Added permission checking to the various ChannelService.getChannel() methods. Only users who have 'Add Children' access to a channel node may see that channel.

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@29432 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
N Smith
2011-07-28 13:26:38 +00:00
parent ed739a5b7e
commit a59ce355c4
5 changed files with 147 additions and 30 deletions


@@ -55,6 +55,7 @@
<property name="nodeService" ref="NodeService" /> <property name="nodeService" ref="NodeService" />
<property name="dictionaryService" ref="DictionaryService" /> <property name="dictionaryService" ref="DictionaryService" />
<property name="fileFolderService" ref="FileFolderService" /> <property name="fileFolderService" ref="FileFolderService" />
<property name="permissionService" ref="PermissionService" />
</bean> </bean>
<bean id="publishingRootObject" class="org.alfresco.repo.publishing.PublishingRootObject"> <bean id="publishingRootObject" class="org.alfresco.repo.publishing.PublishingRootObject">


@@ -95,6 +95,11 @@
<constructor-arg value="org.alfresco.repo.transaction.RetryingTransactionHelper" /> <constructor-arg value="org.alfresco.repo.transaction.RetryingTransactionHelper" />
</bean> </bean>
<!-- Mock Retrying Transaction Helper -->
<bean id="PermissionService" class="org.mockito.Mockito" factory-method="mock">
<constructor-arg value="org.alfresco.service.cmr.security.PermissionService" />
</bean>
<bean id="dictionaryBootstrap" class="java.lang.Object" /> <bean id="dictionaryBootstrap" class="java.lang.Object" />
</beans> </beans>
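Review bot: The comment above the new `PermissionService` bean was copied from the preceding bean and still reads "Mock Retrying Transaction Helper"; it should read `<!-- Mock Permission Service -->`. Beyond the label, an unstubbed Mockito mock returns null from `hasPermission`, so the `!= AccessStatus.ALLOWED` comparison this commit adds to `ChannelHelper.buildChannelObject` would treat every caller as denied in any test that wires the helper from this context. If such tests expect a channel object back, they need to stub `hasPermission` to return `AccessStatus.ALLOWED`; a short comment next to the bean saying so would save the next person from debugging null channels.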


@@ -94,6 +94,7 @@ public abstract class AbstractPublishingIntegrationTest extends BaseSpringTest
@After @After
public void onTearDown() throws Exception public void onTearDown() throws Exception
{ {
AuthenticationUtil.setAdminUserAsFullyAuthenticatedUser();
siteService.deleteSite(siteId); siteService.deleteSite(siteId);
try try
{ {


@@ -50,6 +50,8 @@ import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.ContentData; import org.alfresco.service.cmr.repository.ContentData;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService; import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.NamespaceService; import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName; import org.alfresco.service.namespace.QName;
import org.alfresco.util.Pair; import org.alfresco.util.Pair;
@@ -69,6 +71,7 @@ public class ChannelHelper
private NodeService nodeService; private NodeService nodeService;
private DictionaryService dictionaryService; private DictionaryService dictionaryService;
private FileFolderService fileFolderService; private FileFolderService fileFolderService;
private PermissionService permissionService;
public ChannelHelper() public ChannelHelper()
{ {
@@ -89,12 +92,16 @@ public class ChannelHelper
ChildAssociationRef channelAssoc = ChildAssociationRef channelAssoc =
nodeService.createNode(parent, ASSOC_CONTAINS, channelQName, channelNodeType, props); nodeService.createNode(parent, ASSOC_CONTAINS, channelQName, channelNodeType, props);
NodeRef channelNode = channelAssoc.getChildRef(); NodeRef channelNode = channelAssoc.getChildRef();
// Allow any user to read Channel permissions.
permissionService.setPermission(channelNode, PermissionService.ALL_AUTHORITIES, PermissionService.READ_PERMISSIONS, true);
return channelNode; return channelNode;
} }
public Channel buildChannelObject(NodeRef nodeRef, ChannelService channelService) public Channel buildChannelObject(NodeRef nodeRef, ChannelService channelService)
{ {
if(nodeRef == null || nodeService.exists(nodeRef)==false) if(nodeRef == null ||
nodeService.exists(nodeRef)==false ||
permissionService.hasPermission(nodeRef, PermissionService.ADD_CHILDREN)!= AccessStatus.ALLOWED)
{ {
return null; return null;
} }
@@ -339,6 +346,16 @@ public class ChannelHelper
}; };
} }
public boolean isChannelAuthorised(NodeRef channelNode)
{
Boolean isAuthorised = Boolean.FALSE;
if (nodeService.exists(channelNode))
{
isAuthorised = (Boolean)nodeService.getProperty(channelNode, PublishingModel.PROP_AUTHORISATION_COMPLETE);
}
return isAuthorised;
}
/** /**
* @param nodeService the nodeService to set * @param nodeService the nodeService to set
*/ */
@@ -363,13 +380,12 @@ public class ChannelHelper
this.fileFolderService = fileFolderService; this.fileFolderService = fileFolderService;
} }
public boolean isChannelAuthorised(NodeRef channelNode) /**
* @param permissionService the permissionService to set
*/
public void setPermissionService(PermissionService permissionService)
{ {
Boolean isAuthorised = Boolean.FALSE; this.permissionService = permissionService;
if (nodeService.exists(channelNode))
{
isAuthorised = (Boolean)nodeService.getProperty(channelNode, PublishingModel.PROP_AUTHORISATION_COMPLETE);
}
return isAuthorised;
} }
} }
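Review bot: The `setPermission(channelNode, PermissionService.ALL_AUTHORITIES, PermissionService.READ_PERMISSIONS, true)` call added in the channel-creation hunk widens access in a commit whose purpose is to narrow it. Every authority can then read the ACL of each new channel node, presumably including channels that `buildChannelObject` now hides from them. The comment restates the call but not the reason: if the grant exists only so that ordinary users can have the `ADD_CHILDREN` check evaluated, the comment should say so, and otherwise the grant could be limited to the authorities that receive 'Add Children'. Separately, the relocated `isChannelAuthorised` is not covered by the new gate and unboxes `(Boolean) nodeService.getProperty(...)`, which throws when the property is unset; `return Boolean.TRUE.equals(nodeService.getProperty(channelNode, PublishingModel.PROP_AUTHORISATION_COMPLETE));` inside the existing `exists` guard avoids that. The creating method starts outside the hunk, so where the new node's other permissions come from is not visible here.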


@@ -31,10 +31,19 @@ import java.util.Set;
import javax.annotation.Resource; import javax.annotation.Resource;
import org.alfresco.model.ContentModel; import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.person.TestPersonManager;
import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.publishing.channels.Channel; import org.alfresco.service.cmr.publishing.channels.Channel;
import org.alfresco.service.cmr.publishing.channels.ChannelType; import org.alfresco.service.cmr.publishing.channels.ChannelType;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.MutableAuthenticationService;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.namespace.QName; import org.alfresco.service.namespace.QName;
import org.alfresco.util.GUID; import org.alfresco.util.GUID;
import org.alfresco.util.collections.CollectionUtils;
import org.alfresco.util.collections.Filter;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
@@ -44,32 +53,17 @@ import org.junit.Test;
*/ */
public class ChannelServiceImplIntegratedTest extends AbstractPublishingIntegrationTest public class ChannelServiceImplIntegratedTest extends AbstractPublishingIntegrationTest
{ {
private static final String channelName = "Test Channel - Name"; private static final String channelName = GUID.generate();
private static final String channelTypeName = "MockedChannelType"; private static final String channelTypeName = "MockedChannelType";
private static boolean channelTypeRegistered = false; private static boolean channelTypeRegistered = false;
@Resource(name="channelService") @Resource(name="channelService")
private ChannelServiceImpl channelService; private ChannelServiceImpl channelService;
private PermissionService permissionService;
private TestPersonManager personManager;
private ChannelType mockedChannelType = mock(ChannelType.class); private ChannelType mockedChannelType = mock(ChannelType.class);
@Before
@Override
public void onSetUp() throws Exception
{
super.onSetUp();
channelService = (ChannelServiceImpl) getApplicationContext().getBean("channelService");
when(mockedChannelType.getId()).thenReturn(channelTypeName);
when(mockedChannelType.getChannelNodeType()).thenReturn(PublishingModel.TYPE_DELIVERY_CHANNEL);
if (!channelTypeRegistered)
{
channelService.register(mockedChannelType);
channelTypeRegistered = true;
}
}
@Test @Test
public void testCreateChannel() throws Exception public void testCreateChannel() throws Exception
{ {
@@ -143,6 +137,51 @@ public class ChannelServiceImplIntegratedTest extends AbstractPublishingIntegrat
} }
} }
@Test
public void testGetChannelsPermissions() throws Exception
{
// Create Channel as Admin user.
Channel channel = createChannel();
NodeRef channelNode = new NodeRef(channel.getId());
// Create User1 and set as FullyAuthenticatedUser.
String user1 = GUID.generate();
personManager.createPerson(user1);
personManager.setUser(user1);
// User1 should not have access to Channel.
Channel channelById = channelService.getChannelById(channel.getId());
assertNull("User1 should not have access to the channel!", channelById);
List<Channel> channels = channelService.getChannels();
assertFalse("Result of getChannels() should not contain the channel!", checkContainsChannel(channel.getId(), channels));
// Set authentication to Admin
AuthenticationUtil.setAdminUserAsFullyAuthenticatedUser();
//Add Read permissions to User1.
permissionService.setPermission(channelNode, user1, PermissionService.READ, true);
// Set authentication to User1
personManager.setUser(user1);
// Read permissions should not allow access to the Channel.
channelById = channelService.getChannelById(channel.getId());
assertNull("User1 should not have access to the channel!", channelById);
channels = channelService.getChannels();
assertFalse("Result of getChannels() should not contain the channel!", checkContainsChannel(channel.getId(), channels));
// Set authentication to Admin
AuthenticationUtil.setAdminUserAsFullyAuthenticatedUser();
//Add ADD_CHILD permissions to User1.
permissionService.setPermission(channelNode, user1, PermissionService.ADD_CHILDREN, true);
// Set authentication to User1
personManager.setUser(user1);
// Add Child permissions should allow access to the Channel.
channelById = channelService.getChannelById(channel.getId());
assertNotNull("User1 should have access to the channel!", channelById);
channels = channelService.getChannels();
assertTrue("Result of getChannels() should contain the channel!", checkContainsChannel(channel.getId(), channels));
}
@Test @Test
public void testGetChannel() throws Exception public void testGetChannel() throws Exception
{ {
@@ -166,11 +205,66 @@ public class ChannelServiceImplIntegratedTest extends AbstractPublishingIntegrat
assertEquals(createdChannel.getNodeRef(), channel.getNodeRef()); assertEquals(createdChannel.getNodeRef(), channel.getNodeRef());
} }
/** private boolean checkContainsChannel(final String id, List<Channel> channels)
* @return {
*/ Filter<Channel> acceptor = new Filter<Channel>()
{
public Boolean apply(Channel value)
{
return id.equals(value.getId());
}
};
Channel result = CollectionUtils.findFirst(channels, acceptor);
return result != null;
}
private Channel createChannel() private Channel createChannel()
{ {
return channelService.createChannel(channelTypeName, channelName, null); return channelService.createChannel(channelTypeName, channelName, null);
} }
@Before
@Override
public void onSetUp() throws Exception
{
super.onSetUp();
this.channelService = (ChannelServiceImpl) getApplicationContext().getBean("channelService");
this.permissionService = (PermissionService) getApplicationContext().getBean(ServiceRegistry.PERMISSIONS_SERVICE.getLocalName());
MutableAuthenticationService authenticationService= (MutableAuthenticationService) getApplicationContext().getBean(ServiceRegistry.AUTHENTICATION_SERVICE.getLocalName());
PersonService personService= (PersonService) getApplicationContext().getBean(ServiceRegistry.PERSON_SERVICE.getLocalName());
this.personManager = new TestPersonManager(authenticationService, personService, nodeService);
when(mockedChannelType.getId()).thenReturn(channelTypeName);
when(mockedChannelType.getChannelNodeType()).thenReturn(PublishingModel.TYPE_DELIVERY_CHANNEL);
if (!channelTypeRegistered)
{
channelService.register(mockedChannelType);
channelTypeRegistered = true;
}
}
/**
* {@inheritDoc}
*/
@Override
public void onTearDown() throws Exception
{
AuthenticationUtil.setAdminUserAsFullyAuthenticatedUser();
try
{
Channel channel = channelService.getChannelByName(channelName);
if (channel != null)
{
channelService.deleteChannel(channel);
}
}
finally
{
super.onTearDown();
}
}
} }
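Review bot: `testGetChannelsPermissions` asserts only on `getChannelById` and `getChannels()`, although the commit message says the check covers the various getChannel() methods; `getChannelByName`, which `onTearDown` already calls, is never exercised as the unprivileged user. Adding `assertNull("User1 should not have access to the channel!", channelService.getChannelByName(channelName));` next to each denied `getChannelById` assertion, and the matching `assertNotNull` after the ADD_CHILDREN grant, would pin that path. The test also has no explicit-deny case, e.g. `permissionService.setPermission(channelNode, user1, PermissionService.ADD_CHILDREN, false)`, which the `!= AccessStatus.ALLOWED` comparison in `ChannelHelper` should also treat as hidden.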