Added permission checking to the various ChannelService.getChannel() methods. Only users who have 'Add Children' access to a channel node may see that channel.

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@29432 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2011-07-28 13:26:38 +00:00
parent ed739a5b7e
commit a59ce355c4
5 changed files with 147 additions and 30 deletions
--- a/config/alfresco/web-publishing-context.xml
+++ b/config/alfresco/web-publishing-context.xml
@@ -55,6 +55,7 @@
      <property name="nodeService" ref="NodeService" />
      <property name="dictionaryService" ref="DictionaryService" />
      <property name="fileFolderService" ref="FileFolderService" />
+      <property name="permissionService" ref="PermissionService" />
   </bean>

   <bean id="publishingRootObject" class="org.alfresco.repo.publishing.PublishingRootObject">
--- a/config/test/alfresco/test-web-publishing-context.xml
+++ b/config/test/alfresco/test-web-publishing-context.xml
@@ -95,6 +95,11 @@
        <constructor-arg value="org.alfresco.repo.transaction.RetryingTransactionHelper" />
    </bean>

+   <!-- Mock Retrying Transaction Helper -->
+    <bean id="PermissionService" class="org.mockito.Mockito" factory-method="mock">
+        <constructor-arg value="org.alfresco.service.cmr.security.PermissionService" />
+    </bean>
+
   <bean id="dictionaryBootstrap" class="java.lang.Object" />
   
 </beans>
--- a/source/java/org/alfresco/repo/publishing/AbstractPublishingIntegrationTest.java
+++ b/source/java/org/alfresco/repo/publishing/AbstractPublishingIntegrationTest.java
@@ -94,6 +94,7 @@ public abstract class AbstractPublishingIntegrationTest extends BaseSpringTest
    @After
    public void onTearDown() throws Exception
    {
+        AuthenticationUtil.setAdminUserAsFullyAuthenticatedUser();
        siteService.deleteSite(siteId);
        try
        {
--- a/source/java/org/alfresco/repo/publishing/ChannelHelper.java
+++ b/source/java/org/alfresco/repo/publishing/ChannelHelper.java
@@ -50,6 +50,8 @@ import org.alfresco.service.cmr.repository.ChildAssociationRef;
 import org.alfresco.service.cmr.repository.ContentData;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
+import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.util.Pair;
@@ -69,6 +71,7 @@ public class ChannelHelper
    private NodeService nodeService;
    private DictionaryService dictionaryService;
    private FileFolderService fileFolderService;
+    private PermissionService permissionService;
    
    public ChannelHelper()
    {
@@ -89,12 +92,16 @@ public class ChannelHelper
        ChildAssociationRef channelAssoc = 
            nodeService.createNode(parent, ASSOC_CONTAINS, channelQName, channelNodeType, props);
        NodeRef channelNode = channelAssoc.getChildRef();
+        // Allow any user to read Channel permissions.
+        permissionService.setPermission(channelNode, PermissionService.ALL_AUTHORITIES, PermissionService.READ_PERMISSIONS, true);
        return channelNode;
    }

    public Channel buildChannelObject(NodeRef nodeRef, ChannelService channelService)
    {
-        if(nodeRef == null || nodeService.exists(nodeRef)==false)
+        if(nodeRef == null ||
+                nodeService.exists(nodeRef)==false ||
+                permissionService.hasPermission(nodeRef, PermissionService.ADD_CHILDREN)!= AccessStatus.ALLOWED)
        {
            return null;
        }
@@ -339,6 +346,16 @@ public class ChannelHelper
        };
    }

+    public boolean isChannelAuthorised(NodeRef channelNode)
+    {
+        Boolean isAuthorised = Boolean.FALSE;
+        if (nodeService.exists(channelNode))
+        {
+            isAuthorised = (Boolean)nodeService.getProperty(channelNode, PublishingModel.PROP_AUTHORISATION_COMPLETE);
+        }
+        return isAuthorised;
+    }
+
    /**
     * @param nodeService the nodeService to set
     */
@@ -363,13 +380,12 @@ public class ChannelHelper
        this.fileFolderService = fileFolderService;
    }

-    public boolean isChannelAuthorised(NodeRef channelNode)
+    /**
+     * @param permissionService the permissionService to set
+     */
+    public void setPermissionService(PermissionService permissionService)
    {
-        Boolean isAuthorised = Boolean.FALSE;
-        if (nodeService.exists(channelNode))
-        {
-            isAuthorised = (Boolean)nodeService.getProperty(channelNode, PublishingModel.PROP_AUTHORISATION_COMPLETE);
-        }
-        return isAuthorised;
+        this.permissionService = permissionService;
    }
+    
 }
--- a/source/java/org/alfresco/repo/publishing/ChannelServiceImplIntegratedTest.java
+++ b/source/java/org/alfresco/repo/publishing/ChannelServiceImplIntegratedTest.java
@@ -31,10 +31,19 @@ import java.util.Set;
 import javax.annotation.Resource;

 import org.alfresco.model.ContentModel;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.repo.security.person.TestPersonManager;
+import org.alfresco.service.ServiceRegistry;
 import org.alfresco.service.cmr.publishing.channels.Channel;
 import org.alfresco.service.cmr.publishing.channels.ChannelType;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
+import org.alfresco.service.cmr.security.PermissionService;
+import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.util.GUID;
+import org.alfresco.util.collections.CollectionUtils;
+import org.alfresco.util.collections.Filter;
 import org.junit.Before;
 import org.junit.Test;

@@ -44,32 +53,17 @@ import org.junit.Test;
 */
 public class ChannelServiceImplIntegratedTest extends AbstractPublishingIntegrationTest
 {
-    private static final String channelName = "Test Channel - Name";
+    private static final String channelName = GUID.generate();
    private static final String channelTypeName = "MockedChannelType";
    private static boolean channelTypeRegistered = false;

    @Resource(name="channelService")
    private ChannelServiceImpl channelService;
-
+    private PermissionService permissionService;
+    private TestPersonManager personManager;
+    
    private ChannelType mockedChannelType = mock(ChannelType.class);

-    @Before
-    @Override
-    public void onSetUp() throws Exception
-    {
-        super.onSetUp();
-        channelService = (ChannelServiceImpl) getApplicationContext().getBean("channelService");
-        when(mockedChannelType.getId()).thenReturn(channelTypeName);
-        when(mockedChannelType.getChannelNodeType()).thenReturn(PublishingModel.TYPE_DELIVERY_CHANNEL);
-
-        if (!channelTypeRegistered)
-        {
-            channelService.register(mockedChannelType);
-            channelTypeRegistered = true;
-        }
-
-    }
-
    @Test
    public void testCreateChannel() throws Exception
    {
@@ -143,6 +137,51 @@ public class ChannelServiceImplIntegratedTest extends AbstractPublishingIntegrat
        }
    }
    
+    @Test
+    public void testGetChannelsPermissions() throws Exception
+    {
+        // Create Channel as Admin user.
+        Channel channel = createChannel();
+        NodeRef channelNode = new NodeRef(channel.getId());
+        
+        // Create User1 and set as FullyAuthenticatedUser.
+        String user1 = GUID.generate();
+        personManager.createPerson(user1);
+        personManager.setUser(user1);
+        
+        // User1 should not have access to Channel.
+        Channel channelById = channelService.getChannelById(channel.getId());
+        assertNull("User1 should not have access to the channel!", channelById);
+        List<Channel> channels = channelService.getChannels();
+        assertFalse("Result of getChannels() should not contain the channel!", checkContainsChannel(channel.getId(), channels));
+        
+        // Set authentication to Admin
+        AuthenticationUtil.setAdminUserAsFullyAuthenticatedUser();
+        //Add Read permissions to User1.
+        permissionService.setPermission(channelNode, user1, PermissionService.READ, true);
+        // Set authentication to User1
+        personManager.setUser(user1);
+        
+        // Read permissions should not allow access to the Channel.
+        channelById = channelService.getChannelById(channel.getId());
+        assertNull("User1 should not have access to the channel!", channelById);
+        channels = channelService.getChannels();
+        assertFalse("Result of getChannels() should not contain the channel!", checkContainsChannel(channel.getId(), channels));
+        
+        // Set authentication to Admin
+        AuthenticationUtil.setAdminUserAsFullyAuthenticatedUser();
+        //Add ADD_CHILD permissions to User1.
+        permissionService.setPermission(channelNode, user1, PermissionService.ADD_CHILDREN, true);
+        // Set authentication to User1
+        personManager.setUser(user1);
+        
+        // Add Child permissions should allow access to the Channel.
+        channelById = channelService.getChannelById(channel.getId());
+        assertNotNull("User1 should have access to the channel!", channelById);
+        channels = channelService.getChannels();
+        assertTrue("Result of getChannels() should contain the channel!", checkContainsChannel(channel.getId(), channels));
+    }
+
    @Test
    public void testGetChannel() throws Exception
    {
@@ -166,11 +205,66 @@ public class ChannelServiceImplIntegratedTest extends AbstractPublishingIntegrat
        assertEquals(createdChannel.getNodeRef(), channel.getNodeRef());
    }
    
-    /**
-     * @return
-     */
+    private boolean checkContainsChannel(final String id, List<Channel> channels)
+    {
+        Filter<Channel> acceptor = new Filter<Channel>()
+        {
+            public Boolean apply(Channel value)
+            {
+                return id.equals(value.getId());
+            }
+        };
+        Channel result = CollectionUtils.findFirst(channels, acceptor);
+        return result != null;
+    }
+
    private Channel createChannel()
    {
        return channelService.createChannel(channelTypeName, channelName, null);
    }
+    
+    
+    @Before
+    @Override
+    public void onSetUp() throws Exception
+    {
+        super.onSetUp();
+        this.channelService = (ChannelServiceImpl) getApplicationContext().getBean("channelService");
+        this.permissionService = (PermissionService) getApplicationContext().getBean(ServiceRegistry.PERMISSIONS_SERVICE.getLocalName());
+        MutableAuthenticationService authenticationService= (MutableAuthenticationService) getApplicationContext().getBean(ServiceRegistry.AUTHENTICATION_SERVICE.getLocalName());
+        PersonService personService= (PersonService) getApplicationContext().getBean(ServiceRegistry.PERSON_SERVICE.getLocalName());
+        
+        this.personManager = new TestPersonManager(authenticationService, personService, nodeService);
+        
+        when(mockedChannelType.getId()).thenReturn(channelTypeName);
+        when(mockedChannelType.getChannelNodeType()).thenReturn(PublishingModel.TYPE_DELIVERY_CHANNEL);
+
+        if (!channelTypeRegistered)
+        {
+            channelService.register(mockedChannelType);
+            channelTypeRegistered = true;
+        }
+
+    }
+
+    /**
+    * {@inheritDoc}
+    */
+    @Override
+    public void onTearDown() throws Exception
+    {
+        AuthenticationUtil.setAdminUserAsFullyAuthenticatedUser();
+        try
+        {
+            Channel channel = channelService.getChannelByName(channelName);
+            if (channel != null)
+            {
+                channelService.deleteChannel(channel);
+            }
+        }
+        finally
+        {
+            super.onTearDown();
+        }
+    }
 }