From b59c98765ef5a04969abd9af2e6ae531c0cfb04e Mon Sep 17 00:00:00 2001
From: Roy Wetherall
Date: Wed, 6 Mar 2013 07:53:17 +0000
Subject: [PATCH] RM-618: User with 'ManageRules' capability can not manage rules.
* added some debug to help when trying to diagnose permission deny issues
* system folder created by the rule service was not a file plan component, so permissions where failing when accessing them as a pure RM user
* file plan component added as required
* ManageRules capability needed a filling condition (this may cause the manage rules button to be disabled .. this is another issue and will be addressed shortly .. work around by assigning user filling on file plan for now)
* added extended method security for rule service .. currently defaults to alllow all, but will need to be closed down with ManageRules capability
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@47624 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../rm-capabilities-rule-context.xml | 5 +++
 .../extended-repository-context.xml | 35 ++++++++++++++++++-
 .../security/rm-method-security.properties | 29 ++++++++++++++-
 .../declarative/DeclarativeCapability.java | 11 ++++++
 .../impl/ViewRecordsCapability.java | 9 ++++-
 .../model/behaviour/RecordContainerType.java | 28 +++++++++------
 6 files changed, 104 insertions(+), 13 deletions(-)
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-rule-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-rule-context.xml
index e2b39bb2a2..bee709a5d7 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-rule-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-rule-context.xml
@@ -9,6 +9,11 @@
+
+
+
+
+
\ No newline at end of file
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml
index b130fa9090..2e82dcff34 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml
@@ -202,5 +202,38 @@
-
+
+
+
+
+
+
+ org.alfresco.service.cmr.rule.RuleService.getRuleTypes=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.getRuleType=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.enableRules=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.disableRules=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.isEnabled=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.rulesEnabled=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.disableRule=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.enableRule=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.disableRuleType=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.enableRuleType=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.isRuleTypeEnabled=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.hasRules=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.getRules=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.countRules=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.getRule=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.saveRule=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.setRulePosition=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.removeRule=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.removeAllRules=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.getOwningNodeRef=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.isLinkedToRuleNode=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.getLinkedToRuleNode=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.getLinkedFromRuleNodes=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.*=ACL_DENY
+
+
+
\ No newline at end of file
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties b/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties
index 21346a144a..9a8963c20e 100644
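Review bot: Every RuleService entry in this new extended-security value, including the mutating methods (`saveRule`, `removeRule`, `removeAllRules`, `setRulePosition`, `enableRule`/`disableRule`, `enableRuleType`/`disableRuleType`), is `ACL_ALLOW`, so the layer added for RM-618 does not yet enforce the ManageRules capability the commit is about, and nothing in the file marks the allow-all as provisional. The `RuleService.*=ACL_DENY` catch-all is right, but a reader of this file alone will take the list above it as the intended policy. Add `<!-- TODO RM-618: mutating RuleService methods are ACL_ALLOW until the ManageRules capability check is wired in -->` above the list; the same point applies to the parallel `RM_ALLOW` table added to rm-method-security.properties further down, where the PermissionService entries visible in that hunk show the `RM.Capability.0` form the write methods should eventually use. The two lists also have to be kept in step by hand, so a comment in each pointing at the other would reduce the chance they drift.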
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties
@@ -175,4 +175,31 @@ rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setPermiss
 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setInheritParentPermissions=RM.Capability.0
 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getInheritParentPermissions=RM_ALLOW
 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.clearPermission=RM.Capability.0
-rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.*=RM_DENY
\ No newline at end of file
+rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.*=RM_DENY
+
+## Rule Service
+
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRuleTypes=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRuleType=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.enableRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.disableRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.isEnabled=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.rulesEnabled=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.disableRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.enableRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.disableRuleType=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.enableRuleType=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.isRuleTypeEnabled=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.hasRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.countRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.saveRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.setRulePosition=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.removeRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.removeAllRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getOwningNodeRef=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.isLinkedToRuleNode=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getLinkedToRuleNode=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getLinkedFromRuleNodes=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.*=RM_DENY
\ No newline at end of file
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java
index 1fff14583b..8b2950e029 100644
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java
@@ -31,6 +31,8 @@ import org.alfresco.module.org_alfresco_module_rm.capability.AbstractCapability;
 import org.alfresco.module.org_alfresco_module_rm.capability.Capability;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.security.AccessStatus;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.BeansException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
@@ -43,6 +45,9 @@ import org.springframework.context.ApplicationContextAware;
 public class DeclarativeCapability extends AbstractCapability
 implements ApplicationContextAware
 {
+ /** Logger */
+ protected static Log logger = LogFactory.getLog(DeclarativeCapability.class);
+
 /** Application Context */
 protected ApplicationContext applicationContext;
@@ -304,6 +309,12 @@ public class DeclarativeCapability extends AbstractCapability
 // Last chance for child implementations to veto/change the result
 result = onEvaluate(nodeRef, result);
+ // log access denied to help with debug
+ if (logger.isDebugEnabled() == true && AccessDecisionVoter.ACCESS_DENIED == result)
+ {
+ logger.debug("Capability " + getName() + " returned an Access Denied result during evaluation of node " + nodeRef.toString());
+ }
+
 return result;
 }
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/ViewRecordsCapability.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/ViewRecordsCapability.java
index e00aba7985..4f1cdad10b 100644
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/ViewRecordsCapability.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/ViewRecordsCapability.java
@@ -36,8 +36,15 @@ public final class ViewRecordsCapability extends DeclarativeCapability
 {
 return checkRmRead(nodeRef);
 }
+ else
+ {
+ if (logger.isDebugEnabled() == true)
+ {
+ logger.debug("View Records capability abstains, because node is not a file plan component. (nodeRef=" + nodeRef.toString() + ")");
+ }
+ }
 }
-
+
 return AccessDecisionVoter.ACCESS_ABSTAIN;
 }
 }
\ No newline at end of file
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/model/behaviour/RecordContainerType.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/model/behaviour/RecordContainerType.java
index a0b7e0133c..ebed90b439 100644
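Review bot: `protected static Log logger = LogFactory.getLog(DeclarativeCapability.class);` in the `@@ -43,6 +45,9 @@` hunk is a mutable static that subclasses or any caller can reassign; ViewRecordsCapability in this same commit reads it through inheritance, so keep it `protected` but declare it `protected static final Log logger = LogFactory.getLog(DeclarativeCapability.class);`. Because the category is fixed to DeclarativeCapability, every subclass's debug output appears under that one logger name; if the deny messages added further down are meant to be switched on per capability, each subclass should declare its own logger rather than inherit this one.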
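Review bot: The access-denied debug line at the end of the `@@ -304,6 +309,12 @@` hunk records the capability name and the node but not the principal the decision was made for, which is the first thing needed to diagnose the permission-deny issues the commit description mentions; consider adding the current run-as user to the message (Alfresco's `AuthenticationUtil.getRunAsUser()` provides it and would need an import if the class lacks one) while keeping the line at DEBUG. `logger.isDebugEnabled() == true` can be written as `logger.isDebugEnabled()`; the same comparison-with-`true` idiom appears in the ViewRecordsCapability and RecordContainerType hunks of this commit. Only `ACCESS_DENIED` is logged here, so a capability that abstains leaves no trace at this level; the enclosing method starts outside the hunk, so I cannot see whether an abstain is reported anywhere else.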
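Review bot: The `else` block added in the ViewRecordsCapability hunk contains nothing but a debug guard, so `else { if (logger.isDebugEnabled() == true) { ... } }` is clearer as `else if (logger.isDebugEnabled())` with the `logger.debug(...)` call directly inside; behaviour is unchanged. The message asserts that the node is not a file plan component, which is only accurate if the preceding `if` tests exactly that aspect; that `if`, and the enclosing method, start outside the hunk, so please confirm the wording before it is relied on when troubleshooting access problems.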
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/model/behaviour/RecordContainerType.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/model/behaviour/RecordContainerType.java
@@ -123,18 +123,26 @@ public class RecordContainerType implements RecordsManagementModel,
 // We only care about "folder" or sub-types
 if (dictionaryService.isSubClass(childType, ContentModel.TYPE_FOLDER) == true)
 {
- // We need to automatically cast the created folder to RM type if it is a plain folder
- // This occurs if the RM folder has been created via IMap, WebDav, etc
- if (nodeService.hasAspect(child, ASPECT_FILE_PLAN_COMPONENT) == false)
+ if (dictionaryService.isSubClass(childType, ContentModel.TYPE_SYSTEM_FOLDER) == true)
+ {
+ // this is a rule container, make sure it is an file plan component
+ nodeService.addAspect(child, ASPECT_FILE_PLAN_COMPONENT, null);
+ }
+ else
 {
- // TODO it may not always be a record folder ... perhaps if the current user is a admin it would be a record category??
-
- // Assume any created folder is a rma:recordFolder
- nodeService.setType(child, TYPE_RECORD_FOLDER);
- }
+ // We need to automatically cast the created folder to RM type if it is a plain folder
+ // This occurs if the RM folder has been created via IMap, WebDav, etc
+ if (nodeService.hasAspect(child, ASPECT_FILE_PLAN_COMPONENT) == false)
+ {
+ // TODO it may not always be a record folder ... perhaps if the current user is a admin it would be a record category??
+
+ // Assume any created folder is a rma:recordFolder
+ nodeService.setType(child, TYPE_RECORD_FOLDER);
+ }
- // Catch all to generate the rm id (assuming it doesn't already have one!)
- setIdenifierProperty(child);
+ // Catch all to generate the rm id (assuming it doesn't already have one!)
+ setIdenifierProperty(child);
+ }
 }
 }
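Review bot: The new `TYPE_SYSTEM_FOLDER` branch adds the file plan component aspect but skips the identifier assignment the `else` branch still performs via `setIdenifierProperty(child)`, and nothing says whether that omission is deliberate; the comment `// this is a rule container, make sure it is an file plan component` also claims more than the condition checks, since any `sys:folder` subtype created under this container type takes the branch, not only the rule service's container. Replace that comment with one that states both, e.g. `// System folders (such as the rule service's rule container) are made file plan components so RM permission checks cover them; they are intentionally not re-typed and get no RM identifier`, assuming that omission is intended. The `== true` / `== false` comparisons on the `isSubClass` and `hasAspect` calls can be plain boolean expressions. The enclosing behaviour method starts outside the hunk, as does whatever filters `childType` before this point, so I could not confirm which children reach this code.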