[MNT-24513] Immutable user (IDS): allow to change enabled status (#2789)

* [MNT-24513] Immutable user: allow enabled status change * [MNT-24513] Created 'allow.immutable.user.enabled.status.update' to control whether an immutabled user enabled status can be changed or not * [MNT-24513] Regardless user details enabled status, the person nodeRef enabled status is also checked * [MNT-24513] Prevent LDAP users from being disabled. Changed variable name.
2025-07-24 17:32:48 +00:00 · 2024-07-25 21:23:51 +01:00
parent f9946827c4
commit 8a61badabc
5 changed files with 116 additions and 9 deletions
--- a/remote-api/src/main/java/org/alfresco/rest/api/impl/PeopleImpl.java
+++ b/remote-api/src/main/java/org/alfresco/rest/api/impl/PeopleImpl.java
@@ -125,7 +125,7 @@ public class PeopleImpl implements People
    protected ResetPasswordService resetPasswordService;
    protected UserRegistrySynchronizer userRegistrySynchronizer;
    protected Renditions renditions;
-
+    private Boolean allowImmutableEnabledUpdate;

    private final static Map<String, QName> sort_params_to_qnames;
    static
@@ -202,6 +202,11 @@ public class PeopleImpl implements People
        this.userRegistrySynchronizer = userRegistrySynchronizer;
    }

+    public void setAllowImmutableEnabledUpdate(Boolean allowImmutableEnabledUpdate)
+    {
+        this.allowImmutableEnabledUpdate = allowImmutableEnabledUpdate;
+    }
+
    /**
     * Validate, perform -me- substitution and canonicalize the person ID.
     * 
@@ -708,16 +713,26 @@ public class PeopleImpl implements People
        // if requested, update password
        updatePassword(isAdmin, personIdToUpdate, person);

-        if (person.isEnabled() != null)
+        Set<QName> immutableProperties = userRegistrySynchronizer.getPersonMappedProperties(personIdToUpdate);
+
+        Boolean isEnabled = person.isEnabled();
+        if (isEnabled != null)
        {
            if (isAdminAuthority(personIdToUpdate))
            {
                throw new PermissionDeniedException("Admin authority cannot be disabled.");
            }

-            // note: if current user is not an admin then permission denied exception is thrown
-            MutableAuthenticationService mutableAuthenticationService = (MutableAuthenticationService) authenticationService;
-            mutableAuthenticationService.setAuthenticationEnabled(personIdToUpdate, person.isEnabled());
+            if (allowImmutableEnabledStatusUpdate(personIdToUpdate, isAdmin, immutableProperties))
+            {
+                LOGGER.info("User " + personIdToUpdate + " is immutable but enabled status will be set to: " + isEnabled);
+            }
+            else
+            {
+                // note: if current user is not an admin then permission denied exception is thrown
+                MutableAuthenticationService mutableAuthenticationService = (MutableAuthenticationService) authenticationService;
+                mutableAuthenticationService.setAuthenticationEnabled(personIdToUpdate, person.isEnabled());
+            }
        }

 		NodeRef personNodeRef = personService.getPerson(personIdToUpdate, false);
@@ -742,9 +757,7 @@ public class PeopleImpl implements People
 			properties.putAll(nodes.mapToNodeProperties(customProps));
 		}

-        // MNT-21150 LDAP synced attributes can be changed using REST API
-        Set<QName> immutableProperties = userRegistrySynchronizer.getPersonMappedProperties(personIdToUpdate);
-
+        // MNT-21150 LDAP synced attributes can't be changed using REST API
        immutableProperties.forEach(immutableProperty -> {
            if (properties.containsKey(immutableProperty))
            {
@@ -768,6 +781,28 @@ public class PeopleImpl implements People
        return getPerson(personId);
    }

+    private boolean allowImmutableEnabledStatusUpdate(String userId, boolean isAdmin, Set<QName> immutableProperties)
+    {
+        if (allowImmutableEnabledUpdate)
+        {
+            boolean containLdapUserAccountStatus = false;
+            QName propertyNameToCheck = QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, "userAccountStatusProperty");
+
+            for (QName immutableProperty : immutableProperties)
+            {
+                if (immutableProperty.equals(propertyNameToCheck))
+                {
+                    containLdapUserAccountStatus = true;
+                    break;
+                }
+            }
+
+            return isAdmin && !containLdapUserAccountStatus && !isMutableAuthority(userId);
+        }
+
+        return false;
+    }
+
    private boolean checkCurrentUserOrAdmin(String personId)
    {
        boolean isAdmin = isAdminAuthority();
--- a/remote-api/src/main/resources/alfresco/public-rest-context.xml
+++ b/remote-api/src/main/resources/alfresco/public-rest-context.xml
@@ -764,6 +764,7 @@
        <property name="thumbnailService" ref="ThumbnailService" />
        <property name="resetPasswordService" ref="resetPasswordService" />
        <property name="userRegistrySynchronizer" ref="userRegistrySynchronizer" />
+        <property name="allowImmutableEnabledUpdate" value="${allow.immutable.user.enabled.status.update}" />
    </bean>

    <bean id="People" class="org.springframework.aop.framework.ProxyFactoryBean">