RM-618: User with 'ManageRules' capability can not manage rules.

* added some debug to help when trying to diagnose permission deny issues * system folder created by the rule service was not a file plan component, so permissions where failing when accessing them as a pure RM user * file plan component added as required * ManageRules capability needed a filling condition (this may cause the manage rules button to be disabled .. this is another issue and will be addressed shortly .. work around by assigning user filling on file plan for now) * added extended method security for rule service .. currently defaults to alllow all, but will need to be closed down with ManageRules capability git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@47624 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-10-08 14:51:49 +00:00 · 2013-03-06 07:53:17 +00:00
parent f2d02f3f31
commit b59c98765e
6 changed files with 104 additions and 13 deletions
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-rule-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-rule-context.xml
@@ -9,6 +9,11 @@
      <property name="permission" value="ManageRules" />
      <property name="group"><ref bean="rulesGroup"/></property>
      <property name="index" value="10" />
+      <property name="conditions">
+         <map>
+            <entry key="capabilityCondition.filling" value="true"/>
+         </map>
+      </property>
   </bean>

 </beans>
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml
@@ -202,5 +202,38 @@
    	</property>    
        
   </bean>
-    
+   
+    <bean id="RuleService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
+        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
+        <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
+        <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property>
+        <property name="objectDefinitionSource">
+            <value>
+                org.alfresco.service.cmr.rule.RuleService.getRuleTypes=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.getRuleType=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.enableRules=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.disableRules=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.isEnabled=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.rulesEnabled=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.disableRule=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.enableRule=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.disableRuleType=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.enableRuleType=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.isRuleTypeEnabled=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.hasRules=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.getRules=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.countRules=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.getRule=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.saveRule=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.setRulePosition=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.removeRule=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.removeAllRules=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.getOwningNodeRef=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.isLinkedToRuleNode=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.getLinkedToRuleNode=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.getLinkedFromRuleNodes=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.*=ACL_DENY
+            </value>
+        </property>
+    </bean>    
 </beans>    
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties
@@ -175,4 +175,31 @@ rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setPermiss
 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setInheritParentPermissions=RM.Capability.0
 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getInheritParentPermissions=RM_ALLOW 
 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.clearPermission=RM.Capability.0 
-rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.*=RM_DENY 
+rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.*=RM_DENY 
+
+## Rule Service
+
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRuleTypes=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRuleType=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.enableRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.disableRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.isEnabled=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.rulesEnabled=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.disableRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.enableRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.disableRuleType=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.enableRuleType=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.isRuleTypeEnabled=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.hasRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.countRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.saveRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.setRulePosition=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.removeRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.removeAllRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getOwningNodeRef=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.isLinkedToRuleNode=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getLinkedToRuleNode=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getLinkedFromRuleNodes=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.*=RM_DENY