diff --git a/source/java/org/alfresco/repo/blog/cannedqueries/DraftsAndPublishedBlogPostsCannedQuery.java b/source/java/org/alfresco/repo/blog/cannedqueries/DraftsAndPublishedBlogPostsCannedQuery.java
index c4f01f06e2..d4c738dd76 100644
--- a/source/java/org/alfresco/repo/blog/cannedqueries/DraftsAndPublishedBlogPostsCannedQuery.java
+++ b/source/java/org/alfresco/repo/blog/cannedqueries/DraftsAndPublishedBlogPostsCannedQuery.java
@@ -183,10 +183,4 @@ public class DraftsAndPublishedBlogPostsCannedQuery extends AbstractCannedQueryP
// No post-query sorting. It's done within the queryAndFilter() method above.
return false;
}
-
- @Override
- protected boolean isApplyPostQueryPermissions()
- {
- return true;
- }
}
\ No newline at end of file
diff --git a/source/java/org/alfresco/repo/blog/cannedqueries/GetBlogPostsCannedQuery.java b/source/java/org/alfresco/repo/blog/cannedqueries/GetBlogPostsCannedQuery.java
index fb520ee2bc..b622249398 100644
--- a/source/java/org/alfresco/repo/blog/cannedqueries/GetBlogPostsCannedQuery.java
+++ b/source/java/org/alfresco/repo/blog/cannedqueries/GetBlogPostsCannedQuery.java
@@ -168,10 +168,4 @@ public class GetBlogPostsCannedQuery extends AbstractCannedQueryPermissions results = pubAuthorityService.getAuthorities( + AuthorityType.GROUP, null, null, true, true, new PagingRequest(10)); + AuthenticationUtil.clearCurrentSecurityContext(); + try + { + pubAuthorityService.getAuthorities( + AuthorityType.GROUP, null, null, true, true, new PagingRequest(10)); + fail("Public AuthorityService should reject unauthorized use."); + } + catch (AuthenticationCredentialsNotFoundException e) + { + // Expected + } + PagingResults resultsCheck = authorityService.getAuthorities( + AuthorityType.GROUP, null, null, true, true, new PagingRequest(10)); + assertEquals( + "Unauthorized use of private service should work just like 'admin'", + results.getPage().size(), resultsCheck.getPage().size()); + } + public void testAuthorities() { assertEquals(1, getAllAuthorities(AuthorityType.ADMIN).size()); diff --git a/source/java/org/alfresco/repo/security/authority/GetAuthoritiesCannedQuery.java b/source/java/org/alfresco/repo/security/authority/GetAuthoritiesCannedQuery.java index 2dae864ae1..64b5bcdd1d 100644 --- a/source/java/org/alfresco/repo/security/authority/GetAuthoritiesCannedQuery.java +++ b/source/java/org/alfresco/repo/security/authority/GetAuthoritiesCannedQuery.java @@ -164,6 +164,7 @@ public class GetAuthoritiesCannedQuery extends AbstractCannedQueryPermissions applyPostQuerySorting(List results, CannedQuerySortDetails sortDetails) { + @SuppressWarnings("rawtypes") final List> sortPairs = (List)sortDetails.getSortPairs(); if (sortPairs.size() > 0) { @@ -205,12 +206,6 @@ public class GetAuthoritiesCannedQuery extends AbstractCannedQueryPermissions extends AbstractCannedQu this.methodSecurity = methodSecurity; } + /** + * {@inheritDoc} + *

+ * By default, the is a permission checking class. Override the method if you wish to + * switch the behaviour at runtime. + * + * @return true always + */ + @Override + protected boolean isApplyPostQueryPermissions() + { + return true; + } + @Override protected List applyPostQueryPermissions(List results, int requestedCount) { Context context = ContextHolder.getContext(); if ((context == null) || (! (context instanceof AlfrescoSecureContext))) { + // This indicates that we have come via the internal service methods if (logger.isDebugEnabled()) { - logger.debug("Unexpected context: "+(context == null ? "null" : context.getClass())+" - "+Thread.currentThread().getId()); + logger.debug("Ignoring post-query permissions. The secure context is empty: " + this); } - return Collections.emptyList(); + return results; } Authentication authentication = (((SecureContext) context).getAuthentication());
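Review bot: The fallback at `return results;` turns the no-secure-context branch of applyPostQueryPermissions from fail-closed (an empty list) into fail-open (the unfiltered result set), and the only justification in the hunk is the new comment that the caller came via the internal service methods; nothing in this method verifies that, so the guarantee now rests on every publicly reachable path rejecting unauthenticated callers before a canned query runs, which the added test in this commit checks for the public AuthorityService alone. I would state that invariant at the branch so a future internal caller does not depend on it unknowingly: `// No secure context => reached through an internal (non-public) service. Permission filtering is skipped here, so every publicly reachable path must reject unauthenticated callers before the canned query runs.` The Javadoc on the new isApplyPostQueryPermissions has a typo, `By default, the is a permission checking class` should read `By default, this is a permission checking class`. The enclosing class and the remainder of applyPostQueryPermissions lie outside the hunk.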