.util.TimeZone;
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.node.NodeUtils;
+import org.alfresco.repo.security.permissions.AccessDeniedException;
 import org.alfresco.repo.workflow.WorkflowModel;
 import org.alfresco.service.cmr.publishing.PublishingEvent;
 import org.alfresco.service.cmr.publishing.PublishingEventFilter;
@@ -72,6 +73,8 @@ import org.alfresco.service.cmr.repository.ContentService;
 import org.alfresco.service.cmr.repository.ContentWriter;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
+import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.workflow.WorkflowDefinition;
 import org.alfresco.service.cmr.workflow.WorkflowPath;
 import org.alfresco.service.cmr.workflow.WorkflowService;
@@ -98,6 +101,7 @@ public class PublishingEventHelper
    private ContentService contentService;
    private WorkflowService workflowService;
    private PublishingPackageSerializer serializer;
+    private PermissionService permissionService;
    
    private String workflowEngineId;
    
@@ -143,6 +147,14 @@ public class PublishingEventHelper
        this.serializer = serializer;
    }

+    /**
+     * @param permissionService the permissionService to set
+     */
+    public void setPermissionService(PermissionService permissionService)
+    {
+        this.permissionService = permissionService;
+    }
+    
    public PublishingEvent getPublishingEvent(NodeRef eventNode) throws AlfrescoRuntimeException
    {
        if(eventNode == null)
@@ -198,6 +210,12 @@ public class PublishingEventHelper
    public NodeRef createNode(NodeRef queueNode, PublishingPackage publishingPackage, String channelId, Calendar schedule, String comment, StatusUpdate statusUpdate)
        throws Exception
    {
+        checkChannelAccess(channelId);
+        if(statusUpdate != null && isEmpty(statusUpdate.getChannelIds())==false )
+        for (String statusChannelId : statusUpdate.getChannelIds())
+        {
+            checkChannelAccess(statusChannelId);
+        }
        if (schedule == null)
        {
            schedule = Calendar.getInstance();
@@ -214,6 +232,16 @@ public class PublishingEventHelper
        return eventNode;
    }

+    private void checkChannelAccess(String channelId)
+    {
+        NodeRef channelNode = new NodeRef(channelId);
+        AccessStatus accessStatus = permissionService.hasPermission(channelNode, PermissionService.ADD_CHILDREN);
+        if(AccessStatus.ALLOWED != accessStatus)
+        {
+            throw new AccessDeniedException("You do not have access to channel: " + channelId);
+        }
+    }
+
    private Map<QName, Serializable> buildPublishingEventProperties(PublishingPackage publishingPackage,
            String channelId, Calendar schedule, String comment, StatusUpdate statusUpdate, String name)
    {