diff --git a/source/java/org/alfresco/rest/api/PublicApiDeclarativeRegistry.java b/source/java/org/alfresco/rest/api/PublicApiDeclarativeRegistry.java index 8ecebd355a..ff6ee9b5b8 100644 --- a/source/java/org/alfresco/rest/api/PublicApiDeclarativeRegistry.java +++ b/source/java/org/alfresco/rest/api/PublicApiDeclarativeRegistry.java @@ -129,7 +129,6 @@ public class PublicApiDeclarativeRegistry extends DeclarativeRegistry } else { - // TODO - review (experimental) match = super.findWebScript(method, uri); Map templateVars = match.getTemplateVars(); 
@@ -139,29 +138,42 @@ public class PublicApiDeclarativeRegistry extends DeclarativeRegistry // NOTE: noAuth currently only exposed for GET Api api = determineApi(templateVars); - // TODO can we avoid locating resource more than once ? + // TODO can we avoid locating resource more than once (or at least provide a common code to determine the GET resourceAction) ? ResourceWithMetadata rwm = locator.locateResource(api, templateVars, HttpMethod.valueOf(method)); Class resAction = null; + String entityId = templateVars.get(ResourceLocator.ENTITY_ID); + switch (rwm.getMetaData().getType()) { case ENTITY: - // TODO check params for entity id (for now - assume there is) - if (EntityResourceAction.ReadById.class.isAssignableFrom(rwm.getResource().getClass())) + if (StringUtils.isNotBlank(entityId)) { - resAction = EntityResourceAction.ReadById.class; + if (EntityResourceAction.ReadById.class.isAssignableFrom(rwm.getResource().getClass())) + { + resAction = EntityResourceAction.ReadById.class; + } + } + else + { + if (EntityResourceAction.Read.class.isAssignableFrom(rwm.getResource().getClass())) + { + resAction = EntityResourceAction.Read.class; + } } break; case PROPERTY: - // TODO check params for entity id (for now - assume there is) - if (BinaryResourceAction.Read.class.isAssignableFrom(rwm.getResource().getClass())) + if (StringUtils.isNotBlank(entityId)) { - resAction = BinaryResourceAction.Read.class; - } - else if (RelationshipResourceBinaryAction.Read.class.isAssignableFrom(rwm.getResource().getClass())) - { - resAction = RelationshipResourceBinaryAction.Read.class; + if (BinaryResourceAction.Read.class.isAssignableFrom(rwm.getResource().getClass())) + { + resAction = BinaryResourceAction.Read.class; + } + else if (RelationshipResourceBinaryAction.Read.class.isAssignableFrom(rwm.getResource().getClass())) + { + resAction = RelationshipResourceBinaryAction.Read.class; + } } break; default: 
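Review bot: `resAction` is left null in the `PROPERTY` case when `entityId` is blank, and in the `ENTITY` case when the resource implements neither `ReadById` nor `Read`, yet this value feeds the decision to serve a GET without authentication. The code that consumes `resAction` lies outside the hunk, so it is not visible here whether null fails closed. If that is the intent, a comment before the `switch` would pin it down: `// resAction == null => no noAuth action matched; the request must go through normal authentication`. It would also help to note that `entityId` comes from the URI template variables (caller-controlled) and only its presence selects `ReadById` versus `Read`. As a style point, `rwm.getResource().getClass()` is evaluated up to four times and could be read once into a local, e.g. `Class<?> resClass = rwm.getResource().getClass();`.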
diff --git a/source/test-java/org/alfresco/rest/api/tests/SharedLinkApiTest.java b/source/test-java/org/alfresco/rest/api/tests/SharedLinkApiTest.java index e38826b31b..069cd0fdbe 100644 --- a/source/test-java/org/alfresco/rest/api/tests/SharedLinkApiTest.java +++ b/source/test-java/org/alfresco/rest/api/tests/SharedLinkApiTest.java @@ -268,8 +268,6 @@ public class SharedLinkApiTest extends AbstractBaseApiTest assertEquals("attachment; filename=\"" + fileName1 + "\"; filename*=UTF-8''" + fileName1 + "", response.getHeaders().get("Content-Disposition")); - response = getSingle(QuickShareLinkEntityResource.class, null, shared1Id + "/content", null, 30); - // -ve test - unauth access to get shared link file content - without Content-Disposition header (attachment=false) - header ignored (plain text is not in white list) params = new HashMap<>(); params.put("attachment", "false"); @@ -336,6 +334,9 @@ public class SharedLinkApiTest extends AbstractBaseApiTest // -ve test - user1 cannot delete shared link delete(URL_SHARED_LINKS, user1, shared1Id, 403); + // -ve test - unauthenticated + delete(URL_SHARED_LINKS, null, shared1Id, 401); + // -ve test - delete - cannot delete non-existent link delete(URL_SHARED_LINKS, user1, "dummy", 404); } @@ -346,6 +347,8 @@ public class SharedLinkApiTest extends AbstractBaseApiTest // As user 1 ... // -ve test - try to create again (different user, that has read permission) - already exists + body = new HashMap<>(); + body.put("nodeId", d1Id); post(URL_SHARED_LINKS, user1, toJsonAsStringNonNull(body), 409); // -ve - create - missing nodeId @@ -367,6 +370,11 @@ public class SharedLinkApiTest extends AbstractBaseApiTest body = new HashMap<>(); body.put("nodeId", d2Id); post(URL_SHARED_LINKS, user2, toJsonAsStringNonNull(body), 403); + + // -ve test - unauthenticated + body = new HashMap<>(); + body.put("nodeId", d1Id); + post(URL_SHARED_LINKS, null, toJsonAsStringNonNull(body), 401); } 
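Review bot: The new unauthenticated `delete(URL_SHARED_LINKS, null, shared1Id, 401)` check asserts only the status code, so a handler that removed the link before rejecting the request would still pass. Following it with an authenticated read of `shared1Id` that expects success would close that gap, with the comment widened to `// -ve test - unauthenticated delete is rejected and leaves the link in place`. The same applies to the unauthenticated `post(...)` added in the later hunk, where a check that no link was created would be the counterpart. The rest of each test method is outside these hunks, so an existing later assertion may already cover this. These tests also assume that passing `null` as the user makes the helper send no credentials, which a short comment at the first use would make explicit.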
@@ -510,6 +518,10 @@ public class SharedLinkApiTest extends AbstractBaseApiTest assertEquals(d2Id, sharedLinks.get(0).getNodeId()); + // -ve test - unauthenticated + getAll(URL_SHARED_LINKS, null, paging, params, 401); + + // delete the shared links delete(URL_SHARED_LINKS, user1, shared1Id, 204); delete(URL_SHARED_LINKS, user2, shared2Id, 204);