[MNT-23379] Set site manager permission if node belongs to a site and inheritance flag is disabled (#1657)

* [MNT-23379] Set site manager permission if node belongs to a site and inheritance flag is disabled * [MNT-23379] Added validation. Added throwable object to error logging. * [MNT-23379] Added unit test * [MNT-23379] Changed 'runAs' call to 'runAsSystem' with lambda
2025-07-24 17:32:48 +00:00 · 2023-01-06 15:43:14 +00:00
parent 3a032b7366
commit 88a0854548
2 changed files with 72 additions and 0 deletions
--- a/remote-api/src/main/java/org/alfresco/rest/api/impl/NodesImpl.java
+++ b/remote-api/src/main/java/org/alfresco/rest/api/impl/NodesImpl.java
@@ -2402,6 +2402,9 @@ public class NodesImpl implements Nodes
            // Check inherit from parent value and if it's changed set the new value
            if (nodePerms.getIsInheritanceEnabled() != null)
            {
+                // If inheritance flag is being disabled, the site manager needs to have permission
+                setSiteManagerPermission(nodeRef, nodePerms);
+
                if (nodePerms.getIsInheritanceEnabled() != permissionService.getInheritParentPermissions(nodeRef))
                {
                    permissionService.setInheritParentPermissions(nodeRef, nodePerms.getIsInheritanceEnabled());
@@ -2763,6 +2766,34 @@ public class NodesImpl implements Nodes
        return updateExistingFile(null, nodeRef, fileName, contentInfo, stream, parameters, versionMajor, versionComment);
    }

+    private void setSiteManagerPermission(NodeRef nodeRef, NodePermissions nodePerms)
+    {
+        if (nodeRef != null && nodePerms != null)
+        {
+            try
+            {
+                if (nodePerms.getIsInheritanceEnabled() != null && !nodePerms.getIsInheritanceEnabled())
+                {
+                    SiteInfo containingSite = siteService.getSite(nodeRef);
+
+                    if (containingSite != null)
+                    {
+                        String thisSiteGroupPrefix = siteService.getSiteGroup(containingSite.getShortName());
+                        final String siteManagerAuthority = thisSiteGroupPrefix + "_" + SiteModel.SITE_MANAGER;
+                        AuthenticationUtil.runAsSystem(() -> {
+                            permissionService.setPermission(nodeRef, siteManagerAuthority, SiteModel.SITE_MANAGER, true);
+                            return null;
+                        });
+                    }
+                }
+            }
+            catch (Exception e)
+            {
+                logger.error("Error setting site manager permission on " + nodeRef, e);
+            }
+        }
+    }
+
    private Node updateExistingFile(NodeRef parentNodeRef, NodeRef nodeRef, String fileName, BasicContentInfo contentInfo, InputStream stream, Parameters parameters, Boolean versionMajor, String versionComment)
    {
        boolean isVersioned = versionService.isVersioned(nodeRef);
--- a/remote-api/src/test/java/org/alfresco/rest/api/tests/NodeApiTest.java
+++ b/remote-api/src/test/java/org/alfresco/rest/api/tests/NodeApiTest.java
@@ -6354,5 +6354,46 @@ public class NodeApiTest extends AbstractSingleNetworkSiteTest
        assertEquals(Rendition.RenditionStatus.NOT_CREATED, renditionDeleted.getStatus());
    }

+    /**
+     * Tests if site manager permissions are kept after inheritance flag is disabled
+     */
+    @Test
+    public void testSiteManagerPermission() throws Exception
+    {
+        // Change to User1 context
+        setRequestContext(user1);
+
+        // user1 creates a site and adds user2 as a site manager
+        String site1Title = "site-testSiteManagerPermissions_DocLib-" + RUNID;
+        String site1Id = createSite(site1Title, SiteVisibility.PUBLIC).getId();
+        addSiteMember(site1Id, user2, SiteRole.SiteManager);
+
+        // user1 uploads a document to the site
+        String site1DocLibNodeId = getSiteContainerNodeId(site1Id, "documentLibrary");
+        String content = "content" + RUNID;
+        String content1_Id = createTextFile(site1DocLibNodeId, content, "The quick brown fox jumps over the lazy dog.").getId();
+        NodeRef content1_Ref = new NodeRef(StoreRef.STORE_REF_WORKSPACE_SPACESSTORE, content1_Id);
+
+        // Change to User2 context
+        setRequestContext(user2);
+
+        // user2 should be able to disable the inheritance flag without getting a permission denied error
+        Node nodeUpdate = new Node();
+        NodePermissions nodePerms = new NodePermissions();
+        nodePerms.setIsInheritanceEnabled(false);
+        nodeUpdate.setPermissions(nodePerms);
+        put(URL_NODES, content1_Id, toJsonAsStringNonNull(nodeUpdate), null, 200);
+
+        // user2 checks if has access to the document
+        Map<String, String> params = new HashMap<>();
+        HttpResponse response = getSingle(NodesEntityResource.class, content1_Id, params, 200);
+        Document node = jacksonUtil.parseEntry(response.getJsonResponse(), Document.class);
+        assertNotNull(node);
+        assertEquals(node.getId(), content1_Id);
+
+        // cleanup
+        setRequestContext(user1);
+        deleteSite(site1Id, true, 204);
+    }
 }