RM-618: User with 'ManageRules' capability can not manage rules.

* added some debug to help when trying to diagnose permission deny issues
  * system folder created by the rule service was not a file plan component, so permissions where failing when accessing them as a pure RM user
  * file plan component added as required
  * ManageRules capability needed a filling condition (this may cause the manage rules button to be disabled .. this is another issue and will be addressed shortly .. work around by assigning user filling on file plan for now)
  * added extended method security for rule service .. currently defaults to alllow all, but will need to be closed down with ManageRules capability



git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@47624 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-rule-context.xml

@@ -9,6 +9,11 @@
       <property name="permission" value="ManageRules" />
       <property name="group"><ref bean="rulesGroup"/></property>
       <property name="index" value="10" />
+      <property name="conditions">
+         <map>
+            <entry key="capabilityCondition.filling" value="true"/>
+         </map>
+      </property>
    </bean>
 
 </beans>

rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml

@@ -203,4 +203,37 @@
         
    </bean>
    
+    <bean id="RuleService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
+        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
+        <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
+        <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property>
+        <property name="objectDefinitionSource">
+            <value>
+                org.alfresco.service.cmr.rule.RuleService.getRuleTypes=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.getRuleType=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.enableRules=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.disableRules=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.isEnabled=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.rulesEnabled=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.disableRule=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.enableRule=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.disableRuleType=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.enableRuleType=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.isRuleTypeEnabled=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.hasRules=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.getRules=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.countRules=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.getRule=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.saveRule=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.setRulePosition=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.removeRule=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.removeAllRules=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.getOwningNodeRef=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.isLinkedToRuleNode=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.getLinkedToRuleNode=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.getLinkedFromRuleNodes=ACL_ALLOW
+				org.alfresco.service.cmr.rule.RuleService.*=ACL_DENY
+            </value>
+        </property>
+    </bean>    
 </beans>    

rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties

@@ -176,3 +176,30 @@ rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setInherit
 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getInheritParentPermissions=RM_ALLOW 
 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.clearPermission=RM.Capability.0 
 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.*=RM_DENY 
+
+## Rule Service
+
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRuleTypes=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRuleType=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.enableRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.disableRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.isEnabled=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.rulesEnabled=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.disableRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.enableRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.disableRuleType=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.enableRuleType=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.isRuleTypeEnabled=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.hasRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.countRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.saveRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.setRulePosition=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.removeRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.removeAllRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getOwningNodeRef=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.isLinkedToRuleNode=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getLinkedToRuleNode=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getLinkedFromRuleNodes=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.*=RM_DENY

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java

@@ -31,6 +31,8 @@ import org.alfresco.module.org_alfresco_module_rm.capability.AbstractCapability;
 import org.alfresco.module.org_alfresco_module_rm.capability.Capability;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.security.AccessStatus;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.BeansException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
@@ -43,6 +45,9 @@ import org.springframework.context.ApplicationContextAware;
 public class DeclarativeCapability extends AbstractCapability 
                                    implements ApplicationContextAware
 {
+    /** Logger */
+    protected static Log logger = LogFactory.getLog(DeclarativeCapability.class);
+    
     /** Application Context */
     protected ApplicationContext applicationContext;
     
@@ -304,6 +309,12 @@ public class DeclarativeCapability extends AbstractCapability
         // Last chance for child implementations to veto/change the result
         result = onEvaluate(nodeRef, result);
         
+        // log access denied to help with debug
+        if (logger.isDebugEnabled() == true && AccessDecisionVoter.ACCESS_DENIED == result)
+        {
+            logger.debug("Capability " + getName() + " returned an Access Denied result during evaluation of node " + nodeRef.toString());
+        }
+        
         return result;
     }
     

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/ViewRecordsCapability.java

@@ -36,6 +36,13 @@ public final class ViewRecordsCapability extends DeclarativeCapability
             {
                 return checkRmRead(nodeRef);
             }
+            else
+            {
+                if (logger.isDebugEnabled() == true)
+                {
+                    logger.debug("View Records capability abstains, because node is not a file plan component. (nodeRef=" + nodeRef.toString() + ")");
+                }
+            }
         }
         
         return AccessDecisionVoter.ACCESS_ABSTAIN;

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/model/behaviour/RecordContainerType.java

@@ -122,6 +122,13 @@ public class RecordContainerType implements RecordsManagementModel,
         
         // We only care about "folder" or sub-types
         if (dictionaryService.isSubClass(childType, ContentModel.TYPE_FOLDER) == true)
+        {       
+            if (dictionaryService.isSubClass(childType, ContentModel.TYPE_SYSTEM_FOLDER) == true)
+            {
+                // this is a rule container, make sure it is an file plan component
+                nodeService.addAspect(child, ASPECT_FILE_PLAN_COMPONENT, null);
+            }
+            else
             {                
                 // We need to automatically cast the created folder to RM type if it is a plain folder
                 // This occurs if the RM folder has been created via IMap, WebDav, etc
@@ -135,6 +142,7 @@ public class RecordContainerType implements RecordsManagementModel,
 
                 // Catch all to generate the rm id (assuming it doesn't already have one!)
                 setIdenifierProperty(child);
+            }
             
         }
     }