RM-1972: Methods with invalid policy are granted access
* invalid policy definitions now throw exception .. previously they just granted! * invalid capability definitions now throw exception .. previously they abstained with no message * reference to RM.Write removed and replaced with RM.Create or more appropriate permission check * adjustments to hold capabilities since they weren't being exercised as we thought * ManageAccessRights no longer checks for frozen .. you should be able to manage the permissions of an object if it's frozen and you have the capability * Unit tests for new code and adjustments * Tweaks to existing integration tests where required git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.3@97786 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -14,17 +14,20 @@
|
||||
<property name="filePlanService" ref="FilePlanService" />
|
||||
<property name="dispositionService" ref="DispositionService" />
|
||||
<property name="recordFolderService" ref="recordFolderService" />
|
||||
<property name="transactionalResourceHelper" ref="rm.transactionalResourceHelper" />
|
||||
</bean>
|
||||
|
||||
<bean id="capabilityCondition.frozen"
|
||||
parent="capabilityCondition.base"
|
||||
class="org.alfresco.module.org_alfresco_module_rm.capability.declarative.condition.FrozenCapabilityCondition">
|
||||
<property name="holdService" ref="HoldService" />
|
||||
</bean>
|
||||
|
||||
<bean id="capabilityCondition.frozenOrFrozenChildren"
|
||||
parent="capabilityCondition.base"
|
||||
class="org.alfresco.module.org_alfresco_module_rm.capability.declarative.condition.FrozenCapabilityCondition">
|
||||
<property name="checkChildren" value="true" />
|
||||
<property name="holdService" ref="HoldService" />
|
||||
</bean>
|
||||
|
||||
<bean id="capabilityCondition.frozenOrHold"
|
||||
@@ -215,5 +218,10 @@
|
||||
<property name="includedInHold" value="true"/>
|
||||
<property name="holdService" ref="HoldService" />
|
||||
</bean>
|
||||
|
||||
<bean id="capabilityCondition.hasFillingOnHoldContainer"
|
||||
parent="capabilityCondition.base"
|
||||
class="org.alfresco.module.org_alfresco_module_rm.capability.declarative.condition.FillingOnHoldContainerCapabilityCondition">
|
||||
</bean>
|
||||
|
||||
</beans>
|
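Review bot: `capabilityCondition.hasFillingOnHoldContainer` is declared with no comment and no injected properties, so a reader of this file cannot tell which node the filing check is applied to. A one-line comment above the bean would help, for example `<!-- passes when the user has filing permission on the hold container (confirm against FillingOnHoldContainerCapabilityCondition) -->`. The same applies to `capabilityCondition.frozen` and `capabilityCondition.frozenOrFrozenChildren`, which share one class and differ only in `checkChildren`.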
@@ -11,12 +11,13 @@
|
||||
<property name="permission" value="CreateHold"/>
|
||||
<property name="kinds">
|
||||
<list>
|
||||
<value>FILE_PLAN</value> <!-- required because the create hold method is parameterized by file plan -->
|
||||
<value>HOLD_CONTAINER</value>
|
||||
</list>
|
||||
</property>
|
||||
<property name="conditions">
|
||||
<map>
|
||||
<entry key="capabilityCondition.filling" value="true"/>
|
||||
<entry key="capabilityCondition.hasFillingOnHoldContainer" value="true"/>
|
||||
</map>
|
||||
</property>
|
||||
<property name="group"><ref bean="holdControlsGroup"/></property>
|
||||
|
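Review bot: Nothing visible in this capability says what `capabilityCondition.hasFillingOnHoldContainer` returns when the file plan has no hold container yet, and the capability is evaluated against `FILE_PLAN` as well as `HOLD_CONTAINER`. Since this commit exists because invalid definitions used to grant access, the condition should evaluate to false in that case and a unit test should pin it. The Java class is not on this page, so this is something to confirm rather than a known defect. The bean's opening tag is outside the hunk.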
@@ -22,7 +22,7 @@
|
||||
<property name="index" value="30" />
|
||||
</bean>
|
||||
|
||||
<!-- controls user and gropus role assignments -->
|
||||
<!-- controls user and gropus role assignments -->
|
||||
<bean id="rmManageAccessControlsCapability"
|
||||
parent="declarativeCapability">
|
||||
<property name="name" value="ManageAccessControls" />
|
||||
@@ -31,13 +31,13 @@
|
||||
<property name="index" value="40" />
|
||||
</bean>
|
||||
|
||||
<!-- controls an entities permissions -->
|
||||
<bean id="rmManageAccessRightsCapability"
|
||||
parent="declarativeCapability">
|
||||
<property name="name" value="ManageAccessRights"/>
|
||||
<property name="permission" value="ManageAccessRights"/>
|
||||
<property name="conditions">
|
||||
<map>
|
||||
<entry key="capabilityCondition.frozen" value="false"/>
|
||||
<entry key="capabilityCondition.filling" value="true"/>
|
||||
</map>
|
||||
</property>
|
||||
|
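Review bot: `rmManageAccessRightsCapability` carries no comment recording that the frozen check was dropped on purpose, although the commit description says it was. The section prints both a `capabilityCondition.frozen` and a `capabilityCondition.filling` entry and the page has lost its +/- markers, so I am reading `filling` as the new side. Because this allows the permissions of held items to be changed, I would extend the bean comment to something like `<!-- controls an entity's permissions; frozen state is deliberately not checked (RM-1972) -->`. The comment above `rmManageAccessControlsCapability` still reads `gropus` for `groups` in both printed copies.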
@@ -5,6 +5,12 @@
|
||||
|
||||
<!-- Authentication Helper -->
|
||||
<bean name="rm.authenticationUtil" class="org.alfresco.module.org_alfresco_module_rm.util.AuthenticationUtil"/>
|
||||
|
||||
<!-- Transactional Resouce Helper -->
|
||||
<bean name="rm.transactionalResourceHelper" class="org.alfresco.module.org_alfresco_module_rm.util.TransactionalResourceHelper" />
|
||||
|
||||
<!-- Alfresco Transaction Support Helper -->
|
||||
<bean name="rm.alfrescoTransactionSupport" class="org.alfresco.module.org_alfresco_module_rm.util.AlfrescoTransactionSupport" />
|
||||
|
||||
<!-- Import extended repository context -->
|
||||
|
||||
|
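Review bot: The comment on the transactional helper bean reads `Transactional Resouce Helper`; it should be `<!-- Transactional Resource Helper -->`. The helper beans here are declared with `name=` in the same way as the neighbouring `rm.authenticationUtil`, so the declarations themselves are consistent.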
@@ -115,14 +115,14 @@
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getNodeRefPath=RM.Read.0
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getFilePlan=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getFilePlans=RM_ALLOW
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.createFilePlan=RM.WRITE.0
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.createFilePlan=RM.Create.0
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getAllContained=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getContainedRecordCategories=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getContainedRecordFolders=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.createRecordCategory=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.createRecordCategory=RM.Create.0
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.isRecordFolderDeclared=RM.Read.0
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.isRecordFolderClosed=RM.Read.0
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.createRecordFolder=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.createRecordFolder=RM.Create.0
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getRecords=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getRecordFolders=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getRecordMetaDataAspects=RM_ALLOW
|
||||
|
@@ -96,7 +96,8 @@
|
||||
depends-on="CapabilityService">
|
||||
<property name="namespacePrefixResolver" ref="namespaceService"/>
|
||||
<property name="capabilityService" ref="capabilityService"/>
|
||||
|
||||
<property name='transactionalResourceHelper' ref="rm.transactionalResourceHelper" />
|
||||
<property name='alfrescoTransactionSupport' ref="rm.alfrescoTransactionSupport" />
|
||||
</bean>
|
||||
|
||||
<!-- ======================= -->
|
||||
|
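Review bot: The two helper properties are written `name='…'` with single quotes while the properties directly above them use `name="…"`. Use double quotes throughout, e.g. `<property name="alfrescoTransactionSupport" ref="rm.alfrescoTransactionSupport" />`. The enclosing bean's opening tag is outside the hunk, so the class receiving these references is not visible here.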
@@ -418,11 +418,11 @@
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getFilePlanBySiteId=RM_ALLOW,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.existsUnfiledContainer=RM.Read.0
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getUnfiledContainer=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createUnfiledContainer=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createUnfiledContainer=RM.Create.0
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getHoldContainer=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createHoldContainer=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createHoldContainer=RM.Create.0
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getTransferContainer=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createTransferContainer=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createTransferContainer=RM.Create.0
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createFilePlan=RM_ALLOW
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getNodeRefPath=RM.Read.0
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.isFilePlanContainer=RM_ALLOW
|
||||
@@ -430,7 +430,7 @@
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getAllContained=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getContainedRecordCategories=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getContainedRecordFolders=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createRecordCategory=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createRecordCategory=RM.Create.0
|
||||
org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.*=RM_DENY
|
||||
]]>
|
||||
</value>
|
||||
@@ -538,8 +538,8 @@
|
||||
<property name="objectDefinitionSource">
|
||||
<value>
|
||||
<![CDATA[
|
||||
org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.setupFilePlanRoles=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.tearDownFilePlanRoles=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.setupFilePlanRoles=RM_ALLOW
|
||||
org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.tearDownFilePlanRoles=RM_ALLOW
|
||||
org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.getRoles=RM_ALLOW
|
||||
org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.getRolesByUser=RM_ALLOW
|
||||
org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.getRole=RM_ALLOW
|
||||
@@ -1023,10 +1023,10 @@
|
||||
org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.isRecordFolder=RM.Read.0
|
||||
org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.isRecordFolderDeclared=RM.Read.0
|
||||
org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.isRecordFolderClosed=RM.Read.0
|
||||
org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.createRecordFolder=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.createRecordFolder=RM.Create.0
|
||||
org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.getRecordFolders=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.setupRecordFolder=RM.Read.0
|
||||
org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.closeRecordFolder=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.closeRecordFolder=RM_CAP.0.rma:filePlanComponent.CloseFolders
|
||||
org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.*=RM_DENY
|
||||
]]>
|
||||
</value>
|
||||
@@ -1167,7 +1167,7 @@
|
||||
<value>
|
||||
<![CDATA[
|
||||
org.alfresco.module.org_alfresco_module_rm.record.InplaceRecordService.hideRecord=RM_ALLOW
|
||||
org.alfresco.module.org_alfresco_module_rm.record.InplaceRecordService.moveRecord=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.record.InplaceRecordService.moveRecord=RM.Create.0
|
||||
org.alfresco.module.org_alfresco_module_rm.record.InplaceRecordService.*=RM_DENY
|
||||
]]>
|
||||
</value>
|
||||
@@ -1523,15 +1523,15 @@
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.getHold=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.heldBy=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.getHeld=RM.Read.0,AFTER_RM.FilterNode
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.createHold=RM.Read.0
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.createHold=RM_CAP.0.rma:filePlanComponent.CreateHold
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.getHoldReason=RM.Read.0
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.setHoldReason=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.deleteHold=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.addToHold=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.addToHolds=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.removeFromHold=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.removeFromHolds=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.removeFromAllHolds=RM.Write.0
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.setHoldReason=RM_CAP.0.rma:filePlanComponent.EditHold
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.deleteHold=RM_CAP.0.rma:filePlanComponent.DeleteHold
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.addToHold=RM_CAP.0.rma:filePlanComponent.AddToHold
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.addToHolds=RM_CAP.0.rma:filePlanComponent.AddToHold
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.removeFromHold=RM_CAP.0.rma:filePlanComponent.RemoveFromHold
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.removeFromHolds=RM_CAP.0.rma:filePlanComponent.RemoveFromHold
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.removeFromAllHolds=RM_ALLOW
|
||||
org.alfresco.module.org_alfresco_module_rm.hold.HoldService.*=RM_DENY
|
||||
]]>
|
||||
</value>
|
||||
|
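Review bot: Three state-changing methods that were guarded by `RM.Write.0` are now printed next to `RM_ALLOW`: `FilePlanRoleService.setupFilePlanRoles`, `FilePlanRoleService.tearDownFilePlanRoles` and `HoldService.removeFromAllHolds`. The page has lost its +/- markers, so I am assuming the `RM_ALLOW` lines are the new side. If so, the method-security layer no longer restricts who may tear down a file plan's roles or release an item from every hold, and any authorization has to live inside the service implementations, which are not shown. Either give these a capability entry in the style of the neighbouring lines (for instance `RM_CAP.0.rma:filePlanComponent.RemoveFromHold`, if parameter 0 of `removeFromAllHolds` is a node that capability can be evaluated on), or add an XML comment above each `<property name="objectDefinitionSource">` stating where the check is enforced. An integration test calling each method as a user without the relevant capability would confirm the intended denial.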