inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-31 17:39:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master' into feature/RM-4615_TAS_Binary_Request_Handler

Browse Source
This commit is contained in:
Kristijan Conkas
2017-01-26 09:42:04 +00:00
parent bf802dae55 4fac165cdb
commit afbcdb03a8
4 changed files with 131 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/module-context.xml
View File

@@ -78,6 +78,7 @@
<bean id="recordsManagementPermissionPostProcessor" class="org.alfresco.module.org_alfresco_module_rm.permission.RecordsManagementPermissionPostProcessor" parent="parentPermissionPostProcessor"> <bean id="recordsManagementPermissionPostProcessor" class="org.alfresco.module.org_alfresco_module_rm.permission.RecordsManagementPermissionPostProcessor" parent="parentPermissionPostProcessor">
<property name="nodeService" ref="nodeService"/> <property name="nodeService" ref="nodeService"/>
<property name="permissionService" ref="permissionService"/> <property name="permissionService" ref="permissionService"/>
<property name="permissionModel" ref="permissionsModelDAO"/>
</bean> </bean>
<!-- Import RM model --> <!-- Import RM model -->

98
rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/permission/RecordsManagementPermissionPostProcessor.java
View File

@@ -31,6 +31,8 @@ import java.util.List;
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.repo.security.permissions.PermissionReference;
import org.alfresco.repo.security.permissions.impl.model.PermissionModel;
import org.alfresco.repo.security.permissions.processor.impl.PermissionPostProcessorBaseImpl; import org.alfresco.repo.security.permissions.processor.impl.PermissionPostProcessorBaseImpl;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService; import org.alfresco.service.cmr.repository.NodeService;
@@ -45,41 +47,75 @@ import org.alfresco.service.cmr.security.PermissionService;
*/ */
public class RecordsManagementPermissionPostProcessor extends PermissionPostProcessorBaseImpl public class RecordsManagementPermissionPostProcessor extends PermissionPostProcessorBaseImpl
{ {
/** node service */ /** node service */
private NodeService nodeService; private NodeService nodeService;
public void setNodeService(NodeService nodeService) {this.nodeService=nodeService;} public void setNodeService(NodeService nodeService) {this.nodeService=nodeService;}
/** permission service */ /** permission service */
private PermissionService permissionService; private PermissionService permissionService;
public void setPermissionService(PermissionService permissionService) {this.permissionService=permissionService;} public void setPermissionService(PermissionService permissionService) {this.permissionService=permissionService;}
/** /** The permission model DAO. */
* @see org.alfresco.repo.security.permissions.processor.PermissionPostProcessor#process(org.alfresco.service.cmr.security.AccessStatus, org.alfresco.service.cmr.repository.NodeRef, java.lang.String) private PermissionModel permissionModel;
*/ public void setPermissionModel(PermissionModel permissionModel) {this.permissionModel=permissionModel;}
@Override
public AccessStatus process(AccessStatus accessStatus, NodeRef nodeRef, String perm, /**
List configuredReadPermissions, List configuredFilePermissions) * @see org.alfresco.repo.security.permissions.processor.PermissionPostProcessor#process(org.alfresco.service.cmr.security.AccessStatus, org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
{ */
AccessStatus result = accessStatus; @Override
if (AccessStatus.DENIED.equals(accessStatus) && public AccessStatus process(AccessStatus accessStatus, NodeRef nodeRef, String perm,
List<String> configuredReadPermissions, List<String> configuredFilePermissions)
{
AccessStatus result = accessStatus;
if (AccessStatus.DENIED.equals(accessStatus) &&
nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
{ {
// if read denied on rm artifact // if read denied on rm artifact
if (PermissionService.READ.equals(perm) || configuredReadPermissions.contains(perm)) if (PermissionService.READ.equals(perm) || isPermissionContained(perm, configuredReadPermissions))
{ {
// check for read record // check for read record
result = permissionService.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS); result = permissionService.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS);
} }
// if write deinied on rm artificat // if write denied on rm artifact
else if (PermissionService.WRITE.equals(perm) || configuredFilePermissions.contains(perm)) else if (PermissionService.WRITE.equals(perm) || isPermissionContained(perm, configuredFilePermissions))
{ {
// check for file record // check for file record
result = permissionService.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS); result = permissionService.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS);
} }
} }
return result; return result;
} }
/**
* Check if a given permission is implied by a list of permission groups.
*
* @param perm The name of the permission in question.
* @param configuredPermissions The list of permission group names.
* @return true if the permission is contained or implied by the list of permissions.
*/
private boolean isPermissionContained(String perm, List<String> configuredPermissions)
{
// Check if the permission is explicitly in the list
if (configuredPermissions.contains(perm))
{
return true;
}
// Check if the permission is implied by one from the list.
for (String configuredPermission : configuredPermissions)
{
// TODO: Here we are assuming the permission name is unique across all contexts (but I think we're doing that in the properties file anyway).
PermissionReference permissionReference = permissionModel.getPermissionReference(null, configuredPermission);
for (PermissionReference granteePermission : permissionModel.getGranteePermissions(permissionReference))
{
if (granteePermission.getName().equals(perm))
{
return true;
}
}
}
return false;
}
} }

2
rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/processor/PermissionPostProcessor.java
View File

@@ -52,5 +52,5 @@ public interface PermissionPostProcessor
* @return {@link AccessStatus} * @return {@link AccessStatus}
*/ */
AccessStatus process(AccessStatus accessStatus, NodeRef nodeRef, String perm, AccessStatus process(AccessStatus accessStatus, NodeRef nodeRef, String perm,
List configuredReadPermissions, List configuredFilePermissions); List<String> configuredReadPermissions, List<String> configuredFilePermissions);
} }

66
rm-community/rm-community-repo/unit-test/java/org/alfresco/module/org_alfresco_module_rm/permission/RecordsManagementPermissionPostProcessorUnitTest.java
View File

@@ -28,8 +28,8 @@
package org.alfresco.module.org_alfresco_module_rm.permission; package org.alfresco.module.org_alfresco_module_rm.permission;
import static java.util.Arrays.asList; import static java.util.Arrays.asList;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
import java.util.List; import java.util.List;
@@ -37,6 +37,8 @@ import java.util.List;
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock; import org.alfresco.module.org_alfresco_module_rm.test.util.AlfMock;
import org.alfresco.repo.security.permissions.PermissionReference;
import org.alfresco.repo.security.permissions.impl.model.PermissionModel;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService; import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.security.AccessStatus;
@@ -47,20 +49,26 @@ import org.mockito.InjectMocks;
import org.mockito.Mock; import org.mockito.Mock;
import org.mockito.MockitoAnnotations; import org.mockito.MockitoAnnotations;
import com.google.common.collect.Sets;
/** /**
* Unit tests for {@link RecordsManagementPermissionPostProcessor}. * Unit tests for {@link RecordsManagementPermissionPostProcessor}.
* *
* @author David Webster * @author David Webster
* @author Tom Page
* @since 2.4.1 * @since 2.4.1
*/ */
public class RecordsManagementPermissionPostProcessorUnitTest public class RecordsManagementPermissionPostProcessorUnitTest
{ {
@InjectMocks
private RecordsManagementPermissionPostProcessor recordsManagementPermissionPostProcessor = new RecordsManagementPermissionPostProcessor();
private @InjectMocks @Mock
RecordsManagementPermissionPostProcessor recordsManagementPermissionPostProcessor = new RecordsManagementPermissionPostProcessor(); private NodeService mockNodeService;
@Mock
private @Mock NodeService nodeService; private PermissionService mockPermissionService;
private @Mock PermissionService permissionService; @Mock
private PermissionModel mockPermissionModel;
@Before @Before
public void setup() public void setup()
@@ -83,9 +91,9 @@ public class RecordsManagementPermissionPostProcessorUnitTest
List<String> configuredReadPermissions = asList("ReadProperties", "ReadChildren", perm); List<String> configuredReadPermissions = asList("ReadProperties", "ReadChildren", perm);
List<String> configuredFilePermissions = asList("WriteProperties", "AddChildren"); List<String> configuredFilePermissions = asList("WriteProperties", "AddChildren");
when(nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) when(mockNodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
.thenReturn(true); .thenReturn(true);
when(permissionService.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS)) when(mockPermissionService.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS))
.thenReturn(AccessStatus.ALLOWED); .thenReturn(AccessStatus.ALLOWED);
AccessStatus result = recordsManagementPermissionPostProcessor.process(accessStatus, nodeRef, perm, configuredReadPermissions, configuredFilePermissions); AccessStatus result = recordsManagementPermissionPostProcessor.process(accessStatus, nodeRef, perm, configuredReadPermissions, configuredFilePermissions);
@@ -108,13 +116,51 @@ public class RecordsManagementPermissionPostProcessorUnitTest
List<String> configuredReadPermissions = asList("ReadProperties", "ReadChildren"); List<String> configuredReadPermissions = asList("ReadProperties", "ReadChildren");
List<String> configuredFilePermissions = asList("WriteProperties", "AddChildren"); List<String> configuredFilePermissions = asList("WriteProperties", "AddChildren");
when(nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) when(mockNodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
.thenReturn(true); .thenReturn(true);
when(permissionService.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS)) when(mockPermissionService.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS))
.thenReturn(AccessStatus.ALLOWED); .thenReturn(AccessStatus.ALLOWED);
AccessStatus result = recordsManagementPermissionPostProcessor.process(accessStatus, nodeRef, perm, configuredReadPermissions, configuredFilePermissions); AccessStatus result = recordsManagementPermissionPostProcessor.process(accessStatus, nodeRef, perm, configuredReadPermissions, configuredFilePermissions);
assertEquals(AccessStatus.DENIED, result); assertEquals(AccessStatus.DENIED, result);
} }
/**
* Test that the permission groups configured in the global properties file imply descendant permission groups.
* <p>
* Given a configured permission is an ancestor of another permission P
* And the post processor checks if the user has P
* Then the post processor says that they do.
*/
@Test
public void permissionInherittedFromConfiguredGroup()
{
NodeRef nodeRef = new NodeRef("node://ref/");
// permissions do not include perm created above
List<String> configuredReadPermissions = asList();
List<String> configuredFilePermissions = asList("WriteProperties");
when(mockNodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
.thenReturn(true);
when(mockPermissionService.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS))
.thenReturn(AccessStatus.ALLOWED);
// Set up "WriteProperties" to imply three other permission groups.
PermissionReference mockWritePropsPermRef = mock(PermissionReference.class);
when(mockPermissionModel.getPermissionReference(null, "WriteProperties")).thenReturn(mockWritePropsPermRef);
PermissionReference childOne = mock(PermissionReference.class);
when(childOne.getName()).thenReturn("Not this one");
PermissionReference childTwo = mock(PermissionReference.class);
when(childTwo.getName()).thenReturn("This is the requested permission");
PermissionReference childThree = mock(PermissionReference.class);
when(childThree.getName()).thenReturn("Not this one either");
when(mockPermissionModel.getGranteePermissions(mockWritePropsPermRef)).thenReturn(Sets.newHashSet(childOne, childTwo, childThree));
// Call the method under test.
AccessStatus result = recordsManagementPermissionPostProcessor.process(AccessStatus.DENIED, nodeRef,
"This is the requested permission", configuredReadPermissions, configuredFilePermissions);
assertEquals(AccessStatus.ALLOWED, result);
}
} }