From ad7fc8b22e82ce806c8a33ed0f98cdc4f20a4179 Mon Sep 17 00:00:00 2001 From: Andrei Rebegea Date: Wed, 14 Jun 2017 16:58:48 +0000 Subject: [PATCH] Merged 5.2.N (5.2.2) to HEAD (5.2) 134747 cturlica: REPO-1305: Delete a group - restrict delete group to group authority git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@137354 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../java/org/alfresco/rest/api/impl/GroupsImpl.java | 11 +++++++++++ .../org/alfresco/rest/api/tests/GroupsTest.java | 9 ++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/source/java/org/alfresco/rest/api/impl/GroupsImpl.java b/source/java/org/alfresco/rest/api/impl/GroupsImpl.java index fec271aaae..7d3c5fcace 100644 --- a/source/java/org/alfresco/rest/api/impl/GroupsImpl.java +++ b/source/java/org/alfresco/rest/api/impl/GroupsImpl.java @@ -528,6 +528,11 @@ public class GroupsImpl implements Groups public void delete(String groupId, Parameters parameters) { + if (!isGroupAuthority(groupId)) + { + throw new InvalidArgumentException("Invalid group id: " + groupId); + } + // Get cascade param - default false (if not provided). boolean cascade = Boolean.valueOf(parameters.getParameter(PARAM_CASCADE)); @@ -741,4 +746,10 @@ public class GroupsImpl implements Groups return (name != null && authorityService.authorityExists(name)); } + + private boolean isGroupAuthority(String authorityName) + { + AuthorityType authorityType = AuthorityType.getAuthorityType(authorityName); + return AuthorityType.GROUP.equals(authorityType) || AuthorityType.EVERYONE.equals(authorityType); + } } diff --git a/source/test-java/org/alfresco/rest/api/tests/GroupsTest.java b/source/test-java/org/alfresco/rest/api/tests/GroupsTest.java index b59b02dbaa..f4f5e96299 100644 --- a/source/test-java/org/alfresco/rest/api/tests/GroupsTest.java +++ b/source/test-java/org/alfresco/rest/api/tests/GroupsTest.java 
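Review bot: The guard added at the top of `delete` in GroupsImpl.java checks only the authority type derived from the supplied name, so it validates the shape of the id and is not an access-control decision. A comment above it such as `// Type check only: non-group ids (e.g. a person) are rejected as invalid; permission to delete is not decided here.` would keep the commit title ("restrict delete group to group authority") from being read as an authorization change. The exception message also concatenates the raw request value `groupId`, so whatever renders that message to the client should treat it as untrusted text. The body of `delete` continues past the end of the hunk, so the later existence and permission handling is not visible here.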
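Review bot: `isGroupAuthority` in the second GroupsImpl.java hunk has no Javadoc explaining why `AuthorityType.EVERYONE` is accepted alongside `AuthorityType.GROUP`. Because of that branch, a delete request for the everyone group passes the new guard, and the updated test expects 409 for `GROUP_EVERYONE`, which suggests the refusal comes from code outside this diff. The Javadoc should state that EVERYONE is let through deliberately and that the helper only classifies the name via `AuthorityType.getAuthorityType`, so a later caller does not rely on it as an existence or permission check. If `authorityName` can ever be null on this path, the behaviour of `getAuthorityType` for a null argument should be confirmed.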
@@ -1011,7 +1011,14 @@ public class GroupsTest extends AbstractSingleNetworkSiteTest
 {
 setRequestContext(networkOne.getId(), networkAdmin, DEFAULT_ADMIN_PWD);
- groupsProxy.deleteGroup("admin", false, HttpServletResponse.SC_CONFLICT);
+ groupsProxy.deleteGroup("GROUP_EVERYONE", false, HttpServletResponse.SC_CONFLICT);
+ }
+
+ // Trying to delete a person.
+ {
+ setRequestContext(networkOne.getId(), networkAdmin, DEFAULT_ADMIN_PWD);
+
+ groupsProxy.deleteGroup(user1, false, HttpServletResponse.SC_BAD_REQUEST);
 }
 {
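Review bot: The negative coverage added here exercises only a person id (`user1`), while the new guard in `GroupsImpl.delete` rejects every authority type other than GROUP and EVERYONE. A sibling block that passes a role-style id and expects `HttpServletResponse.SC_BAD_REQUEST` would pin the guard for the other non-group types, so a later change to `isGroupAuthority` cannot silently widen what the delete endpoint accepts. The block whose argument changed from `"admin"` to `"GROUP_EVERYONE"` opens above the hunk, so any comment describing it is not visible and may still describe the old scenario. The enclosing test method starts and ends outside the hunk.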