RM-1661 (Performance on setting permissions at a high category level)
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.1.0.x@88087 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -341,6 +341,7 @@
|
||||
<property name="kinds">
|
||||
<set>
|
||||
<value>FILE_PLAN</value>
|
||||
<value>RECORD</value>
|
||||
<value>RECORD_CATEGORY</value>
|
||||
<value>RECORD_FOLDER</value>
|
||||
<value>UNFILED_RECORD_CONTAINER</value>
|
||||
|
@@ -370,7 +370,6 @@ public class FilePlanServiceImpl extends ServiceBaseImpl
|
||||
getPermissionService().setPermission(container, allRoles, RMPermissionModel.READ_RECORDS, true);
|
||||
getPermissionService().setPermission(container, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true);
|
||||
getPermissionService().setPermission(container, ExtendedWriterDynamicAuthority.EXTENDED_WRITER, RMPermissionModel.FILING, true);
|
||||
getPermissionService().setPermission(container, "Administrator", RMPermissionModel.FILING, true);
|
||||
|
||||
// TODO set the admin users to have filing permissions on the unfiled container!!!
|
||||
// TODO we will need to be able to get a list of the admin roles from the service
|
||||
|
@@ -18,6 +18,8 @@
|
||||
*/
|
||||
package org.alfresco.module.org_alfresco_module_rm.security;
|
||||
|
||||
import static org.apache.commons.lang.BooleanUtils.isTrue;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
@@ -156,35 +158,31 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
|
||||
/**
|
||||
* @param childAssocRef
|
||||
*/
|
||||
public void onCreateRMContainer(ChildAssociationRef childAssocRef)
|
||||
public void onCreateRMContainer(final ChildAssociationRef childAssocRef)
|
||||
{
|
||||
final NodeRef recordCategory = childAssocRef.getChildRef();
|
||||
setUpPermissions(recordCategory);
|
||||
|
||||
// Pull any permissions found on the parent (ie the record category)
|
||||
final NodeRef parentNodeRef = childAssocRef.getParentRef();
|
||||
if (parentNodeRef != null && nodeService.exists(parentNodeRef) == true)
|
||||
if (parentNodeRef != null && nodeService.exists(parentNodeRef))
|
||||
{
|
||||
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
|
||||
{
|
||||
public Object doWork()
|
||||
{
|
||||
boolean fillingOnly = false;
|
||||
if (filePlanService.isFilePlan(parentNodeRef) == true)
|
||||
{
|
||||
fillingOnly = true;
|
||||
}
|
||||
NodeRef recordCategory = childAssocRef.getChildRef();
|
||||
boolean isParentNodeFilePlan = filePlanService.isFilePlan(parentNodeRef);
|
||||
setUpPermissions(recordCategory, isParentNodeFilePlan);
|
||||
|
||||
// since this is not a root category, inherit from parent
|
||||
if (isParentNodeFilePlan)
|
||||
{
|
||||
Set<AccessPermission> perms = permissionService.getAllSetPermissions(parentNodeRef);
|
||||
for (AccessPermission perm : perms)
|
||||
{
|
||||
if (fillingOnly == false ||
|
||||
RMPermissionModel.FILING.equals(perm.getPermission()) == true)
|
||||
if (RMPermissionModel.FILING.equals(perm.getPermission()))
|
||||
{
|
||||
AccessStatus accessStatus = perm.getAccessStatus();
|
||||
boolean allow = false;
|
||||
if (AccessStatus.ALLOWED.equals(accessStatus) == true)
|
||||
if (AccessStatus.ALLOWED.equals(accessStatus))
|
||||
{
|
||||
allow = true;
|
||||
}
|
||||
@@ -195,9 +193,11 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
|
||||
allow);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
}, AuthenticationUtil.getSystemUserName());
|
||||
}
|
||||
}
|
||||
@@ -214,7 +214,8 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
|
||||
|
||||
// Pull any permissions found on the parent (ie the record category)
|
||||
final NodeRef catNodeRef = childAssocRef.getParentRef();
|
||||
if (nodeService.exists(catNodeRef) == true)
|
||||
if (!permissionService.getInheritParentPermissions(folderNodeRef) &&
|
||||
nodeService.exists(catNodeRef))
|
||||
{
|
||||
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
|
||||
{
|
||||
@@ -223,8 +224,8 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
|
||||
Set<AccessPermission> perms = permissionService.getAllSetPermissions(catNodeRef);
|
||||
for (AccessPermission perm : perms)
|
||||
{
|
||||
if (ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) == false &&
|
||||
ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(perm.getAuthority()) == false)
|
||||
if (!ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) &&
|
||||
!ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(perm.getAuthority()))
|
||||
{
|
||||
AccessStatus accessStatus = perm.getAccessStatus();
|
||||
boolean allow = false;
|
||||
@@ -326,11 +327,13 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
|
||||
{
|
||||
setUpPermissions(record);
|
||||
|
||||
if (!permissionService.getInheritParentPermissions(record))
|
||||
{
|
||||
Set<AccessPermission> perms = permissionService.getAllSetPermissions(parent);
|
||||
for (AccessPermission perm : perms)
|
||||
{
|
||||
if (ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) == false &&
|
||||
ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(perm.getAuthority()) == false)
|
||||
if (!ExtendedReaderDynamicAuthority.EXTENDED_READER.equals(perm.getAuthority()) &&
|
||||
!ExtendedWriterDynamicAuthority.EXTENDED_WRITER.equals(perm.getAuthority()))
|
||||
{
|
||||
AccessStatus accessStatus = perm.getAccessStatus();
|
||||
boolean allow = false;
|
||||
@@ -345,7 +348,7 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
|
||||
allow);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -407,14 +410,19 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
|
||||
*/
|
||||
public void setUpPermissions(final NodeRef nodeRef)
|
||||
{
|
||||
if (nodeService.exists(nodeRef) == true)
|
||||
setUpPermissions(nodeRef, null);
|
||||
}
|
||||
|
||||
private void setUpPermissions(final NodeRef nodeRef, final Boolean isParentNodeFilePlan)
|
||||
{
|
||||
if (nodeService.exists(nodeRef))
|
||||
{
|
||||
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
|
||||
{
|
||||
public Object doWork()
|
||||
{
|
||||
// break inheritance
|
||||
permissionService.setInheritParentPermissions(nodeRef, false);
|
||||
permissionService.setInheritParentPermissions(nodeRef, isInheritanceAllowed(nodeRef, isParentNodeFilePlan));
|
||||
|
||||
// set extended reader permissions
|
||||
permissionService.setPermission(nodeRef, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true);
|
||||
@@ -426,6 +434,11 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
|
||||
}
|
||||
}
|
||||
|
||||
private boolean isInheritanceAllowed(NodeRef nodeRef, Boolean isParentNodeFilePlan)
|
||||
{
|
||||
return !(isFilePlan(nodeRef) || isHold(nodeRef) || isTransfer(nodeRef) || (isRecordCategory(nodeRef) && isTrue(isParentNodeFilePlan)));
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#setPermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String, java.lang.String, boolean)
|
||||
*/
|
||||
@@ -439,20 +452,16 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
|
||||
{
|
||||
public Boolean doWork() throws Exception
|
||||
{
|
||||
if (filePlanService.isFilePlan(nodeRef) == true)
|
||||
if (filePlanService.isFilePlan(nodeRef) ||
|
||||
filePlanService.isFilePlanContainer(nodeRef) ||
|
||||
recordsManagementService.isRecordFolder(nodeRef) ||
|
||||
recordService.isRecord(nodeRef))
|
||||
{
|
||||
setPermissionDown(nodeRef, authority, permission);
|
||||
}
|
||||
else if (filePlanService.isFilePlanContainer(nodeRef) == true ||
|
||||
recordsManagementService.isRecordFolder(nodeRef) == true ||
|
||||
recordService.isRecord(nodeRef) == true)
|
||||
{
|
||||
setReadPermissionUp(nodeRef, authority);
|
||||
setPermissionDown(nodeRef, authority, permission);
|
||||
}
|
||||
else
|
||||
{
|
||||
if (logger.isWarnEnabled() == true)
|
||||
if (logger.isWarnEnabled())
|
||||
{
|
||||
logger.warn("Setting permissions for this node is not supported. (nodeRef=" + nodeRef + ", authority=" + authority + ", permission=" + permission + ")");
|
||||
}
|
||||
@@ -463,38 +472,6 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
|
||||
}, AuthenticationUtil.getSystemUserName());
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper method to set the read permission up the hierarchy
|
||||
*
|
||||
* @param nodeRef node reference
|
||||
* @param authority authority
|
||||
*/
|
||||
private void setReadPermissionUp(NodeRef nodeRef, String authority)
|
||||
{
|
||||
NodeRef parent = nodeService.getPrimaryParent(nodeRef).getParentRef();
|
||||
if (parent != null && filePlanService.isFilePlanComponent(parent) == true)
|
||||
{
|
||||
setReadPermissionUpImpl(parent, authority);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper method used to set the read permission up the hierarchy
|
||||
*
|
||||
* @param nodeRef node reference
|
||||
* @param authority authority
|
||||
*/
|
||||
private void setReadPermissionUpImpl(NodeRef nodeRef, String authority)
|
||||
{
|
||||
setPermissionImpl(nodeRef, authority, RMPermissionModel.READ_RECORDS);
|
||||
|
||||
NodeRef parent = nodeService.getPrimaryParent(nodeRef).getParentRef();
|
||||
if (parent != null && filePlanService.isFilePlanComponent(parent) == true)
|
||||
{
|
||||
setReadPermissionUpImpl(parent, authority);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper method to set the permission down the hierarchy
|
||||
*
|
||||
@@ -503,32 +480,30 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
|
||||
* @param permission permission
|
||||
*/
|
||||
private void setPermissionDown(NodeRef nodeRef, String authority, String permission)
|
||||
{
|
||||
// skip out node's that inherit (for example hold and transfer)
|
||||
if (permissionService.getInheritParentPermissions(nodeRef) == false)
|
||||
{
|
||||
// set permissions
|
||||
setPermissionImpl(nodeRef, authority, permission);
|
||||
|
||||
if (filePlanService.isFilePlanContainer(nodeRef) == true ||
|
||||
recordsManagementService.isRecordFolder(nodeRef) == true)
|
||||
// skip out node's that inherit (for example hold and transfer)
|
||||
if (!permissionService.getInheritParentPermissions(nodeRef) &&
|
||||
(filePlanService.isFilePlanContainer(nodeRef) ||
|
||||
recordsManagementService.isRecordFolder(nodeRef)))
|
||||
{
|
||||
List<ChildAssociationRef> assocs = nodeService.getChildAssocs(nodeRef, ContentModel.ASSOC_CONTAINS, RegexQNamePattern.MATCH_ALL);
|
||||
for (ChildAssociationRef assoc : assocs)
|
||||
{
|
||||
NodeRef child = assoc.getChildRef();
|
||||
if (filePlanService.isFilePlanContainer(child) == true ||
|
||||
recordsManagementService.isRecordFolder(child) == true ||
|
||||
recordService.isRecord(child) == true ||
|
||||
instanceOf(child, TYPE_HOLD) == true ||
|
||||
instanceOf(child, TYPE_TRANSFER) == true)
|
||||
if (filePlanService.isFilePlanContainer(child) ||
|
||||
recordsManagementService.isRecordFolder(child) ||
|
||||
recordService.isRecord(child) ||
|
||||
instanceOf(child, TYPE_HOLD) ||
|
||||
instanceOf(child, TYPE_TRANSFER))
|
||||
{
|
||||
setPermissionDown(child, authority, permission);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the permission, taking into account that filing is a superset of read
|
||||
@@ -556,31 +531,29 @@ public class FilePlanPermissionServiceImpl extends ServiceBaseImpl
|
||||
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
|
||||
{
|
||||
public Boolean doWork() throws Exception
|
||||
{
|
||||
// can't delete permissions if inherited (eg hold and transfer containers)
|
||||
if (permissionService.getInheritParentPermissions(nodeRef) == false)
|
||||
{
|
||||
// Delete permission on this node
|
||||
permissionService.deletePermission(nodeRef, authority, permission);
|
||||
|
||||
if (filePlanService.isFilePlanContainer(nodeRef) == true ||
|
||||
recordsManagementService.isRecordFolder(nodeRef) == true)
|
||||
// can't delete permissions if inherited (eg hold and transfer containers)
|
||||
if (!permissionService.getInheritParentPermissions(nodeRef) &&
|
||||
(filePlanService.isFilePlanContainer(nodeRef) ||
|
||||
recordsManagementService.isRecordFolder(nodeRef)))
|
||||
{
|
||||
List<ChildAssociationRef> assocs = nodeService.getChildAssocs(nodeRef, ContentModel.ASSOC_CONTAINS, RegexQNamePattern.MATCH_ALL);
|
||||
for (ChildAssociationRef assoc : assocs)
|
||||
{
|
||||
NodeRef child = assoc.getChildRef();
|
||||
if (filePlanService.isFilePlanContainer(child) == true ||
|
||||
recordsManagementService.isRecordFolder(child) == true ||
|
||||
recordService.isRecord(child) == true||
|
||||
instanceOf(child, TYPE_HOLD) == true ||
|
||||
instanceOf(child, TYPE_TRANSFER) == true)
|
||||
if (filePlanService.isFilePlanContainer(child) ||
|
||||
recordsManagementService.isRecordFolder(child) ||
|
||||
recordService.isRecord(child)||
|
||||
instanceOf(child, TYPE_HOLD) ||
|
||||
instanceOf(child, TYPE_TRANSFER))
|
||||
{
|
||||
deletePermission(child, authority, permission);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
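Review bot: The public `setUpPermissions(nodeRef)` overload passes `null` for `isParentNodeFilePlan`, and `isInheritanceAllowed` turns that into false through `isTrue(...)`, so a record category sitting directly under the file plan that reaches this overload would get `setInheritParentPermissions(nodeRef, true)`. `onCreateRMContainer` supplies the real value, and for that same node the result would be `false`; which other callers use the one-argument overload is not visible on this page. Because this flag decides whether the file plan's ACL flows down into a category, I would resolve the unknown case instead of defaulting it: when the argument is null, look up the parent with `nodeService.getPrimaryParent(nodeRef).getParentRef()`, null-check it, and pass `filePlanService.isFilePlan(parent)`. A Javadoc line on `isInheritanceAllowed` listing the node types that never inherit (file plan, hold, transfer, root category) would also make the rule reviewable. The body of the two-argument `setUpPermissions` continues outside the hunks shown.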
@@ -222,7 +222,7 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase
|
||||
assertPermissions(userName,
|
||||
AccessStatus.ALLOWED, // fileplan read
|
||||
AccessStatus.DENIED, // fileplan file
|
||||
AccessStatus.ALLOWED, // category read
|
||||
AccessStatus.DENIED, // category read
|
||||
AccessStatus.DENIED, // category file
|
||||
AccessStatus.ALLOWED, // record folder read
|
||||
AccessStatus.ALLOWED, // record folder file
|
||||
@@ -234,7 +234,7 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase
|
||||
assertPermissions(userName,
|
||||
AccessStatus.ALLOWED, // fileplan read
|
||||
AccessStatus.DENIED, // fileplan file
|
||||
AccessStatus.ALLOWED, // category read
|
||||
AccessStatus.DENIED, // category read
|
||||
AccessStatus.DENIED, // category file
|
||||
AccessStatus.DENIED, // record folder read
|
||||
AccessStatus.DENIED, // record folder file
|
||||
@@ -264,9 +264,9 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase
|
||||
assertPermissions(userName,
|
||||
AccessStatus.ALLOWED, // fileplan read
|
||||
AccessStatus.DENIED, // fileplan file
|
||||
AccessStatus.ALLOWED, // category read
|
||||
AccessStatus.DENIED, // category read
|
||||
AccessStatus.DENIED, // category file
|
||||
AccessStatus.ALLOWED, // record folder read
|
||||
AccessStatus.DENIED, // record folder read
|
||||
AccessStatus.DENIED, // record folder file
|
||||
AccessStatus.ALLOWED, // record read
|
||||
AccessStatus.ALLOWED); // record file
|
||||
@@ -276,9 +276,9 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase
|
||||
assertPermissions(userName,
|
||||
AccessStatus.ALLOWED, // fileplan read
|
||||
AccessStatus.DENIED, // fileplan file
|
||||
AccessStatus.ALLOWED, // category read
|
||||
AccessStatus.DENIED, // category read
|
||||
AccessStatus.DENIED, // category file
|
||||
AccessStatus.ALLOWED, // record folder read
|
||||
AccessStatus.DENIED, // record folder read
|
||||
AccessStatus.DENIED, // record folder file
|
||||
AccessStatus.DENIED, // record read
|
||||
AccessStatus.DENIED); // record file
|
||||
@@ -364,7 +364,7 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase
|
||||
assertPermissions(userOne,
|
||||
AccessStatus.ALLOWED, // fileplan read
|
||||
AccessStatus.DENIED, // fileplan file
|
||||
AccessStatus.ALLOWED, // category read
|
||||
AccessStatus.DENIED, // category read
|
||||
AccessStatus.DENIED, // category file
|
||||
AccessStatus.ALLOWED, // record folder read
|
||||
AccessStatus.ALLOWED, // record folder file
|
||||
@@ -383,7 +383,7 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase
|
||||
assertPermissions(userTwo,
|
||||
AccessStatus.ALLOWED, // fileplan read
|
||||
AccessStatus.DENIED, // fileplan file
|
||||
AccessStatus.ALLOWED, // category read
|
||||
AccessStatus.DENIED, // category read
|
||||
AccessStatus.DENIED, // category file
|
||||
AccessStatus.DENIED, // record folder read
|
||||
AccessStatus.DENIED, // record folder file
|
||||
@@ -402,9 +402,9 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase
|
||||
assertPermissions(userThree,
|
||||
AccessStatus.ALLOWED, // fileplan read
|
||||
AccessStatus.DENIED, // fileplan file
|
||||
AccessStatus.ALLOWED, // category read
|
||||
AccessStatus.DENIED, // category read
|
||||
AccessStatus.DENIED, // category file
|
||||
AccessStatus.ALLOWED, // record folder read
|
||||
AccessStatus.DENIED, // record folder read
|
||||
AccessStatus.DENIED, // record folder file
|
||||
AccessStatus.ALLOWED, // record read
|
||||
AccessStatus.ALLOWED); // record file
|
||||
@@ -433,7 +433,7 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase
|
||||
assertPermissions(userOne,
|
||||
AccessStatus.ALLOWED, // fileplan read
|
||||
AccessStatus.DENIED, // fileplan file
|
||||
AccessStatus.ALLOWED, // category read
|
||||
AccessStatus.DENIED, // category read
|
||||
AccessStatus.DENIED, // category file
|
||||
AccessStatus.ALLOWED, // record folder read
|
||||
AccessStatus.ALLOWED, // record folder file
|
||||
@@ -452,7 +452,7 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase
|
||||
assertPermissions(userTwo,
|
||||
AccessStatus.ALLOWED, // fileplan read
|
||||
AccessStatus.DENIED, // fileplan file
|
||||
AccessStatus.ALLOWED, // category read
|
||||
AccessStatus.DENIED, // category read
|
||||
AccessStatus.DENIED, // category file
|
||||
AccessStatus.DENIED, // record folder read
|
||||
AccessStatus.DENIED, // record folder file
|
||||
@@ -471,9 +471,9 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase
|
||||
assertPermissions(userThree,
|
||||
AccessStatus.ALLOWED, // fileplan read
|
||||
AccessStatus.DENIED, // fileplan file
|
||||
AccessStatus.ALLOWED, // category read
|
||||
AccessStatus.DENIED, // category read
|
||||
AccessStatus.DENIED, // category file
|
||||
AccessStatus.ALLOWED, // record folder read
|
||||
AccessStatus.DENIED, // record folder read
|
||||
AccessStatus.DENIED, // record folder file
|
||||
AccessStatus.ALLOWED, // record read
|
||||
AccessStatus.ALLOWED); // record file
|
||||
@@ -482,7 +482,7 @@ public class FilePlanPermissionServiceImplTest extends BaseRMTestCase
|
||||
@Override
|
||||
public Void run()
|
||||
{
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(otherFolder, RMPermissionModel.READ_RECORDS));
|
||||
assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.READ_RECORDS));
|
||||
assertEquals(AccessStatus.DENIED, permissionService.hasPermission(otherFolder, RMPermissionModel.FILING));
|
||||
return null;
|
||||
}
|
||||
|
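Review bot: The flipped expectations for `category read`, `record folder read` and the `otherFolder` `READ_RECORDS` check encode an access-model change, yet nothing in the visible test lines says why a user who can read a record is now denied on its ancestors. The page does not mark which of the paired `ALLOWED`/`DENIED` lines is new; reading it together with the `setReadPermissionUp` helpers in the production section, `DENIED` appears to be the new expectation. I would state that next to the first changed assertion, e.g. `// RM-1661: read is no longer propagated up the hierarchy, ancestors stay DENIED`, so a later reader does not "fix" the expectation back. The enclosing test methods start and end outside the hunks.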