When there are no authentication credentials, CQ permissions are ignored

- The public service interceptors prevent unauthenticated access, while the internal services ('little' services) should not apply any permission checks - Added explicit Authority-related test to check - ALF-9033, ALF-9129 (RINF 50), ALF-9322, ALF-7167 (RINF 11) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@28737 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2011-07-01 00:03:54 +00:00
parent ba38811c16
commit a6e553c048
5 changed files with 46 additions and 21 deletions
--- a/source/java/org/alfresco/repo/security/permissions/impl/acegi/AbstractCannedQueryPermissions.java
+++ b/source/java/org/alfresco/repo/security/permissions/impl/acegi/AbstractCannedQueryPermissions.java
@@ -18,7 +18,6 @@
 */
 package org.alfresco.repo.security.permissions.impl.acegi;

-import java.util.Collections;
 import java.util.List;

 import net.sf.acegisecurity.Authentication;
@@ -52,17 +51,32 @@ public abstract class AbstractCannedQueryPermissions<R> extends AbstractCannedQu
        this.methodSecurity = methodSecurity;
    }
    
+    /**
+     * {@inheritDoc}
+     * <p/>
+     * By default, the is a permission checking class.  Override the method if you wish to
+     * switch the behaviour at runtime.
+     * 
+     * @return      <tt>true</tt> always
+     */
+    @Override
+    protected boolean isApplyPostQueryPermissions()
+    {
+        return true;
+    }
+
    @Override
    protected List<R> applyPostQueryPermissions(List<R> results, int requestedCount)
    {
        Context context = ContextHolder.getContext();
        if ((context == null) || (! (context instanceof AlfrescoSecureContext)))
        {
+            // This indicates that we have come via the internal service methods
            if (logger.isDebugEnabled())
            {
-                logger.debug("Unexpected context: "+(context == null ? "null" : context.getClass())+" - "+Thread.currentThread().getId());
+                logger.debug("Ignoring post-query permissions.  The secure context is empty: " + this);
            }
-            return Collections.emptyList();
+            return results;
        }
        Authentication authentication = (((SecureContext) context).getAuthentication());