Merged HEAD (5.2) to 5.2.N (5.2.1)

126524 jkaabimofrad: Merged FILE-FOLDER-API (5.2.0) to HEAD (5.2)
      123056 jvonka: (Quick) Shared Links API - find links (fix 500 -> 401 if not authenticated)
      - add more -ve tests to check methods that require auth return 401 if unauthenticated
      RA-777


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@126868 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/rest/api/PublicApiDeclarativeRegistry.java

@@ -129,7 +129,6 @@ public class PublicApiDeclarativeRegistry extends DeclarativeRegistry
             }
             else
             {
-                // TODO - review (experimental)
                 match = super.findWebScript(method, uri);
 
                 Map<String, String> templateVars = match.getTemplateVars();
@@ -139,29 +138,42 @@ public class PublicApiDeclarativeRegistry extends DeclarativeRegistry
                     // NOTE: noAuth currently only exposed for GET
                     Api api = determineApi(templateVars);
 
-                    // TODO can we avoid locating resource more than once ?
+                    // TODO can we avoid locating resource more than once (or at least provide a common code to determine the GET resourceAction) ?
                     ResourceWithMetadata rwm = locator.locateResource(api, templateVars, HttpMethod.valueOf(method));
 
                     Class resAction = null;
 
+                    String entityId = templateVars.get(ResourceLocator.ENTITY_ID);
+
                     switch (rwm.getMetaData().getType())
                     {
                         case ENTITY:
-                            // TODO check params for entity id (for now - assume there is)
-                            if (EntityResourceAction.ReadById.class.isAssignableFrom(rwm.getResource().getClass()))
+                            if (StringUtils.isNotBlank(entityId))
                             {
-                                resAction = EntityResourceAction.ReadById.class;
+                                if (EntityResourceAction.ReadById.class.isAssignableFrom(rwm.getResource().getClass()))
+                                {
+                                    resAction = EntityResourceAction.ReadById.class;
+                                }
+                            }
+                            else
+                            {
+                                if (EntityResourceAction.Read.class.isAssignableFrom(rwm.getResource().getClass()))
+                                {
+                                    resAction = EntityResourceAction.Read.class;
+                                }
                             }
                             break;
                         case PROPERTY:
-                            // TODO check params for entity id (for now - assume there is)
-                            if (BinaryResourceAction.Read.class.isAssignableFrom(rwm.getResource().getClass()))
+                            if (StringUtils.isNotBlank(entityId))
                             {
-                                resAction = BinaryResourceAction.Read.class;
-                            }
-                            else if (RelationshipResourceBinaryAction.Read.class.isAssignableFrom(rwm.getResource().getClass()))
-                            {
-                                resAction = RelationshipResourceBinaryAction.Read.class;
+                                if (BinaryResourceAction.Read.class.isAssignableFrom(rwm.getResource().getClass()))
+                                {
+                                    resAction = BinaryResourceAction.Read.class;
+                                }
+                                else if (RelationshipResourceBinaryAction.Read.class.isAssignableFrom(rwm.getResource().getClass()))
+                                {
+                                    resAction = RelationshipResourceBinaryAction.Read.class;
+                                }
                             }
                             break;
                         default:

source/test-java/org/alfresco/rest/api/tests/SharedLinkApiTest.java

@@ -268,8 +268,6 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
         assertEquals("attachment; filename=\"" + fileName1 + "\"; filename*=UTF-8''" + fileName1 + "", response.getHeaders().get("Content-Disposition"));
 
 
-        response = getSingle(QuickShareLinkEntityResource.class, null, shared1Id + "/content", null, 30);
-
         // -ve test - unauth access to get shared link file content - without Content-Disposition header (attachment=false) - header ignored (plain text is not in white list)
         params = new HashMap<>();
         params.put("attachment", "false");
@@ -336,6 +334,9 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
             // -ve test - user1 cannot delete shared link
             delete(URL_SHARED_LINKS, user1, shared1Id, 403);
 
+            // -ve test - unauthenticated
+            delete(URL_SHARED_LINKS, null, shared1Id, 401);
+
             // -ve test - delete - cannot delete non-existent link
             delete(URL_SHARED_LINKS, user1, "dummy", 404);
         }
@@ -346,6 +347,8 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
             // As user 1 ...
 
             // -ve test - try to create again (different user, that has read permission) - already exists
+            body = new HashMap<>();
+            body.put("nodeId", d1Id);
             post(URL_SHARED_LINKS, user1, toJsonAsStringNonNull(body), 409);
 
             // -ve - create - missing nodeId
@@ -367,6 +370,11 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
             body = new HashMap<>();
             body.put("nodeId", d2Id);
             post(URL_SHARED_LINKS, user2, toJsonAsStringNonNull(body), 403);
+
+            // -ve test - unauthenticated
+            body = new HashMap<>();
+            body.put("nodeId", d1Id);
+            post(URL_SHARED_LINKS, null, toJsonAsStringNonNull(body), 401);
         }
 
 
@@ -510,6 +518,10 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
         assertEquals(d2Id, sharedLinks.get(0).getNodeId());
 
 
+        // -ve test - unauthenticated
+        getAll(URL_SHARED_LINKS, null, paging, params, 401);
+
+
         // delete the shared links
         delete(URL_SHARED_LINKS, user1, shared1Id, 204);
         delete(URL_SHARED_LINKS, user2, shared2Id, 204);