diff --git a/rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionServiceImpl.java b/rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionServiceImpl.java index 7c1e196544..27a5fd4f7e 100644 --- a/rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionServiceImpl.java +++ b/rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionServiceImpl.java @@ -55,17 +55,15 @@ import org.alfresco.util.PropertyCheck; import org.springframework.context.ApplicationEvent; /** - * Extends the core permission service implementation allowing the consideration of the read records - * permission. + * Extends the core permission service implementation allowing the consideration of the read records permission. *

* This is required for SOLR support. * * @author Roy Wetherall */ -public class ExtendedPermissionServiceImpl extends PermissionServiceImpl - implements ExtendedPermissionService +public class ExtendedPermissionServiceImpl extends PermissionServiceImpl implements ExtendedPermissionService { - /** Writers simple cache */ + /** Writers simple cache */ protected SimpleCache> writersCache; /** File plan service */ @@ -97,12 +95,12 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl /** * Sets the permission processor registry * - * @param permissionProcessorRegistry the permissions processor registry + * @param permissionProcessorRegistry the permissions processor registry */ public void setPermissionProcessorRegistry(PermissionProcessorRegistry permissionProcessorRegistry) { - this.permissionProcessorRegistry = permissionProcessorRegistry; - } + this.permissionProcessorRegistry = permissionProcessorRegistry; + } /** * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setAnyDenyDenies(boolean) @@ -113,7 +111,7 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl super.setAnyDenyDenies(anyDenyDenies); if (writersCache != null) { - writersCache.clear(); + writersCache.clear(); } } 
@@ -136,43 +134,40 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl } /** - * Override to deal with the possibility of hard coded permission checks in core code. + * Override to deal with the possibility of hard coded permission checks in core code. Note: Eventually we need to + * merge the RM permission model into the core to make this more robust. * - * Note: Eventually we need to merge the RM permission model into the core to make this more rebust. - * - * @see org.alfresco.repo.security.permissions.impl.ExtendedPermissionService#hasPermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String) + * @see org.alfresco.repo.security.permissions.impl.ExtendedPermissionService#hasPermission(org.alfresco.service.cmr.repository.NodeRef, + * java.lang.String) */ @Override public AccessStatus hasPermission(NodeRef nodeRef, String perm) { - AccessStatus result = AccessStatus.UNDETERMINED; - if (nodeService.exists(nodeRef)) + AccessStatus result = AccessStatus.UNDETERMINED; + if (nodeService.exists(nodeRef)) + { + + // permission pre-processors + List preProcessors = permissionProcessorRegistry.getPermissionPreProcessors(); + for (PermissionPreProcessor preProcessor : preProcessors) { + // pre process permission + result = preProcessor.process(nodeRef, perm); - // permission pre-processors - List preProcessors = permissionProcessorRegistry.getPermissionPreProcessors(); - for (PermissionPreProcessor preProcessor : preProcessors) - { - // pre process permission - result = preProcessor.process(nodeRef, perm); + // veto if denied + if (AccessStatus.DENIED.equals(result)) { return result; } + } - // veto if denied - if (AccessStatus.DENIED.equals(result)) - { - return result; - } - } - - // evaluate permission + // evaluate permission result = hasPermissionImpl(nodeRef, perm); // permission post-processors List postProcessors = permissionProcessorRegistry.getPermissionPostProcessors(); for (PermissionPostProcessor postProcessor : 
postProcessors) { - // post process permission - result = postProcessor.process(result, nodeRef, perm); - } + // post process permission + result = postProcessor.process(result, nodeRef, perm); + } } return result; } @@ -182,13 +177,13 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl *
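Review bot: The Javadoc on `hasPermission` does not state the decision order the body implements, and for a permission check that order is the contract. From the visible lines, a node that does not exist returns `UNDETERMINED` without any processor running. A pre-processor can only veto: its `DENIED` returns at once and skips the post-processors, while any other result is overwritten by `hasPermissionImpl`. Each post-processor receives the evaluated result and its return value replaces it. I would add a sentence to the Javadoc such as `Pre-processors can only veto; post-processors may replace the evaluated result, so their registration order determines the final answer.`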

* Separation also convenient for unit testing. * - * @param nodeRef node reference - * @param perm permission - * @return {@link AccessStatus} access status result + * @param nodeRef node reference + * @param perm permission + * @return {@link AccessStatus} access status result */ protected AccessStatus hasPermissionImpl(NodeRef nodeRef, String perm) { - return super.hasPermission(nodeRef, perm); + return super.hasPermission(nodeRef, perm); } /** @@ -201,17 +196,14 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl // test denied - if(anyDenyDenies) + if (anyDenyDenies) { Set aclReadersDenied = getReadersDenied(aclId); - for(String auth : aclReadersDenied) + for (String auth : aclReadersDenied) { - if(authorities.contains(auth)) - { - return AccessStatus.DENIED; - } + if (authorities.contains(auth)) { return AccessStatus.DENIED; } } } @@ -219,12 +211,9 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl // test acl readers Set aclReaders = getReaders(aclId); - for(String auth : aclReaders) + for (String auth : aclReaders) { - if(authorities.contains(auth)) - { - return AccessStatus.ALLOWED; - } + if (authorities.contains(auth)) { return AccessStatus.ALLOWED; } } return AccessStatus.DENIED; @@ -237,16 +226,10 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl public Set getReaders(Long aclId) { AccessControlList acl = aclDaoComponent.getAccessControlList(aclId); - if (acl == null) - { - return Collections.emptySet(); - } + if (acl == null) { return Collections.emptySet(); } - Set aclReaders = readersCache.get((Serializable)acl.getProperties()); - if (aclReaders != null) - { - return aclReaders; - } + Set aclReaders = readersCache.get((Serializable) acl.getProperties()); + if (aclReaders != null) { return aclReaders; } HashSet assigned = new HashSet(); HashSet readers = new HashSet(); 
@@ -259,7 +242,8 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl for (String authority : assigned) { UnconditionalAclTest test = new UnconditionalAclTest(getPermissionReference(PermissionService.READ)); - UnconditionalAclTest rmTest = new UnconditionalAclTest(getPermissionReference(RMPermissionModel.READ_RECORDS)); + UnconditionalAclTest rmTest = new UnconditionalAclTest( + getPermissionReference(RMPermissionModel.READ_RECORDS)); if (test.evaluate(authority, aclId) || rmTest.evaluate(authority, aclId)) { readers.add(authority); @@ -267,7 +251,7 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl } aclReaders = Collections.unmodifiableSet(readers); - readersCache.put((Serializable)acl.getProperties(), aclReaders); + readersCache.put((Serializable) acl.getProperties(), aclReaders); return aclReaders; } @@ -281,15 +265,9 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl { AccessControlList acl = aclDaoComponent.getAccessControlList(aclId); - if (acl == null) - { - return Collections.emptySet(); - } + if (acl == null) { return Collections.emptySet(); } Set denied = readersDeniedCache.get(aclId); - if (denied != null) - { - return denied; - } + if (denied != null) { return denied; } denied = new HashSet(); Set assigned = new HashSet(); 
@@ -298,17 +276,19 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl assigned.add(ace.getAuthority()); } - for(String authority : assigned) + for (String authority : assigned) { - UnconditionalDeniedAclTest test = new UnconditionalDeniedAclTest(getPermissionReference(PermissionService.READ)); - UnconditionalDeniedAclTest rmTest = new UnconditionalDeniedAclTest(getPermissionReference(RMPermissionModel.READ_RECORDS)); - if(test.evaluate(authority, aclId) || rmTest.evaluate(authority, aclId)) + UnconditionalDeniedAclTest test = new UnconditionalDeniedAclTest( + getPermissionReference(PermissionService.READ)); + UnconditionalDeniedAclTest rmTest = new UnconditionalDeniedAclTest( + getPermissionReference(RMPermissionModel.READ_RECORDS)); + if (test.evaluate(authority, aclId) || rmTest.evaluate(authority, aclId)) { denied.add(authority); } } - readersDeniedCache.put((Serializable)acl.getProperties(), denied); + readersDeniedCache.put((Serializable) acl.getProperties(), denied); return denied; } @@ -319,16 +299,10 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl public Set getWriters(Long aclId) { AccessControlList acl = aclDaoComponent.getAccessControlList(aclId); - if (acl == null) - { - return Collections.emptySet(); - } + if (acl == null) { return Collections.emptySet(); } - Set aclWriters = writersCache.get((Serializable)acl.getProperties()); - if (aclWriters != null) - { - return aclWriters; - } + Set aclWriters = writersCache.get((Serializable) acl.getProperties()); + if (aclWriters != null) { return aclWriters; } HashSet assigned = new HashSet(); HashSet readers = new HashSet(); 
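Review bot: What appears to be `getReadersDenied` reads and writes `readersDeniedCache` with different keys: the lookup in the preceding hunk is `readersDeniedCache.get(aclId)`, while the store reformatted here is `readersDeniedCache.put((Serializable) acl.getProperties(), denied)`. Unless keys are normalised somewhere outside this diff, the lookup never finds what was stored and the denied set is recomputed on every call; `getReaders` and `getWriters` use `acl.getProperties()` for both operations. I would change the lookup to `readersDeniedCache.get((Serializable) acl.getProperties())`. Separately, `denied` is cached and returned as a mutable `HashSet`, whereas the other two methods wrap theirs in `Collections.unmodifiableSet`; doing the same before the `put` would keep a caller from altering a cached deny list. The method's signature lies outside both hunks.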
@@ -348,20 +322,23 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl } aclWriters = Collections.unmodifiableSet(readers); - writersCache.put((Serializable)acl.getProperties(), aclWriters); + writersCache.put((Serializable) acl.getProperties(), aclWriters); return aclWriters; } /** - * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setInheritParentPermissions(org.alfresco.service.cmr.repository.NodeRef, boolean) + * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setInheritParentPermissions(org.alfresco.service.cmr.repository.NodeRef, + * boolean) */ @Override public void setInheritParentPermissions(final NodeRef nodeRef, boolean inheritParentPermissions) { final String adminRole = getAdminRole(nodeRef); - if (nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT) && isNotBlank(adminRole) && !inheritParentPermissions) + if (nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT) && isNotBlank(adminRole) + && !inheritParentPermissions) { - setPermission(nodeRef, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true); + setPermission(nodeRef, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, + true); setPermission(nodeRef, ExtendedWriterDynamicAuthority.EXTENDED_WRITER, RMPermissionModel.FILING, true); setPermission(nodeRef, adminRole, RMPermissionModel.FILING, true); } @@ -374,7 +351,8 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl NodeRef filePlan = getFilePlanService().getFilePlan(nodeRef); if (filePlan != null) { - adminRole = authorityService.getName(AuthorityType.GROUP, FilePlanRoleService.ROLE_ADMIN + filePlan.getId()); + adminRole = authorityService.getName(AuthorityType.GROUP, + FilePlanRoleService.ROLE_ADMIN + filePlan.getId()); } return adminRole; }
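Review bot: The re-wrapped condition in `setInheritParentPermissions` makes all three `setPermission` calls depend on `isNotBlank(adminRole)`, although only the third uses `adminRole`. `getAdminRole` in the last hunk assigns the role only when `getFilePlan(nodeRef)` is non-null. Assuming the initial value declared outside that hunk is blank, a file plan component whose file plan cannot be resolved would skip the `EXTENDED_READER` and `EXTENDED_WRITER` grants as well when inheritance is switched off. If that is intended, a comment above the `if` should say so, e.g. `// no admin role means no resolvable file plan: add no RM grants`; otherwise the two dynamic-authority grants should move out from under the admin-role test. The rest of the method is outside the hunk.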