RM-618: User with 'ManageRules' capability can not manage rules.

* added some debug to help when trying to diagnose permission deny issues * system folder created by the rule service was not a file plan component, so permissions where failing when accessing them as a pure RM user * file plan component added as required * ManageRules capability needed a filling condition (this may cause the manage rules button to be disabled .. this is another issue and will be addressed shortly .. work around by assigning user filling on file plan for now) * added extended method security for rule service .. currently defaults to alllow all, but will need to be closed down with ManageRules capability git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@47624 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-07-31 17:39:05 +00:00 · 2013-03-06 07:53:17 +00:00
parent f2d02f3f31
commit b59c98765e
6 changed files with 104 additions and 13 deletions
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java
@@ -31,6 +31,8 @@ import org.alfresco.module.org_alfresco_module_rm.capability.AbstractCapability;
 import org.alfresco.module.org_alfresco_module_rm.capability.Capability;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.security.AccessStatus;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.BeansException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
@@ -43,6 +45,9 @@ import org.springframework.context.ApplicationContextAware;
 public class DeclarativeCapability extends AbstractCapability 
                                   implements ApplicationContextAware
 {
+    /** Logger */
+    protected static Log logger = LogFactory.getLog(DeclarativeCapability.class);
+    
    /** Application Context */
    protected ApplicationContext applicationContext;
    
@@ -304,6 +309,12 @@ public class DeclarativeCapability extends AbstractCapability
        // Last chance for child implementations to veto/change the result
        result = onEvaluate(nodeRef, result);
        
+        // log access denied to help with debug
+        if (logger.isDebugEnabled() == true && AccessDecisionVoter.ACCESS_DENIED == result)
+        {
+            logger.debug("Capability " + getName() + " returned an Access Denied result during evaluation of node " + nodeRef.toString());
+        }
+        
        return result;
    }
    
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/ViewRecordsCapability.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/ViewRecordsCapability.java
@@ -36,8 +36,15 @@ public final class ViewRecordsCapability extends DeclarativeCapability
            {
                return checkRmRead(nodeRef);
            }
+            else
+            {
+                if (logger.isDebugEnabled() == true)
+                {
+                    logger.debug("View Records capability abstains, because node is not a file plan component. (nodeRef=" + nodeRef.toString() + ")");
+                }
+            }
        }
-
+        
        return AccessDecisionVoter.ACCESS_ABSTAIN;
    }
 }
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/model/behaviour/RecordContainerType.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/model/behaviour/RecordContainerType.java
@@ -123,18 +123,26 @@ public class RecordContainerType implements RecordsManagementModel,
        // We only care about "folder" or sub-types
        if (dictionaryService.isSubClass(childType, ContentModel.TYPE_FOLDER) == true)
        {       
-            // We need to automatically cast the created folder to RM type if it is a plain folder
-            // This occurs if the RM folder has been created via IMap, WebDav, etc
-            if (nodeService.hasAspect(child, ASPECT_FILE_PLAN_COMPONENT) == false)
+            if (dictionaryService.isSubClass(childType, ContentModel.TYPE_SYSTEM_FOLDER) == true)
+            {
+                // this is a rule container, make sure it is an file plan component
+                nodeService.addAspect(child, ASPECT_FILE_PLAN_COMPONENT, null);
+            }
+            else
            {                
-                // TODO it may not always be a record folder ... perhaps if the current user is a admin it would be a record category?? 
-                
-                // Assume any created folder is a rma:recordFolder
-                nodeService.setType(child, TYPE_RECORD_FOLDER);     
-            }                           
+                // We need to automatically cast the created folder to RM type if it is a plain folder
+                // This occurs if the RM folder has been created via IMap, WebDav, etc
+                if (nodeService.hasAspect(child, ASPECT_FILE_PLAN_COMPONENT) == false)
+                {                
+                    // TODO it may not always be a record folder ... perhaps if the current user is a admin it would be a record category?? 
+                    
+                    // Assume any created folder is a rma:recordFolder
+                    nodeService.setType(child, TYPE_RECORD_FOLDER);     
+                }                           

-            // Catch all to generate the rm id (assuming it doesn't already have one!)
-            setIdenifierProperty(child);
+                // Catch all to generate the rm id (assuming it doesn't already have one!)
+                setIdenifierProperty(child);
+            }
            
        }
    }