RM: Fallout from previous model security service changes
* we don't need to evaluate the capabilities, just need to know if the user 'has' the capability
* added enable/disable
* disabled for now since code refactor is complete, but we need to think some more about what (and why) some properties and aspects are protected
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@44230 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -550,10 +550,12 @@
|
||||
<bean id="modelSecurityService"
|
||||
class="org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityServiceImpl"
|
||||
init-method="init">
|
||||
<property name="enabled" value="false" />
|
||||
<property name="policyComponent" ref="policyComponent" />
|
||||
<property name="nodeService" ref="NodeService" />
|
||||
<property name="capabilityService" ref="CapabilityService" />
|
||||
<property name="namespaceService" ref="namespaceService" />
|
||||
<property name="securityService" ref="RecordsManagementSecurityService" />
|
||||
<property name="recordsManagementService" ref="RecordsManagementService" />
|
||||
</bean>
|
||||
|
||||
<bean id="ModelSecurityService" class="org.springframework.aop.framework.ProxyFactoryBean">
|
||||
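Review bot: The `enabled` property is set to `false` on the `modelSecurityService` bean with nothing in the file saying why or when it should be turned back on, while the implementation field defaults to `true`. With this value the `enabled == true` guards in `beforeAddAspect`, `beforeRemoveAspect` and `onUpdateProperties` skip every protected-aspect and protected-property check, so a deployment that picks up this context file runs without that enforcement. I would record the intent next to the property, for example `<!-- Model security is switched off while the list of protected properties and aspects is reviewed; set to true to enforce it -->`. A warning logged at start-up when the flag is off would also make the state visible to operators; the `init` body is not shown here, so where that belongs is for the author to confirm.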
|
@@ -31,6 +31,20 @@ import org.alfresco.service.namespace.QName;
|
||||
*/
|
||||
public interface ModelSecurityService
|
||||
{
|
||||
/**
|
||||
* Sets whether model security is enabled or not.
|
||||
*
|
||||
* @param enabled
|
||||
*/
|
||||
void setEnabled(boolean enabled);
|
||||
|
||||
/**
|
||||
* Indicates whether model security is enabled or not.
|
||||
*
|
||||
* @return
|
||||
*/
|
||||
boolean isEnabled();
|
||||
|
||||
/**
|
||||
* Registers a protected model artifact with the service.
|
||||
*
|
||||
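Review bot: `setEnabled(boolean)` is added to the public `ModelSecurityService` interface, so any code that can obtain the service can switch the protected-property and protected-aspect checks off at runtime, and the Javadoc does not say who is expected to call it. The Spring configuration injects the flag through the implementation's setter, so the interface may only need `isEnabled()`; if the setter has to stay for the tests, the contract should say so. The two new Javadoc blocks also leave their tags empty; I would fill them in as `@param enabled true to enforce the protected property and aspect checks, false to skip them` and `@return true if the protected property and aspect checks are enforced`. The interface body continues past the end of this hunk.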
|
@@ -24,9 +24,11 @@ import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.Capability;
|
||||
import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
|
||||
import org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.security.Role;
|
||||
import org.alfresco.repo.node.NodeServicePolicies;
|
||||
import org.alfresco.repo.policy.JavaBehaviour;
|
||||
import org.alfresco.repo.policy.PolicyComponent;
|
||||
@@ -34,7 +36,6 @@ import org.alfresco.repo.policy.Behaviour.NotificationFrequency;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.repository.NodeService;
|
||||
import org.alfresco.service.cmr.security.AccessStatus;
|
||||
import org.alfresco.service.namespace.NamespaceService;
|
||||
import org.alfresco.service.namespace.QName;
|
||||
import org.alfresco.util.EqualsHelper;
|
||||
@@ -54,18 +55,24 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
|
||||
NodeServicePolicies.BeforeRemoveAspectPolicy,
|
||||
NodeServicePolicies.OnUpdatePropertiesPolicy
|
||||
{
|
||||
/** Indicates whether model security is enabled or not */
|
||||
private boolean enabled = true;
|
||||
|
||||
/** Policy component */
|
||||
private PolicyComponent policyComponent;
|
||||
|
||||
/** Node service */
|
||||
private NodeService nodeService;
|
||||
|
||||
/** Capability service */
|
||||
private CapabilityService capabilityService;
|
||||
|
||||
/** Namespace service */
|
||||
private NamespaceService namespaceService;
|
||||
|
||||
/** Security service */
|
||||
private RecordsManagementSecurityService securityService;
|
||||
|
||||
/** Records management service */
|
||||
private RecordsManagementService recordsManagementService;
|
||||
|
||||
/** Map of protected properties keyed by name */
|
||||
private Map<QName, ProtectedProperty> protectedProperties = new HashMap<QName, ProtectedProperty>(21);
|
||||
|
||||
@@ -83,6 +90,22 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
|
||||
"onUpdateProperties",
|
||||
NotificationFrequency.EVERY_EVENT);
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#setEnabled(boolean)
|
||||
*/
|
||||
public void setEnabled(boolean enabled)
|
||||
{
|
||||
this.enabled = enabled;
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService#isEnabled()
|
||||
*/
|
||||
public boolean isEnabled()
|
||||
{
|
||||
return enabled;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param policyComponent policy component
|
||||
*/
|
||||
@@ -99,14 +122,6 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
|
||||
this.nodeService = nodeService;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param capabilityService capability service
|
||||
*/
|
||||
public void setCapabilityService(CapabilityService capabilityService)
|
||||
{
|
||||
this.capabilityService = capabilityService;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param namespaceService namespace service
|
||||
*/
|
||||
@@ -115,6 +130,22 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
|
||||
this.namespaceService = namespaceService;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param securityService records management security service
|
||||
*/
|
||||
public void setSecurityService(RecordsManagementSecurityService securityService)
|
||||
{
|
||||
this.securityService = securityService;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param recordsManagementService records management service
|
||||
*/
|
||||
public void setRecordsManagementService(RecordsManagementService recordsManagementService)
|
||||
{
|
||||
this.recordsManagementService = recordsManagementService;
|
||||
}
|
||||
|
||||
/**
|
||||
* Init method
|
||||
*/
|
||||
@@ -213,15 +244,19 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
|
||||
{
|
||||
boolean result = false;
|
||||
|
||||
for (Capability capability : artifact.getCapabilities())
|
||||
NodeRef filePlan = recordsManagementService.getFilePlan(nodeRef);
|
||||
if (filePlan != null)
|
||||
{
|
||||
AccessStatus accessStatus = capabilityService.getCapabilityAccessState(nodeRef, capability.getName());
|
||||
if (AccessStatus.ALLOWED.equals(accessStatus) == true)
|
||||
Set<Role> roles = securityService.getRolesByUser(filePlan, AuthenticationUtil.getFullyAuthenticatedUser());
|
||||
for (Role role : roles)
|
||||
{
|
||||
if (Collections.disjoint(role.getCapabilities(), artifact.getCapilityNames()) == false)
|
||||
{
|
||||
result = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
@@ -279,6 +314,8 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
|
||||
*/
|
||||
@Override
|
||||
public void beforeAddAspect(NodeRef nodeRef, QName aspect)
|
||||
{
|
||||
if (enabled == true)
|
||||
{
|
||||
if (AuthenticationUtil.getFullyAuthenticatedUser() != null &&
|
||||
AuthenticationUtil.isRunAsUserTheSystemUser() == false &&
|
||||
@@ -293,12 +330,15 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
|
||||
" from the node " + nodeRef.toString());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.repo.node.NodeServicePolicies.BeforeRemoveAspectPolicy#beforeRemoveAspect(org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.namespace.QName)
|
||||
*/
|
||||
@Override
|
||||
public void beforeRemoveAspect(NodeRef nodeRef, QName aspect)
|
||||
{
|
||||
if (enabled == true)
|
||||
{
|
||||
if (AuthenticationUtil.getFullyAuthenticatedUser() != null &&
|
||||
AuthenticationUtil.isRunAsUserTheSystemUser() == false &&
|
||||
@@ -313,12 +353,15 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
|
||||
" from the node " + nodeRef.toString());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.repo.node.NodeServicePolicies.OnUpdatePropertiesPolicy#onUpdateProperties(org.alfresco.service.cmr.repository.NodeRef, java.util.Map, java.util.Map)
|
||||
*/
|
||||
@Override
|
||||
public void onUpdateProperties(NodeRef nodeRef, Map<QName, Serializable> before, Map<QName, Serializable> after)
|
||||
{
|
||||
if (enabled == true)
|
||||
{
|
||||
if (AuthenticationUtil.getFullyAuthenticatedUser() != null &&
|
||||
AuthenticationUtil.isRunAsUserTheSystemUser() == false &&
|
||||
@@ -328,9 +371,8 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
|
||||
{
|
||||
if (isProtectedProperty(property) == true)
|
||||
{
|
||||
ProtectedProperty protectedProperty = getProtectedProperty(property);
|
||||
if ((before == null || before.isEmpty() || before.get(property) == null) &&
|
||||
protectedProperty.isAllwaysAllowNew() == true)
|
||||
// always allow if this is the first time we are setting the protected property
|
||||
if (before == null || before.isEmpty() || before.get(property) == null)
|
||||
{
|
||||
return;
|
||||
}
|
||||
@@ -349,3 +391,4 @@ public class ModelSecurityServiceImpl implements ModelSecurityService,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
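Review bot: In the `onUpdateProperties` hunk at `-328,9 +371,8`, the first-write exemption now applies to every protected property: as rendered, the `protectedProperty.isAllwaysAllowNew()` condition is gone and `before == null || before.isEmpty() || before.get(property) == null` alone leads to `return;`. That `return` leaves the whole handler, so if this code sits inside a loop over the changed properties (the loop header is outside the hunk), the remaining properties of the same update are never checked once one protected property is seen without a previous value. If the exemption is meant per property, `continue;` in place of `return;` keeps the check running for the rest. It would also help to say in the comment why a first write needs no capability check, since properties that previously required one on creation appear to lose it here.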
|
@@ -18,6 +18,7 @@
|
||||
*/
|
||||
package org.alfresco.module.org_alfresco_module_rm.model.security;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.Capability;
|
||||
@@ -25,7 +26,7 @@ import org.alfresco.service.namespace.NamespaceService;
|
||||
import org.alfresco.service.namespace.QName;
|
||||
|
||||
/**
|
||||
*
|
||||
* Protected model artifact class.
|
||||
*
|
||||
* @author Roy Wetherall
|
||||
* @since 2.1
|
||||
@@ -38,10 +39,14 @@ public abstract class ProtectedModelArtifact
|
||||
/** Namespace service */
|
||||
private NamespaceService namespaceService;
|
||||
|
||||
/** Qualified name of the model artifact */
|
||||
private QName name;
|
||||
|
||||
/** Set of capabilities */
|
||||
private Set<Capability> capabilities;
|
||||
|
||||
private Set<String> capabilityNames;
|
||||
|
||||
public void setNamespaceService(NamespaceService namespaceService)
|
||||
{
|
||||
this.namespaceService = namespaceService;
|
||||
@@ -77,4 +82,18 @@ public abstract class ProtectedModelArtifact
|
||||
{
|
||||
return capabilities;
|
||||
}
|
||||
|
||||
public Set<String> getCapilityNames()
|
||||
{
|
||||
if (capabilityNames == null && capabilities != null)
|
||||
{
|
||||
capabilityNames = new HashSet<String>(capabilities.size());
|
||||
for (Capability capability : capabilities)
|
||||
{
|
||||
capabilityNames.add(capability.getName());
|
||||
}
|
||||
}
|
||||
|
||||
return capabilityNames;
|
||||
}
|
||||
}
|
||||
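Review bot: `getCapilityNames()` returns `null` when `capabilities` has not been set, and the new caller in `ModelSecurityServiceImpl` passes the result straight to `Collections.disjoint(role.getCapabilities(), artifact.getCapilityNames())`, which would throw a `NullPointerException` inside the permission check. Returning an empty set in that case keeps the check failing closed, e.g. `if (capabilities == null) { return Collections.<String>emptySet(); }` ahead of the lazy initialisation (this needs a `java.util.Collections` import in this file). The cached `capabilityNames` is also never reset, so it would go stale if `capabilities` is replaced after the first call; the setter is not visible in these hunks, so that needs confirming. The method and the new field have no Javadoc, and the method name is missing the "ab" of "Capability"; renaming it to `getCapabilityNames` now is cheaper than after more callers appear.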
|
@@ -23,7 +23,9 @@ import junit.framework.TestSuite;
|
||||
|
||||
import org.alfresco.module.org_alfresco_module_rm.test.service.DataSetServiceImplTest;
|
||||
import org.alfresco.module.org_alfresco_module_rm.test.service.DispositionServiceImplTest;
|
||||
import org.alfresco.module.org_alfresco_module_rm.test.service.ExtendedSecurityServiceImplTest;
|
||||
import org.alfresco.module.org_alfresco_module_rm.test.service.FreezeServiceImplTest;
|
||||
import org.alfresco.module.org_alfresco_module_rm.test.service.ModelSecurityServiceImplTest;
|
||||
import org.alfresco.module.org_alfresco_module_rm.test.service.RecordServiceImplTest;
|
||||
import org.alfresco.module.org_alfresco_module_rm.test.service.RecordsManagementActionServiceImplTest;
|
||||
import org.alfresco.module.org_alfresco_module_rm.test.service.RecordsManagementAdminServiceImplTest;
|
||||
@@ -48,6 +50,8 @@ public class ServicesTestSuite extends TestSuite
|
||||
public static Test suite()
|
||||
{
|
||||
TestSuite suite = new TestSuite();
|
||||
suite.addTestSuite(ExtendedSecurityServiceImplTest.class);
|
||||
suite.addTestSuite(ModelSecurityServiceImplTest.class);
|
||||
suite.addTestSuite(RecordsManagementServiceImplTest.class);
|
||||
suite.addTestSuite(DispositionServiceImplTest.class);
|
||||
suite.addTestSuite(RecordsManagementActionServiceImplTest.class);
|
||||
|
@@ -45,6 +45,8 @@ public class ModelSecurityServiceImplTest extends BaseRMTestCase
|
||||
/** Model security service */
|
||||
private ModelSecurityService modelSecurityService;
|
||||
|
||||
private boolean enabled;
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase#isUserTest()
|
||||
*/
|
||||
@@ -77,6 +79,19 @@ public class ModelSecurityServiceImplTest extends BaseRMTestCase
|
||||
protected void setupTestDataImpl()
|
||||
{
|
||||
super.setupTestDataImpl();
|
||||
|
||||
enabled = modelSecurityService.isEnabled();
|
||||
modelSecurityService.setEnabled(true);
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase#tearDownImpl()
|
||||
*/
|
||||
@Override
|
||||
protected void tearDownImpl()
|
||||
{
|
||||
super.tearDownImpl();
|
||||
modelSecurityService.setEnabled(enabled);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -195,6 +210,8 @@ public class ModelSecurityServiceImplTest extends BaseRMTestCase
|
||||
assertNotNull(protectedProperty);
|
||||
assertNotNull(protectedProperty.getQName());
|
||||
assertNotNull(protectedProperty.getCapabilities());
|
||||
}
|
||||
});
|
||||
|
||||
doTestInTransaction(new VoidTest()
|
||||
{
|
||||
@@ -213,8 +230,6 @@ public class ModelSecurityServiceImplTest extends BaseRMTestCase
|
||||
assertFalse(modelSecurityService.canEditProtectedProperty(rmFolder, CUSTOM_PROTECTED_PROPERTY));
|
||||
}
|
||||
}, powerUserName);
|
||||
}
|
||||
});
|
||||
|
||||
doTestInTransaction(new VoidTest()
|
||||
{
|
||||
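Review bot: `tearDownImpl()` restores the saved flag only after `super.tearDownImpl()` returns, so if the superclass tear-down throws, the `modelSecurityService` bean (presumably shared between tests) is left with `enabled` forced to `true` for whatever runs next. Putting the restore in a `finally` avoids that: `try { super.tearDownImpl(); } finally { modelSecurityService.setEnabled(enabled); }`. The new `enabled` field would read better with a comment such as `/** Model security state before the test, restored in tearDownImpl */`. None of the visible hunks adds a test for the disabled state, so the `enabled == false` path through the policy handlers appears to be unexercised.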
|