mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-08-14 17:58:59 +00:00
Merged HEAD (5.2) to 5.2.N (5.2.1)
126524 jkaabimofrad: Merged FILE-FOLDER-API (5.2.0) to HEAD (5.2)
123056 jvonka: (Quick) Shared Links API - find links (fix 500 -> 401 if not authenticated)
- add more -ve tests to check methods that require auth return 401 if unauthenticated
RA-777
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@126868 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Ancuta Morarasu
@@ -129,7 +129,6 @@ public class PublicApiDeclarativeRegistry extends DeclarativeRegistry
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
// TODO - review (experimental)
|
|
||||||
match = super.findWebScript(method, uri);
|
match = super.findWebScript(method, uri);
|
||||||
|
|
||||||
Map<String, String> templateVars = match.getTemplateVars();
|
Map<String, String> templateVars = match.getTemplateVars();
|
||||||
@@ -139,29 +138,42 @@ public class PublicApiDeclarativeRegistry extends DeclarativeRegistry
|
|||||||
// NOTE: noAuth currently only exposed for GET
|
// NOTE: noAuth currently only exposed for GET
|
||||||
Api api = determineApi(templateVars);
|
Api api = determineApi(templateVars);
|
||||||
|
|
||||||
// TODO can we avoid locating resource more than once ?
|
// TODO can we avoid locating resource more than once (or at least provide a common code to determine the GET resourceAction) ?
|
||||||
ResourceWithMetadata rwm = locator.locateResource(api, templateVars, HttpMethod.valueOf(method));
|
ResourceWithMetadata rwm = locator.locateResource(api, templateVars, HttpMethod.valueOf(method));
|
||||||
|
|
||||||
Class resAction = null;
|
Class resAction = null;
|
||||||
|
|
||||||
|
String entityId = templateVars.get(ResourceLocator.ENTITY_ID);
|
||||||
|
|
||||||
switch (rwm.getMetaData().getType())
|
switch (rwm.getMetaData().getType())
|
||||||
{
|
{
|
||||||
case ENTITY:
|
case ENTITY:
|
||||||
// TODO check params for entity id (for now - assume there is)
|
if (StringUtils.isNotBlank(entityId))
|
||||||
if (EntityResourceAction.ReadById.class.isAssignableFrom(rwm.getResource().getClass()))
|
|
||||||
{
|
{
|
||||||
resAction = EntityResourceAction.ReadById.class;
|
if (EntityResourceAction.ReadById.class.isAssignableFrom(rwm.getResource().getClass()))
|
||||||
|
{
|
||||||
|
resAction = EntityResourceAction.ReadById.class;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
if (EntityResourceAction.Read.class.isAssignableFrom(rwm.getResource().getClass()))
|
||||||
|
{
|
||||||
|
resAction = EntityResourceAction.Read.class;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case PROPERTY:
|
case PROPERTY:
|
||||||
// TODO check params for entity id (for now - assume there is)
|
if (StringUtils.isNotBlank(entityId))
|
||||||
if (BinaryResourceAction.Read.class.isAssignableFrom(rwm.getResource().getClass()))
|
|
||||||
{
|
{
|
||||||
resAction = BinaryResourceAction.Read.class;
|
if (BinaryResourceAction.Read.class.isAssignableFrom(rwm.getResource().getClass()))
|
||||||
}
|
{
|
||||||
else if (RelationshipResourceBinaryAction.Read.class.isAssignableFrom(rwm.getResource().getClass()))
|
resAction = BinaryResourceAction.Read.class;
|
||||||
{
|
}
|
||||||
resAction = RelationshipResourceBinaryAction.Read.class;
|
else if (RelationshipResourceBinaryAction.Read.class.isAssignableFrom(rwm.getResource().getClass()))
|
||||||
|
{
|
||||||
|
resAction = RelationshipResourceBinaryAction.Read.class;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
|
|||||||
@@ -268,8 +268,6 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
|
|||||||
assertEquals("attachment; filename=\"" + fileName1 + "\"; filename*=UTF-8''" + fileName1 + "", response.getHeaders().get("Content-Disposition"));
|
assertEquals("attachment; filename=\"" + fileName1 + "\"; filename*=UTF-8''" + fileName1 + "", response.getHeaders().get("Content-Disposition"));
|
||||||
|
|
||||||
|
|
||||||
response = getSingle(QuickShareLinkEntityResource.class, null, shared1Id + "/content", null, 30);
|
|
||||||
|
|
||||||
// -ve test - unauth access to get shared link file content - without Content-Disposition header (attachment=false) - header ignored (plain text is not in white list)
|
// -ve test - unauth access to get shared link file content - without Content-Disposition header (attachment=false) - header ignored (plain text is not in white list)
|
||||||
params = new HashMap<>();
|
params = new HashMap<>();
|
||||||
params.put("attachment", "false");
|
params.put("attachment", "false");
|
||||||
@@ -336,6 +334,9 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
|
|||||||
// -ve test - user1 cannot delete shared link
|
// -ve test - user1 cannot delete shared link
|
||||||
delete(URL_SHARED_LINKS, user1, shared1Id, 403);
|
delete(URL_SHARED_LINKS, user1, shared1Id, 403);
|
||||||
|
|
||||||
|
// -ve test - unauthenticated
|
||||||
|
delete(URL_SHARED_LINKS, null, shared1Id, 401);
|
||||||
|
|
||||||
// -ve test - delete - cannot delete non-existent link
|
// -ve test - delete - cannot delete non-existent link
|
||||||
delete(URL_SHARED_LINKS, user1, "dummy", 404);
|
delete(URL_SHARED_LINKS, user1, "dummy", 404);
|
||||||
}
|
}
|
||||||
@@ -346,6 +347,8 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
|
|||||||
// As user 1 ...
|
// As user 1 ...
|
||||||
|
|
||||||
// -ve test - try to create again (different user, that has read permission) - already exists
|
// -ve test - try to create again (different user, that has read permission) - already exists
|
||||||
|
body = new HashMap<>();
|
||||||
|
body.put("nodeId", d1Id);
|
||||||
post(URL_SHARED_LINKS, user1, toJsonAsStringNonNull(body), 409);
|
post(URL_SHARED_LINKS, user1, toJsonAsStringNonNull(body), 409);
|
||||||
|
|
||||||
// -ve - create - missing nodeId
|
// -ve - create - missing nodeId
|
||||||
@@ -367,6 +370,11 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
|
|||||||
body = new HashMap<>();
|
body = new HashMap<>();
|
||||||
body.put("nodeId", d2Id);
|
body.put("nodeId", d2Id);
|
||||||
post(URL_SHARED_LINKS, user2, toJsonAsStringNonNull(body), 403);
|
post(URL_SHARED_LINKS, user2, toJsonAsStringNonNull(body), 403);
|
||||||
|
|
||||||
|
// -ve test - unauthenticated
|
||||||
|
body = new HashMap<>();
|
||||||
|
body.put("nodeId", d1Id);
|
||||||
|
post(URL_SHARED_LINKS, null, toJsonAsStringNonNull(body), 401);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -510,6 +518,10 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
|
|||||||
assertEquals(d2Id, sharedLinks.get(0).getNodeId());
|
assertEquals(d2Id, sharedLinks.get(0).getNodeId());
|
||||||
|
|
||||||
|
|
||||||
|
// -ve test - unauthenticated
|
||||||
|
getAll(URL_SHARED_LINKS, null, paging, params, 401);
|
||||||
|
|
||||||
|
|
||||||
// delete the shared links
|
// delete the shared links
|
||||||
delete(URL_SHARED_LINKS, user1, shared1Id, 204);
|
delete(URL_SHARED_LINKS, user1, shared1Id, 204);
|
||||||
delete(URL_SHARED_LINKS, user2, shared2Id, 204);
|
delete(URL_SHARED_LINKS, user2, shared2Id, 204);
|
||||||
|
|||||||
Reference in New Issue
Block a user