inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-31 17:39:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

RM: Fallout from previous model security service changes

Browse Source 
* we don't need to evaluate the capabilites, just need to know if the user 'has' the capability
  * added ebable/disable 
  * disabled for now since code refactor is complete, but we need to think some more about what (and why) some properties and aspects are protected



git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@44230 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Roy Wetherall
2012-12-03 08:10:21 +00:00
parent e7f1b2e62c
commit aaab4b2c9e
6 changed files with 181 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml
View File

@@ -550,10 +550,12 @@
<bean id="modelSecurityService" <bean id="modelSecurityService"
class="org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityServiceImpl" class="org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityServiceImpl"
init-method="init"> init-method="init">
<property name="enabled" value="false" />
<property name="policyComponent" ref="policyComponent" /> <property name="policyComponent" ref="policyComponent" />
<property name="nodeService" ref="NodeService" /> <property name="nodeService" ref="NodeService" />
<property name="capabilityService" ref="CapabilityService" />
<property name="namespaceService" ref="namespaceService" /> <property name="namespaceService" ref="namespaceService" />
<property name="securityService" ref="RecordsManagementSecurityService" />
<property name="recordsManagementService" ref="RecordsManagementService" />
</bean> </bean>
<bean id="ModelSecurityService" class="org.springframework.aop.framework.ProxyFactoryBean"> <bean id="ModelSecurityService" class="org.springframework.aop.framework.ProxyFactoryBean">

14
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/model/security/ModelSecurityService.java
View File

@@ -31,6 +31,20 @@ import org.alfresco.service.namespace.QName;
*/ */
public interface ModelSecurityService public interface ModelSecurityService
{ {
/**
* Sets whether model security is enabled or not.
*
* @param enabled
*/
void setEnabled(boolean enabled);
/**
* Indicates whether model security is enabled or not.
*
* @return
*/
boolean isEnabled();
/** /**
* Registers a protected model artifact with the service. * Registers a protected model artifact with the service.
* *

81
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/model/security/ModelSecurityServiceImpl.java
View File

@@ -24,9 +24,11 @@ import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import org.alfresco.module.org_alfresco_module_rm.capability.Capability; import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService;
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService; import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService;
import org.alfresco.module.org_alfresco_module_rm.security.Role;
import org.alfresco.repo.node.NodeServicePolicies; import org.alfresco.repo.node.NodeServicePolicies;
import org.alfresco.repo.policy.JavaBehaviour; import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent; import org.alfresco.repo.policy.PolicyComponent;
@@ -34,7 +36,6 @@ import org.alfresco.repo.policy.Behaviour.NotificationFrequency;
import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService; import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.namespace.NamespaceService; import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName; import org.alfresco.service.namespace.QName;
import org.alfresco.util.EqualsHelper; import org.alfresco.util.EqualsHelper;
@@ -54,18 +55,24 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
NodeServicePolicies.BeforeRemoveAspectPolicy, NodeServicePolicies.BeforeRemoveAspectPolicy,
NodeServicePolicies.OnUpdatePropertiesPolicy NodeServicePolicies.OnUpdatePropertiesPolicy
{ {
/** Indicates whether model security is enabled or not */
private boolean enabled = true;
/** Policy component */ /** Policy component */
private PolicyComponent policyComponent; private PolicyComponent policyComponent;
/** Node service */ /** Node service */
private NodeService nodeService; private NodeService nodeService;
/** Capability service */
private CapabilityService capabilityService;
/** Namespace service */ /** Namespace service */
private NamespaceService namespaceService; private NamespaceService namespaceService;
/** Security service */
private RecordsManagementSecurityService securityService;
/** Records management service */
private RecordsManagementService recordsManagementService;
/** Map of protected properties keyed by name */ /** Map of protected properties keyed by name */
private Map<QName, ProtectedProperty> protectedProperties = new HashMap<QName, ProtectedProperty>(21); private Map<QName, ProtectedProperty> protectedProperties = new HashMap<QName, ProtectedProperty>(21);
@@ -83,6 +90,22 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
"onUpdateProperties", "onUpdateProperties",
NotificationFrequency.EVERY_EVENT); NotificationFrequency.EVERY_EVENT);
/**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#setEnabled(boolean)
*/
public void setEnabled(boolean enabled)
{
this.enabled = enabled;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#isEnabled()
*/
public boolean isEnabled()
{
return enabled;
}
/** /**
* @param policyComponent policy component * @param policyComponent policy component
*/ */
@@ -99,14 +122,6 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
this.nodeService = nodeService; this.nodeService = nodeService;
} }
/**
* @param capabilityService capability service
*/
public void setCapabilityService(CapabilityService capabilityService)
{
this.capabilityService = capabilityService;
}
/** /**
* @param namespaceService namespace service * @param namespaceService namespace service
*/ */
@@ -115,6 +130,22 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
this.namespaceService = namespaceService; this.namespaceService = namespaceService;
} }
/**
* @param securityService records management security service
*/
public void setSecurityService(RecordsManagementSecurityService securityService)
{
this.securityService = securityService;
}
/**
* @param recordsManagementService records management service
*/
public void setRecordsManagementService(RecordsManagementService recordsManagementService)
{
this.recordsManagementService = recordsManagementService;
}
/** /**
* Init method * Init method
*/ */
@@ -213,15 +244,19 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
boolean result = false; boolean result = false;
for (Capability capability : artifact.getCapabilities()) NodeRef filePlan = recordsManagementService.getFilePlan(nodeRef);
if (filePlan != null)
{ {
AccessStatus accessStatus = capabilityService.getCapabilityAccessState(nodeRef, capability.getName()); Set<Role> roles = securityService.getRolesByUser(filePlan, AuthenticationUtil.getFullyAuthenticatedUser());
if (AccessStatus.ALLOWED.equals(accessStatus) == true) for (Role role : roles)
{
if (Collections.disjoint(role.getCapabilities(), artifact.getCapilityNames()) == false)
{ {
result = true; result = true;
break; break;
} }
} }
}
return result; return result;
} }
@@ -279,6 +314,8 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
*/ */
@Override @Override
public void beforeAddAspect(NodeRef nodeRef, QName aspect) public void beforeAddAspect(NodeRef nodeRef, QName aspect)
{
if (enabled == true)
{ {
if (AuthenticationUtil.getFullyAuthenticatedUser() != null && if (AuthenticationUtil.getFullyAuthenticatedUser() != null &&
AuthenticationUtil.isRunAsUserTheSystemUser() == false && AuthenticationUtil.isRunAsUserTheSystemUser() == false &&
@@ -293,12 +330,15 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
" from the node " + nodeRef.toString()); " from the node " + nodeRef.toString());
} }
} }
}
/** /**
* @see org.alfresco.repo.node.NodeServicePolicies.BeforeRemoveAspectPolicy#beforeRemoveAspect(org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.namespace.QName) * @see org.alfresco.repo.node.NodeServicePolicies.BeforeRemoveAspectPolicy#beforeRemoveAspect(org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.namespace.QName)
*/ */
@Override @Override
public void beforeRemoveAspect(NodeRef nodeRef, QName aspect) public void beforeRemoveAspect(NodeRef nodeRef, QName aspect)
{
if (enabled == true)
{ {
if (AuthenticationUtil.getFullyAuthenticatedUser() != null && if (AuthenticationUtil.getFullyAuthenticatedUser() != null &&
AuthenticationUtil.isRunAsUserTheSystemUser() == false && AuthenticationUtil.isRunAsUserTheSystemUser() == false &&
@@ -313,12 +353,15 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
" from the node " + nodeRef.toString()); " from the node " + nodeRef.toString());
} }
} }
}
/** /**
* @see org.alfresco.repo.node.NodeServicePolicies.OnUpdatePropertiesPolicy#onUpdateProperties(org.alfresco.service.cmr.repository.NodeRef, java.util.Map, java.util.Map) * @see org.alfresco.repo.node.NodeServicePolicies.OnUpdatePropertiesPolicy#onUpdateProperties(org.alfresco.service.cmr.repository.NodeRef, java.util.Map, java.util.Map)
*/ */
@Override @Override
public void onUpdateProperties(NodeRef nodeRef, Map<QName, Serializable> before, Map<QName, Serializable> after) public void onUpdateProperties(NodeRef nodeRef, Map<QName, Serializable> before, Map<QName, Serializable> after)
{
if (enabled == true)
{ {
if (AuthenticationUtil.getFullyAuthenticatedUser() != null && if (AuthenticationUtil.getFullyAuthenticatedUser() != null &&
AuthenticationUtil.isRunAsUserTheSystemUser() == false && AuthenticationUtil.isRunAsUserTheSystemUser() == false &&
@@ -328,9 +371,8 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
{ {
if (isProtectedProperty(property) == true) if (isProtectedProperty(property) == true)
{ {
ProtectedProperty protectedProperty = getProtectedProperty(property); // always allow if this is the first time we are setting the protected property
if ((before == null || before.isEmpty() || before.get(property) == null) && if (before == null || before.isEmpty() || before.get(property) == null)
protectedProperty.isAllwaysAllowNew() == true)
{ {
return; return;
} }
@@ -349,3 +391,4 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
} }
} }
} }
}

21
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/model/security/ProtectedModelArtifact.java
View File

@@ -18,6 +18,7 @@
*/ */
package org.alfresco.module.org_alfresco_module_rm.model.security; package org.alfresco.module.org_alfresco_module_rm.model.security;
import java.util.HashSet;
import java.util.Set; import java.util.Set;
import org.alfresco.module.org_alfresco_module_rm.capability.Capability; import org.alfresco.module.org_alfresco_module_rm.capability.Capability;
@@ -25,7 +26,7 @@ import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName; import org.alfresco.service.namespace.QName;
/** /**
* * Protected model artifact class.
* *
* @author Roy Wetherall * @author Roy Wetherall
* @since 2.1 * @since 2.1
@@ -38,10 +39,14 @@ public abstract class ProtectedModelArtifact
/** Namespace service */ /** Namespace service */
private NamespaceService namespaceService; private NamespaceService namespaceService;
/** Qualified name of the model artifact */
private QName name; private QName name;
/** Set of capabilities */
private Set<Capability> capabilities; private Set<Capability> capabilities;
private Set<String> capabilityNames;
public void setNamespaceService(NamespaceService namespaceService) public void setNamespaceService(NamespaceService namespaceService)
{ {
this.namespaceService = namespaceService; this.namespaceService = namespaceService;
@@ -77,4 +82,18 @@ public abstract class ProtectedModelArtifact
{ {
return capabilities; return capabilities;
} }
public Set<String> getCapilityNames()
{
if (capabilityNames == null && capabilities != null)
{
capabilityNames = new HashSet<String>(capabilities.size());
for (Capability capability : capabilities)
{
capabilityNames.add(capability.getName());
}
}
return capabilityNames;
}
} }

4
rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/ServicesTestSuite.java
View File

@@ -23,7 +23,9 @@ import junit.framework.TestSuite;
import org.alfresco.module.org_alfresco_module_rm.test.service.DataSetServiceImplTest; import org.alfresco.module.org_alfresco_module_rm.test.service.DataSetServiceImplTest;
import org.alfresco.module.org_alfresco_module_rm.test.service.DispositionServiceImplTest; import org.alfresco.module.org_alfresco_module_rm.test.service.DispositionServiceImplTest;
import org.alfresco.module.org_alfresco_module_rm.test.service.ExtendedSecurityServiceImplTest;
import org.alfresco.module.org_alfresco_module_rm.test.service.FreezeServiceImplTest; import org.alfresco.module.org_alfresco_module_rm.test.service.FreezeServiceImplTest;
import org.alfresco.module.org_alfresco_module_rm.test.service.ModelSecurityServiceImplTest;
import org.alfresco.module.org_alfresco_module_rm.test.service.RecordServiceImplTest; import org.alfresco.module.org_alfresco_module_rm.test.service.RecordServiceImplTest;
import org.alfresco.module.org_alfresco_module_rm.test.service.RecordsManagementActionServiceImplTest; import org.alfresco.module.org_alfresco_module_rm.test.service.RecordsManagementActionServiceImplTest;
import org.alfresco.module.org_alfresco_module_rm.test.service.RecordsManagementAdminServiceImplTest; import org.alfresco.module.org_alfresco_module_rm.test.service.RecordsManagementAdminServiceImplTest;
@@ -48,6 +50,8 @@ public class ServicesTestSuite extends TestSuite
public static Test suite() public static Test suite()
{ {
TestSuite suite = new TestSuite(); TestSuite suite = new TestSuite();
suite.addTestSuite(ExtendedSecurityServiceImplTest.class);
suite.addTestSuite(ModelSecurityServiceImplTest.class);
suite.addTestSuite(RecordsManagementServiceImplTest.class); suite.addTestSuite(RecordsManagementServiceImplTest.class);
suite.addTestSuite(DispositionServiceImplTest.class); suite.addTestSuite(DispositionServiceImplTest.class);
suite.addTestSuite(RecordsManagementActionServiceImplTest.class); suite.addTestSuite(RecordsManagementActionServiceImplTest.class);

19
rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/ModelSecurityServiceImplTest.java
View File

@@ -45,6 +45,8 @@ public class ModelSecurityServiceImplTest extends BaseRMTestCase
/** Model security service */ /** Model security service */
private ModelSecurityService modelSecurityService; private ModelSecurityService modelSecurityService;
private boolean enabled;
/** /**
* @see org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase#isUserTest() * @see org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase#isUserTest()
*/ */
@@ -77,6 +79,19 @@ public class ModelSecurityServiceImplTest extends BaseRMTestCase
protected void setupTestDataImpl() protected void setupTestDataImpl()
{ {
super.setupTestDataImpl(); super.setupTestDataImpl();
enabled = modelSecurityService.isEnabled();
modelSecurityService.setEnabled(true);
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase#tearDownImpl()
*/
@Override
protected void tearDownImpl()
{
super.tearDownImpl();
modelSecurityService.setEnabled(enabled);
} }
/** /**
@@ -195,6 +210,8 @@ public class ModelSecurityServiceImplTest extends BaseRMTestCase
assertNotNull(protectedProperty); assertNotNull(protectedProperty);
assertNotNull(protectedProperty.getQName()); assertNotNull(protectedProperty.getQName());
assertNotNull(protectedProperty.getCapabilities()); assertNotNull(protectedProperty.getCapabilities());
}
});
doTestInTransaction(new VoidTest() doTestInTransaction(new VoidTest()
{ {
@@ -213,8 +230,6 @@ public class ModelSecurityServiceImplTest extends BaseRMTestCase
assertFalse(modelSecurityService.canEditProtectedProperty(rmFolder, CUSTOM_PROTECTED_PROPERTY)); assertFalse(modelSecurityService.canEditProtectedProperty(rmFolder, CUSTOM_PROTECTED_PROPERTY));
} }
}, powerUserName); }, powerUserName);
}
});
doTestInTransaction(new VoidTest() doTestInTransaction(new VoidTest()
{ {