RM-1972: Methods with invalid policy are granted access

* invalid policy defintions now throw exception .. previously they just granted! * invalid capability definitions now throw exception .. previously they abstained with no message * reference to RM.Write removed and replaced with RM.Create or more appropriate permission check * adjustments to hold capabilities since they wheren't being exercised as we thought * ManageAccessRights no longer checks for frozen .. you should be able to manage the permissions of an object if it's frozen and you have the capability * Unit tests for new code and adjustments * Tweaks to existing integration tests where required git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.3@97786 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-07-31 17:39:05 +00:00 · 2015-02-23 23:02:09 +00:00
parent 8ed56c8d91
commit ca1f697f45
25 changed files with 965 additions and 63 deletions
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-condition-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-condition-context.xml
@@ -14,17 +14,20 @@
        <property name="filePlanService" ref="FilePlanService" />
        <property name="dispositionService" ref="DispositionService" />
        <property name="recordFolderService" ref="recordFolderService" />
        <property name="transactionalResourceHelper" ref="rm.transactionalResourceHelper" />
    </bean>
    <bean id="capabilityCondition.frozen"
          parent="capabilityCondition.base"
          class="org.alfresco.module.org_alfresco_module_rm.capability.declarative.condition.FrozenCapabilityCondition">
       <property name="holdService" ref="HoldService" />
    </bean>
    <bean id="capabilityCondition.frozenOrFrozenChildren"
          parent="capabilityCondition.base"
          class="org.alfresco.module.org_alfresco_module_rm.capability.declarative.condition.FrozenCapabilityCondition">
    	<property name="checkChildren" value="true" />
       <property name="holdService" ref="HoldService" />
    </bean>
    <bean id="capabilityCondition.frozenOrHold"
@@ -215,5 +218,10 @@
      <property name="includedInHold" value="true"/>
      <property name="holdService" ref="HoldService" />
   </bean>
   <bean id="capabilityCondition.hasFillingOnHoldContainer"
         parent="capabilityCondition.base"
         class="org.alfresco.module.org_alfresco_module_rm.capability.declarative.condition.FillingOnHoldContainerCapabilityCondition">
   </bean>
 </beans>
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-freeze-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-freeze-context.xml
@@ -11,12 +11,13 @@
      <property name="permission" value="CreateHold"/>
      <property name="kinds">
         <list>
            <value>FILE_PLAN</value>      <!-- required because the create hold method is parameterized by file plan -->
            <value>HOLD_CONTAINER</value>
         </list>
      </property>
      <property name="conditions">
         <map>
-            <entry key="capabilityCondition.filling" value="true"/>
+            <entry key="capabilityCondition.hasFillingOnHoldContainer" value="true"/>
         </map>
      </property>
      <property name="group"><ref bean="holdControlsGroup"/></property>
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-security-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-security-context.xml
@@ -22,7 +22,7 @@
      <property name="index" value="30" />
   </bean>
-   <!--  controls user and gropus role assignments -->
+   <!-- controls user and gropus role assignments -->
   <bean id="rmManageAccessControlsCapability"
      parent="declarativeCapability">
      <property name="name" value="ManageAccessControls" />
@@ -31,13 +31,13 @@
      <property name="index" value="40" />
   </bean>
   <!-- controls an entities permissions -->
   <bean id="rmManageAccessRightsCapability"
      parent="declarativeCapability">
      <property name="name" value="ManageAccessRights"/>
      <property name="permission" value="ManageAccessRights"/>
      <property name="conditions">
         <map>
            <entry key="capabilityCondition.frozen" value="false"/>
            <entry key="capabilityCondition.filling" value="true"/>
         </map>
      </property>
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/module-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/module-context.xml
@@ -5,6 +5,12 @@
   <!--  Authentication Helper -->
   <bean name="rm.authenticationUtil" class="org.alfresco.module.org_alfresco_module_rm.util.AuthenticationUtil"/>
   <!-- Transactional Resouce Helper -->
   <bean name="rm.transactionalResourceHelper" class="org.alfresco.module.org_alfresco_module_rm.util.TransactionalResourceHelper" />
   <!--  Alfresco Transaction Support Helper -->
   <bean name="rm.alfrescoTransactionSupport" class="org.alfresco.module.org_alfresco_module_rm.util.AlfrescoTransactionSupport" />
   <!-- Import extended repository context -->
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-deprecated-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-deprecated-context.xml
@@ -115,14 +115,14 @@
                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getNodeRefPath=RM.Read.0
                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getFilePlan=RM.Read.0,AFTER_RM.FilterNode
                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getFilePlans=RM_ALLOW
-                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.createFilePlan=RM.WRITE.0
+                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.createFilePlan=RM.Create.0
                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getAllContained=RM.Read.0,AFTER_RM.FilterNode
                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getContainedRecordCategories=RM.Read.0,AFTER_RM.FilterNode
                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getContainedRecordFolders=RM.Read.0,AFTER_RM.FilterNode
-                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.createRecordCategory=RM.Write.0
+                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.createRecordCategory=RM.Create.0
                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.isRecordFolderDeclared=RM.Read.0
                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.isRecordFolderClosed=RM.Read.0
-                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.createRecordFolder=RM.Write.0
+                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.createRecordFolder=RM.Create.0
                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getRecords=RM.Read.0,AFTER_RM.FilterNode
                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getRecordFolders=RM.Read.0,AFTER_RM.FilterNode
                org.alfresco.module.org_alfresco_module_rm.RecordsManagementService.getRecordMetaDataAspects=RM_ALLOW
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-public-services-security-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-public-services-security-context.xml
@@ -96,7 +96,8 @@
          depends-on="CapabilityService">
        <property name="namespacePrefixResolver" ref="namespaceService"/>
        <property name="capabilityService" ref="capabilityService"/>
-
+        <property name='transactionalResourceHelper' ref="rm.transactionalResourceHelper" />
        <property name='alfrescoTransactionSupport' ref="rm.alfrescoTransactionSupport" />
    </bean>
    <!-- ======================= -->
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml
@@ -418,11 +418,11 @@
                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getFilePlanBySiteId=RM_ALLOW,AFTER_RM.FilterNode
                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.existsUnfiledContainer=RM.Read.0
                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getUnfiledContainer=RM.Read.0,AFTER_RM.FilterNode
-                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createUnfiledContainer=RM.Write.0
+                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createUnfiledContainer=RM.Create.0
                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getHoldContainer=RM.Read.0,AFTER_RM.FilterNode
-                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createHoldContainer=RM.Write.0
+                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createHoldContainer=RM.Create.0
                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getTransferContainer=RM.Read.0,AFTER_RM.FilterNode
-                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createTransferContainer=RM.Write.0
+                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createTransferContainer=RM.Create.0
                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createFilePlan=RM_ALLOW
                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getNodeRefPath=RM.Read.0
                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.isFilePlanContainer=RM_ALLOW
@@ -430,7 +430,7 @@
                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getAllContained=RM.Read.0,AFTER_RM.FilterNode
                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getContainedRecordCategories=RM.Read.0,AFTER_RM.FilterNode
                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.getContainedRecordFolders=RM.Read.0,AFTER_RM.FilterNode
-                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createRecordCategory=RM.Write.0
+                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.createRecordCategory=RM.Create.0
                org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService.*=RM_DENY
                ]]>
            </value>
@@ -538,8 +538,8 @@
        <property name="objectDefinitionSource">
            <value>
               <![CDATA[
-                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.setupFilePlanRoles=RM.Write.0
+                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.setupFilePlanRoles=RM_ALLOW
-                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.tearDownFilePlanRoles=RM.Write.0
+                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.tearDownFilePlanRoles=RM_ALLOW
                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.getRoles=RM_ALLOW
                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.getRolesByUser=RM_ALLOW
                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.getRole=RM_ALLOW
@@ -1023,10 +1023,10 @@
                org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.isRecordFolder=RM.Read.0
                org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.isRecordFolderDeclared=RM.Read.0
                org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.isRecordFolderClosed=RM.Read.0
-                org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.createRecordFolder=RM.Write.0
+                org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.createRecordFolder=RM.Create.0
                org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.getRecordFolders=RM.Read.0,AFTER_RM.FilterNode
                org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.setupRecordFolder=RM.Read.0
-                org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.closeRecordFolder=RM.Write.0
+                org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.closeRecordFolder=RM_CAP.0.rma:filePlanComponent.CloseFolders
                org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService.*=RM_DENY
                ]]>
            </value>
@@ -1167,7 +1167,7 @@
         <value>
            <![CDATA[
               org.alfresco.module.org_alfresco_module_rm.record.InplaceRecordService.hideRecord=RM_ALLOW
-               org.alfresco.module.org_alfresco_module_rm.record.InplaceRecordService.moveRecord=RM.Write.0
+               org.alfresco.module.org_alfresco_module_rm.record.InplaceRecordService.moveRecord=RM.Create.0
               org.alfresco.module.org_alfresco_module_rm.record.InplaceRecordService.*=RM_DENY
            ]]>
         </value>
@@ -1523,15 +1523,15 @@
 			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.getHold=RM.Read.0,AFTER_RM.FilterNode
 			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.heldBy=RM.Read.0,AFTER_RM.FilterNode
 			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.getHeld=RM.Read.0,AFTER_RM.FilterNode
-			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.createHold=RM.Read.0
+			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.createHold=RM_CAP.0.rma:filePlanComponent.CreateHold
 			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.getHoldReason=RM.Read.0
-			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.setHoldReason=RM.Write.0
+			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.setHoldReason=RM_CAP.0.rma:filePlanComponent.EditHold
-			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.deleteHold=RM.Write.0
+			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.deleteHold=RM_CAP.0.rma:filePlanComponent.DeleteHold
-			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.addToHold=RM.Write.0
+			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.addToHold=RM_CAP.0.rma:filePlanComponent.AddToHold
-			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.addToHolds=RM.Write.0
+			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.addToHolds=RM_CAP.0.rma:filePlanComponent.AddToHold
-			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.removeFromHold=RM.Write.0
+			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.removeFromHold=RM_CAP.0.rma:filePlanComponent.RemoveFromHold
-			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.removeFromHolds=RM.Write.0
+			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.removeFromHolds=RM_CAP.0.rma:filePlanComponent.RemoveFromHold
-			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.removeFromAllHolds=RM.Write.0
+			   org.alfresco.module.org_alfresco_module_rm.hold.HoldService.removeFromAllHolds=RM_ALLOW
               org.alfresco.module.org_alfresco_module_rm.hold.HoldService.*=RM_DENY
            ]]>
         </value>
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMEntryVoter.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMEntryVoter.java
@@ -29,12 +29,13 @@ import net.sf.acegisecurity.Authentication;
 import net.sf.acegisecurity.ConfigAttribute;
 import net.sf.acegisecurity.vote.AccessDecisionVoter;
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.module.org_alfresco_module_rm.capability.policy.ConfigAttributeDefinition;
 import org.alfresco.module.org_alfresco_module_rm.capability.policy.Policy;
 import org.alfresco.module.org_alfresco_module_rm.security.RMMethodSecurityInterceptor;
 import org.alfresco.module.org_alfresco_module_rm.util.AlfrescoTransactionSupport;
 import org.alfresco.module.org_alfresco_module_rm.util.TransactionalResourceHelper;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
 import org.alfresco.repo.transaction.TransactionalResourceHelper;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.namespace.NamespacePrefixResolver;
 import org.aopalliance.intercept.MethodInvocation;
@@ -59,6 +60,12 @@ public class RMEntryVoter extends RMSecurityCommon
    /** Capability Service */
    private CapabilityService capabilityService;
    /** Transactional Resource Helper */
    private TransactionalResourceHelper transactionalResourceHelper;
    /** Alfresco transaction support */
    private AlfrescoTransactionSupport alfrescoTransactionSupport;
    /** Policy map */
    private Map<String, Policy> policies = new HashMap<String, Policy>();
@@ -78,6 +85,22 @@ public class RMEntryVoter extends RMSecurityCommon
    {
        this.nspr = nspr;
    }
    /**
     * @param transactionalResourceHelper   transactional resource helper
     */
    public void setTransactionalResourceHelper(TransactionalResourceHelper transactionalResourceHelper)
    {
        this.transactionalResourceHelper = transactionalResourceHelper;
    }
    /**
     * @param alfrescoTransactionSupport    alfresco transaction support helper
     */
    public void setAlfrescoTransactionSupport(AlfrescoTransactionSupport alfrescoTransactionSupport)
    {
        this.alfrescoTransactionSupport = alfrescoTransactionSupport;
    }
    /**
     * Register a policy the voter
@@ -130,7 +153,7 @@ public class RMEntryVoter extends RMSecurityCommon
    	MethodInvocation mi = (MethodInvocation)object;
-    	if (TransactionalResourceHelper.isResourcePresent("voting"))
+    	if (transactionalResourceHelper.isResourcePresent("voting"))
    	{
    		if (logger.isDebugEnabled())
            {
@@ -144,7 +167,7 @@ public class RMEntryVoter extends RMSecurityCommon
            logger.debug("Method: " + mi.getMethod().getDeclaringClass().getName() + "." + mi.getMethod().getName());
        }
-    	AlfrescoTransactionSupport.bindResource("voting", true);
+    	alfrescoTransactionSupport.bindResource("voting", true);
    	try
    	{
 	        // The system user can do anything
@@ -165,8 +188,15 @@ public class RMEntryVoter extends RMSecurityCommon
 	            return AccessDecisionVoter.ACCESS_ABSTAIN;
 	        }
 	        // check we have an instance of a method invocation
 	        if (!(object instanceof MethodInvocation))
 	        {
 	            // we expect a method invocation
 	            throw new AlfrescoRuntimeException("Passed object is not an instance of MethodInvocation as expected.");
 	        }
 	        // get information about the method
 	        MethodInvocation invocation = (MethodInvocation) object;
 	        Method method = invocation.getMethod();
 	        Class[] params = method.getParameterTypes();
@@ -273,7 +303,7 @@ public class RMEntryVoter extends RMSecurityCommon
    	}
    	finally
    	{
-    		AlfrescoTransactionSupport.unbindResource("voting");
+    		alfrescoTransactionSupport.unbindResource("voting");
    	}
        // all voted to allow
@@ -281,11 +311,12 @@ public class RMEntryVoter extends RMSecurityCommon
    }
    /**
     * Check the capability
     *
-     * @param invocation
+     * @param invocation    method invocation
-     * @param params
+     * @param params        parameters
-     * @param cad
+     * @param cad           config definition
-     * @return
+     * @return int          evaluation result
     */
    @SuppressWarnings("rawtypes")
 	private int checkCapability(MethodInvocation invocation, Class[] params, ConfigAttributeDefinition cad)
@@ -298,29 +329,33 @@ public class RMEntryVoter extends RMSecurityCommon
        Capability capability = capabilityService.getCapability(cad.getRequired().getName());
        if (capability == null)
        {
-            return AccessDecisionVoter.ACCESS_DENIED;
+            throw new AlfrescoRuntimeException("The capability '" + cad.getRequired().getName() + "' set on method '" + invocation.getMethod().getName() + "' does not exist.");
        }
        return capability.hasPermissionRaw(testNodeRef);
    }
    /**
     * Evaluate policy to determine access
     *
-     * @param invocation
+     * @param  invocation   invocation information
-     * @param params
+     * @param  params       parameters
-     * @param cad
+     * @param  cad          configuration attribute definition
-     * @return
+     * @return int          policy evaluation
     */
    @SuppressWarnings("rawtypes")
 	private int checkPolicy(MethodInvocation invocation, Class[] params, ConfigAttributeDefinition cad)
    {
        // try to get the policy
        Policy policy = policies.get(cad.getPolicyName());
        if (policy == null)
        {
-            return AccessDecisionVoter.ACCESS_GRANTED;
+            // throw an exception if the policy is invalid
            throw new AlfrescoRuntimeException("The policy '" + cad.getPolicyName() + "' set on the method '" + invocation.getMethod().getName() + "' does not exist.");
        }
        else
        {
            // evaluate the policy
            return policy.evaluate(invocation, params, cad);
        }
    }
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/AbstractCapabilityCondition.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/AbstractCapabilityCondition.java
@@ -26,8 +26,8 @@ import org.alfresco.module.org_alfresco_module_rm.freeze.FreezeService;
 import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
 import org.alfresco.module.org_alfresco_module_rm.record.RecordService;
 import org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderService;
 import org.alfresco.module.org_alfresco_module_rm.util.TransactionalResourceHelper;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.transaction.TransactionalResourceHelper;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.security.PermissionService;
@@ -56,6 +56,9 @@ public abstract class AbstractCapabilityCondition implements CapabilityCondition
    protected FilePlanService filePlanService;
    protected DispositionService dispositionService;
    protected RecordFolderService recordFolderService;
    /** transaction resource helper */
    private TransactionalResourceHelper transactionalResourceHelper;
    /**
     * @param recordService     record service
@@ -112,6 +115,14 @@ public abstract class AbstractCapabilityCondition implements CapabilityCondition
    {
        this.recordFolderService = recordFolderService;
    }
    /**
     * @param transactionalResourceHelper transactional resource helper
     */
    public void setTransactionalResourceHelper(TransactionalResourceHelper transactionalResourceHelper)
    {
        this.transactionalResourceHelper = transactionalResourceHelper;
    }
    /**
     * @see org.alfresco.module.org_alfresco_module_rm.capability.declarative.CapabilityCondition#getName()
@@ -131,7 +142,7 @@ public abstract class AbstractCapabilityCondition implements CapabilityCondition
        boolean result = false;
        // check transaction cache
-        Map<String, Boolean> map = TransactionalResourceHelper.getMap(KEY_EVALUATE);
+        Map<String, Boolean> map = transactionalResourceHelper.getMap(KEY_EVALUATE);
        String key = getName() + "|" + nodeRef.toString() + "|" + AuthenticationUtil.getRunAsUser();
        if (map.containsKey(key))
        {
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/FillingOnHoldContainerCapabilityCondition.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/FillingOnHoldContainerCapabilityCondition.java
@@ -0,0 +1,60 @@
 /*
 * Copyright (C) 2005-2014 Alfresco Software Limited.
 *
 * This file is part of Alfresco
 *
 * Alfresco is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * Alfresco is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
 */
 package org.alfresco.module.org_alfresco_module_rm.capability.declarative.condition;
 import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
 import org.alfresco.module.org_alfresco_module_rm.capability.declarative.AbstractCapabilityCondition;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.security.AccessStatus;
 /**
 * Filling capability for hold condition.
 * 
 * @author Roy Wetherall
 * @since 2.3
 */
 public class FillingOnHoldContainerCapabilityCondition extends AbstractCapabilityCondition
 {
    /**
     * @see org.alfresco.module.org_alfresco_module_rm.capability.declarative.CapabilityCondition#evaluate(org.alfresco.service.cmr.repository.NodeRef)
     */
    @Override
    public boolean evaluateImpl(NodeRef nodeRef)
    {
        boolean result = false;
        NodeRef holdContainer = nodeRef;      
        // if we have a file plan, go get the hold container
        if (filePlanService.isFilePlan(nodeRef) == true)
        {
            holdContainer = filePlanService.getHoldContainer(nodeRef);
        }
        // ensure we are dealing with a hold container
        if (TYPE_HOLD_CONTAINER.equals(nodeService.getType(holdContainer)))
        {        
            if (permissionService.hasPermission(holdContainer, RMPermissionModel.FILE_RECORDS) != AccessStatus.DENIED)
            {
                result = true;
            }
        }
        return result;     
    }
 }
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/FrozenCapabilityCondition.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/FrozenCapabilityCondition.java
@@ -19,27 +19,57 @@
 package org.alfresco.module.org_alfresco_module_rm.capability.declarative.condition;
 import org.alfresco.module.org_alfresco_module_rm.capability.declarative.AbstractCapabilityCondition;
 import org.alfresco.module.org_alfresco_module_rm.hold.HoldService;
 import org.alfresco.service.cmr.repository.NodeRef;
 /**
 * Indicates whether an item is held or not.
 * <p>
 * A hold object is by definition considered to be held.
 * 
 * @author Roy Wetherall
 */
 public class FrozenCapabilityCondition extends AbstractCapabilityCondition
 {
-private boolean checkChildren = false;
+    /** indicates whether children should be checked */
    private boolean checkChildren = false;
    /** hold service */
    private HoldService holdService;
    /**
     * @param checkChildren true to check children, false otherwise
     */
    public void setCheckChildren(boolean checkChildren)
    {
        this.checkChildren = checkChildren;
    }
    /**
     * @param holdService   hold service
     */
    public void setHoldService(HoldService holdService)
    {
        this.holdService = holdService;
    }
    @Override
    public boolean evaluateImpl(NodeRef nodeRef)
    {
-        boolean result = freezeService.isFrozen(nodeRef);
+        boolean result = false;
-        if (!result && checkChildren)
+        
        // check whether we are working with a hold or not
        if (holdService.isHold(nodeRef))
        {
-            result = freezeService.hasFrozenChildren(nodeRef);
+            result = true;
        }
        else
        {
            result = freezeService.isFrozen(nodeRef);
            if (!result && checkChildren)
            {
                result = freezeService.hasFrozenChildren(nodeRef);
            }
        }
        return result;
    }
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/HoldCapabilityCondition.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/HoldCapabilityCondition.java
@@ -62,16 +62,23 @@ public class HoldCapabilityCondition extends AbstractCapabilityCondition
    {
        boolean result = false;
-        List<NodeRef> holds = holdService.heldBy(nodeRef, includedInHold);
+        if (holdService.isHold(nodeRef))
        for (NodeRef hold : holds)
        {
-            // return true as soon as we find one hold we have filling permission on
+            result = AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, RMPermissionModel.FILING));
-            if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(hold, RMPermissionModel.FILING)))
+        }
        else
        {
            List<NodeRef> holds = holdService.heldBy(nodeRef, includedInHold);
            for (NodeRef hold : holds)
            {
-                result = true;
+                // return true as soon as we find one hold we have filling permission on
-                break;
+                if (AccessStatus.ALLOWED.equals(permissionService.hasPermission(hold, RMPermissionModel.FILING)))
                {
                    result = true;
                    break;
                }
            }
-        }        
+        }
        return result;
    }
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/disposition/DispositionServiceImpl.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/disposition/DispositionServiceImpl.java
@@ -969,7 +969,7 @@ public class DispositionServiceImpl extends    ServiceBaseImpl
     * @see org.alfresco.module.org_alfresco_module_rm.disposition.DispositionService#cutoffDisposableItem(NodeRef)
     */
    @Override
-    public void cutoffDisposableItem(NodeRef nodeRef)
+    public void cutoffDisposableItem(final NodeRef nodeRef)
    {
        ParameterCheck.mandatory("nodeRef", nodeRef);
@@ -1001,7 +1001,15 @@ public class DispositionServiceImpl extends    ServiceBaseImpl
                if (recordFolderService.isRecordFolder(nodeRef) &&
                    !recordFolderService.isRecordFolderClosed(nodeRef))
                {
-                    recordFolderService.closeRecordFolder(nodeRef);
+                    // runAs system so that we can close a record that has already been cutoff
                    authenticationUtil.runAsSystem(new RunAsWork<Void>()
                    {
                        public Void doWork() throws Exception
                        {
                            recordFolderService.closeRecordFolder(nodeRef);
                            return null;
                        }
                    });                    
                }
            }
            else
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/RMMethodSecurityInterceptor.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/RMMethodSecurityInterceptor.java
@@ -39,7 +39,7 @@ public class RMMethodSecurityInterceptor extends MethodSecurityInterceptor
    {
        public String name;
        public AccessStatus status;
-        public Map<String, Boolean> conditions = new HashMap<String, Boolean>();
+        public Map<String, Boolean> conditions = new HashMap<String, Boolean>();        
    }
    /**
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/util/AlfrescoTransactionSupport.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/util/AlfrescoTransactionSupport.java
@@ -0,0 +1,45 @@
 /*
 * Copyright (C) 2005-2014 Alfresco Software Limited.
 *
 * This file is part of Alfresco
 *
 * Alfresco is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * Alfresco is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
 */
 package org.alfresco.module.org_alfresco_module_rm.util;
 /**
 * Alfresco Transaction Support delegation bean.
 * 
 * @author Roy Wetherall
 * @since 2.3
 * @see org.alfresco.repo.transaction.AlfrescoTransactionSupport
 */
 public class AlfrescoTransactionSupport
 {
    /**
     * @see org.alfresco.repo.transaction.AlfrescoTransactionSupport#bindResource(Object, Object)
     */
    public void bindResource(Object key, Object resource)
    {
        org.alfresco.repo.transaction.AlfrescoTransactionSupport.bindResource(key, resource);
    }
    /**
     * @see org.alfresco.repo.transaction.AlfrescoTransactionSupport#unbindResource(Object)
     */
    public void unbindResource(Object key)
    {
        org.alfresco.repo.transaction.AlfrescoTransactionSupport.unbindResource(key);
    }
 }
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/util/TransactionalResourceHelper.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/util/TransactionalResourceHelper.java
@@ -0,0 +1,106 @@
 /*
 * Copyright (C) 2005-2014 Alfresco Software Limited.
 *
 * This file is part of Alfresco
 *
 * Alfresco is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * Alfresco is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
 */
 package org.alfresco.module.org_alfresco_module_rm.util;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.TreeSet;
 /**
 * Delegate spring bean for TransactionResourceHelper
 * 
 * @author Roy Wetherall
 * @since 2.3
 * @see org.alfresco.repo.transaction.TransactionalResourceHelper
 */
 public class TransactionalResourceHelper
 {
    /**
     * @see org.alfresco.repo.transaction.TransactionalResourceHelper#getCount(Object)
     */
    public int getCount(Object resourceKey)
    {
        return org.alfresco.repo.transaction.TransactionalResourceHelper.getCount(resourceKey);
    }
    /**
     * @see org.alfresco.repo.transaction.TransactionalResourceHelper#getCount(Object)
     */
    public void resetCount(Object resourceKey)
    {
        org.alfresco.repo.transaction.TransactionalResourceHelper.resetCount(resourceKey);
    }
    /**
     * @see org.alfresco.repo.transaction.TransactionalResourceHelper#incrementCount(Object)
     */
    public int incrementCount(Object resourceKey)
    {
        return org.alfresco.repo.transaction.TransactionalResourceHelper.incrementCount(resourceKey);
    }
    /**
     * @see org.alfresco.repo.transaction.TransactionalResourceHelper#decrementCount(Object, boolean)
     */
    public int decrementCount(Object resourceKey, boolean allowNegative)
    {
        return org.alfresco.repo.transaction.TransactionalResourceHelper.decrementCount(resourceKey, allowNegative);
    }
    /**
     * @see org.alfresco.repo.transaction.TransactionalResourceHelper#getCount(Object)
     */
    public boolean isResourcePresent(Object resourceKey)
    {
        return org.alfresco.repo.transaction.TransactionalResourceHelper.isResourcePresent(resourceKey);
    }
    /**
     * @see org.alfresco.repo.transaction.TransactionalResourceHelper#getMap(Object)
     */
    public <K,V> Map<K,V> getMap(Object resourceKey)
    {
        return org.alfresco.repo.transaction.TransactionalResourceHelper.getMap(resourceKey);
    }
    /**
     * @see org.alfresco.repo.transaction.TransactionalResourceHelper#getSet(Object)
     */
    public <V> Set<V> getSet(Object resourceKey)
    {
        return org.alfresco.repo.transaction.TransactionalResourceHelper.getSet(resourceKey);
    }
    /**
     * @see org.alfresco.repo.transaction.TransactionalResourceHelper#getTreeSet(Object)
     */
    public <V> TreeSet<V> getTreeSet(Object resourceKey)
    {
        return org.alfresco.repo.transaction.TransactionalResourceHelper.getTreeSet(resourceKey);
    }
    /**
     * @see org.alfresco.repo.transaction.TransactionalResourceHelper#getList(Object)
     */
    public <V> List<V> getList(Object resourceKey)
    {
        return org.alfresco.repo.transaction.TransactionalResourceHelper.getList(resourceKey);
    }
 }
--- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/hold/CreateHoldTest.java
+++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/hold/CreateHoldTest.java
@@ -96,7 +96,9 @@ public class CreateHoldTest extends BaseRMTestCase
                {
                    public Void doWork() throws Exception
                    {
                        // ensure the user has the correct permission to create the hold
                        filePlanPermissionService.setPermission(holdsContainer, testUser, FILING);
                        return null;
                    }
                }, getAdminUserName());
--- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/issue/RM1030Test.java
+++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/issue/RM1030Test.java
@@ -19,7 +19,9 @@
 package org.alfresco.module.org_alfresco_module_rm.test.integration.issue;
 import java.util.List;
 import java.util.Set;
 import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService;
 import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase;
 import org.alfresco.service.cmr.repository.NodeRef;
@@ -45,6 +47,12 @@ public class RM1030Test extends BaseRMTestCase
            @Override
            public NodeRef run()
            {
                Set<String> auths = filePlanRoleService.getAllAssignedToRole(filePlan, FilePlanRoleService.ROLE_ADMIN);
                for (String auth : auths)
                {
                    System.out.println(auth);
                }
                // show there are no holds when we start
                List<NodeRef> holds = holdService.getHolds(filePlan);
                assertNotNull(holds);
--- a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/capability/RMEntryVoterUnitTest.java
+++ b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/capability/RMEntryVoterUnitTest.java
@@ -0,0 +1,153 @@
 /*
 * Copyright (C) 2005-2014 Alfresco Software Limited.
 *
 * This file is part of Alfresco
 *
 * Alfresco is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * Alfresco is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
 */
 package org.alfresco.module.org_alfresco_module_rm.capability;
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import java.lang.reflect.Method;
 import java.util.Iterator;
 import net.sf.acegisecurity.Authentication;
 import net.sf.acegisecurity.ConfigAttribute;
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.module.org_alfresco_module_rm.capability.policy.ConfigAttributeDefinition;
 import org.alfresco.module.org_alfresco_module_rm.capability.policy.Policy;
 import org.alfresco.module.org_alfresco_module_rm.test.util.BaseUnitTest;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.aopalliance.intercept.MethodInvocation;
 import org.junit.Test;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 /**
 * RM entry voter unit test
 * 
 * @author Roy Wetherall
 * @since 2.3
 */
 public class RMEntryVoterUnitTest extends BaseUnitTest
 {
    private static final String POLICY_NAME = "myPolicy";
    /** RM Entry */
    private @InjectMocks RMEntryVoter entryVoter;
    /** Mocked policy */
    private @Mock Policy mockedPolicy;
    /**
     * Given that we have provided an invalid policy
     * When I evaluate the voter
     * Then an AlfrescoRuntimeException is thrown
     */
    @Test
    public void invalidPolicy() throws Exception
    {
        // given I am providing an invalid policy for a method
        Authentication mockedAuthentication = mock(Authentication.class);
        MethodInvocation mockedMethodInvocation = createMethodInvoation("myTestMethod", NodeRef.class);
        net.sf.acegisecurity.ConfigAttributeDefinition mockedConfigDef = createConfigDefinition("RM.invalid");
        // I expect an Alfresco Runtime Exception
        exception.expect(AlfrescoRuntimeException.class);
        // call vote
        entryVoter.vote(mockedAuthentication, mockedMethodInvocation, mockedConfigDef);    
    }
    /**
     * Given that I have provided a valid policy
     * When I evaluate the voter
     * Then the corresponding policy will be evaluated
     */
    @Test
    public void validPolicy() throws Exception
    {
        when(mockedPolicy.getName())
            .thenReturn(POLICY_NAME);
        entryVoter.registerPolicy(mockedPolicy);
        //  mock calling details
        Authentication mockedAuthentication = mock(Authentication.class);
        MethodInvocation mockedMethodInvocation = createMethodInvoation("myTestMethod", NodeRef.class);
        net.sf.acegisecurity.ConfigAttributeDefinition mockedConfigDef = createConfigDefinition("RM." + POLICY_NAME);
        // call vote
        entryVoter.vote(mockedAuthentication, mockedMethodInvocation, mockedConfigDef);
        // verify that the policy was executed
        verify(mockedPolicy, times(1)).evaluate(eq(mockedMethodInvocation), any(Class[].class), any(ConfigAttributeDefinition.class));
    }
    /**
     * Helper method to create configuration object
     */
    @SuppressWarnings("rawtypes")
    private net.sf.acegisecurity.ConfigAttributeDefinition createConfigDefinition(String value)
    {
        net.sf.acegisecurity.ConfigAttributeDefinition mockedConfig = mock(net.sf.acegisecurity.ConfigAttributeDefinition.class);
        ConfigAttribute mockedConfigAttr = mock(ConfigAttribute.class);        
        when(mockedConfigAttr.getAttribute())
            .thenReturn(value);
        Iterator mockedIter = mock(Iterator.class);
        when(mockedIter.hasNext())
            .thenReturn(true)
            .thenReturn(false);
        when(mockedIter.next())
            .thenReturn(mockedConfigAttr);
        when(mockedConfig.getConfigAttributes())
            .thenReturn(mockedIter);
        return mockedConfig;        
    }
    /**
     * Helper method to create method invocation mock
     */
    private MethodInvocation createMethodInvoation(String methodName, Class<?> ... parameterTypes)
        throws Exception
    {
        // mock method invocation
        MethodInvocation mockedMethodInvocation = mock(MethodInvocation.class);
        // get method object .. assumed to be a method on this object
        Method method = RMEntryVoterUnitTest.class.getMethod(methodName, parameterTypes);
        when(mockedMethodInvocation.getMethod())
            .thenReturn(method);
        return mockedMethodInvocation;
    }
    /** ========= Test methods ======== */
    public void myTestMethod(NodeRef nodeRef)
    {
        // does nothing
    }
 }
--- a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/CapabilityDeclarativeConditionSuite.java
+++ b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/CapabilityDeclarativeConditionSuite.java
@@ -0,0 +1,40 @@
 /*
 * Copyright (C) 2005-2014 Alfresco Software Limited.
 *
 * This file is part of Alfresco
 *
 * Alfresco is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * Alfresco is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
 */
 package org.alfresco.module.org_alfresco_module_rm.capability.declarative.condition;
 import org.junit.runner.RunWith;
 import org.junit.runners.Suite;
 import org.junit.runners.Suite.SuiteClasses;
 /**
 * capability.declarative.condition unit test suite
 *
 * @author Roy Wetherall
 * @since 2.3
 */
@RunWith(Suite.class)
@SuiteClasses(
 {
    HoldCapabilityConditionUnitTest.class,
    FillingOnHoldContainerCapabilityConditionUnitTest.class,
    FrozenCapabilityConditionUnitTest.class
 })
 public class CapabilityDeclarativeConditionSuite
 {
 }
--- a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/FillingOnHoldContainerCapabilityConditionUnitTest.java
+++ b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/FillingOnHoldContainerCapabilityConditionUnitTest.java
@@ -0,0 +1,141 @@
 /*
 * Copyright (C) 2005-2014 Alfresco Software Limited.
 *
 * This file is part of Alfresco
 *
 * Alfresco is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * Alfresco is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
 */
 package org.alfresco.module.org_alfresco_module_rm.capability.declarative.condition;
 import static org.mockito.Mockito.*;
 import static org.junit.Assert.*;
 import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
 import org.alfresco.module.org_alfresco_module_rm.test.util.BaseUnitTest;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.security.AccessStatus;
 import org.junit.Before;
 import org.junit.Test;
 import org.mockito.InjectMocks;
 /**
 * Filling on hold container capability condition unit test
 * 
 * @author Roy Wetherall
 * @since 2.3
 */
 public class FillingOnHoldContainerCapabilityConditionUnitTest extends BaseUnitTest
 {
    /** evaluator */
    private @InjectMocks FillingOnHoldContainerCapabilityCondition condition;
    /**
     * @see org.alfresco.module.org_alfresco_module_rm.test.util.BaseUnitTest#before()
     */
    @Before
    @Override
    public void before() throws Exception
    {
        super.before();
    }
    /**
     * Given hold container node
     * And no filling permission
     * When evaluate
     * Then false
     */
    @Test
    public void noFillingOnHoldContainer()
    {
        NodeRef holdContainer = generateNodeRef(TYPE_HOLD_CONTAINER);
        when(mockedFilePlanService.isFilePlan(holdContainer))
            .thenReturn(false);
        when(mockedPermissionService.hasPermission(holdContainer, RMPermissionModel.FILE_RECORDS))
            .thenReturn(AccessStatus.DENIED);
        assertFalse(condition.evaluateImpl(holdContainer));
    }
    /**
     * Given hold container node
     * And filling permission
     * When evaluate
     * Then true
     */
    @Test
    public void fillingOnHoldContainer()
    {
        NodeRef holdContainer = generateNodeRef(TYPE_HOLD_CONTAINER);
        when(mockedFilePlanService.isFilePlan(holdContainer))
            .thenReturn(false);
        when(mockedPermissionService.hasPermission(holdContainer, RMPermissionModel.FILE_RECORDS))
            .thenReturn(AccessStatus.ALLOWED);
        assertTrue(condition.evaluateImpl(holdContainer));
    }
    /**
     * Given file-plan node
     * And no filling permission on hold container
     * When evaluate
     * Then false
     */
    @Test
    public void filePlanNoFilling()
    {
        NodeRef holdContainer = generateNodeRef(TYPE_HOLD_CONTAINER);
        when(mockedFilePlanService.getHoldContainer(filePlan))
            .thenReturn(holdContainer);
        when(mockedPermissionService.hasPermission(holdContainer, RMPermissionModel.FILE_RECORDS))
            .thenReturn(AccessStatus.DENIED);
        assertFalse(condition.evaluateImpl(holdContainer));
    }
    /**
     * Given file-plan node
     * And filling permission on hold container
     * When evaluate
     * Then true
     */
    @Test
    public void filePlanFilling()
    {
        NodeRef holdContainer = generateNodeRef(TYPE_HOLD_CONTAINER);
        when(mockedFilePlanService.getHoldContainer(filePlan))
            .thenReturn(holdContainer);
        when(mockedPermissionService.hasPermission(holdContainer, RMPermissionModel.FILE_RECORDS))
            .thenReturn(AccessStatus.ALLOWED);
        assertTrue(condition.evaluateImpl(holdContainer));
    }
    /**
     * Given unexpected node type
     * When evaluate
     * Then false
     */
    @Test
    public void unexpectedNode()
    {
        NodeRef unexpectedNode = generateNodeRef();
        when(mockedFilePlanService.isFilePlan(unexpectedNode))
            .thenReturn(false);
        when(mockedPermissionService.hasPermission(unexpectedNode, RMPermissionModel.FILE_RECORDS))
            .thenReturn(AccessStatus.ALLOWED);
        assertFalse(condition.evaluateImpl(unexpectedNode));
    }    
 }
--- a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/FrozenCapabilityConditionUnitTest.java
+++ b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/FrozenCapabilityConditionUnitTest.java
@@ -0,0 +1,232 @@
 /*
 * Copyright (C) 2005-2014 Alfresco Software Limited.
 *
 * This file is part of Alfresco
 *
 * Alfresco is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * Alfresco is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
 */
 package org.alfresco.module.org_alfresco_module_rm.capability.declarative.condition;
 import static org.junit.Assert.*;
 import static org.mockito.Mockito.*;
 import org.alfresco.module.org_alfresco_module_rm.test.util.BaseUnitTest;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.junit.Before;
 import org.junit.Test;
 import org.mockito.InjectMocks;
 /**
 * Frozen capability condition unit test
 * 
 * @author Roy Wetherall
 * @since 2.3
 */
 public class FrozenCapabilityConditionUnitTest extends BaseUnitTest
 {
    /** evaluator */
    private @InjectMocks FrozenCapabilityCondition condition;
    /**
     * @see org.alfresco.module.org_alfresco_module_rm.test.util.BaseUnitTest#before()
     */
    @Before
    @Override
    public void before() throws Exception
    {
        super.before();
    }
    /**
     * Given hold
     * When evaluate
     * Then true
     */
    @Test
    public void evaluateHold()
    {
        // is a hold
        NodeRef nodeRef = generateNodeRef();
        when(mockedHoldService.isHold(nodeRef))
            .thenReturn(true);        
        // evaluate
        assertTrue(condition.evaluate(nodeRef));
        // verify
        verify(mockedHoldService, times(1)).isHold(nodeRef);
        verify(mockedFreezeService, never()).isFrozen(nodeRef);
        verify(mockedFreezeService, never()).hasFrozenChildren(nodeRef);
    }
    /**
     * Given is frozen
     * And no check children
     * When evaluate
     * Then true
     */
    @Test
    public void frozenDontCheckChildren()
    {
        // is not a hold
        NodeRef nodeRef = generateNodeRef();
        when(mockedHoldService.isHold(nodeRef))
            .thenReturn(false);
        // dont check children
        condition.setCheckChildren(false);
        // is frozen
        when(mockedFreezeService.isFrozen(nodeRef))
            .thenReturn(true);
        // evaluate
        assertTrue(condition.evaluate(nodeRef));
        // verify
        verify(mockedHoldService, times(1)).isHold(nodeRef);
        verify(mockedFreezeService, times(1)).isFrozen(nodeRef);
        verify(mockedFreezeService, never()).hasFrozenChildren(nodeRef);
    }
    /**
     * Given is not frozen
     * And no check children
     * When evaluate
     * Then false
     */
    @Test
    public void notFrozenDontCheckChildren()
    {
        // is not a hold
        NodeRef nodeRef = generateNodeRef();
        when(mockedHoldService.isHold(nodeRef))
            .thenReturn(false);
        // dont check children
        condition.setCheckChildren(false);
        // is not frozen
        when(mockedFreezeService.isFrozen(nodeRef))
            .thenReturn(false);
        // evaluate
        assertFalse(condition.evaluate(nodeRef));
        // verify
        verify(mockedHoldService, times(1)).isHold(nodeRef);
        verify(mockedFreezeService, times(1)).isFrozen(nodeRef);
        verify(mockedFreezeService, never()).hasFrozenChildren(nodeRef);
    }
    /**
     * Given is frozen
     * And check children
     * When evaluate
     * Then true
     */
    @Test
    public void frozenCheckChildren()
    {
        // is not a hold
        NodeRef nodeRef = generateNodeRef();
        when(mockedHoldService.isHold(nodeRef))
            .thenReturn(false);
        // check children
        condition.setCheckChildren(true);
        // is frozen
        when(mockedFreezeService.isFrozen(nodeRef))
            .thenReturn(true);
        // evaluate
        assertTrue(condition.evaluate(nodeRef));
        // verify
        verify(mockedHoldService, times(1)).isHold(nodeRef);
        verify(mockedFreezeService, times(1)).isFrozen(nodeRef);
        verify(mockedFreezeService, never()).hasFrozenChildren(nodeRef);
    }
    /**
     * Given is not frozen
     * And check children
     * And children no frozen
     * When evaluate
     * Then false
     */
    @Test
    public void notFrozenCheckChildrenNotFrozen()
    {
        // is not a hold
        NodeRef nodeRef = generateNodeRef();
        when(mockedHoldService.isHold(nodeRef))
            .thenReturn(false);
        // check children
        condition.setCheckChildren(true);
        // is not frozen
        when(mockedFreezeService.isFrozen(nodeRef))
            .thenReturn(false);
        // children not frozen
        when(mockedFreezeService.hasFrozenChildren(nodeRef))
            .thenReturn(false);
        // evaluate
        assertFalse(condition.evaluate(nodeRef));
        // verify
        verify(mockedHoldService, times(1)).isHold(nodeRef);
        verify(mockedFreezeService, times(1)).isFrozen(nodeRef);
        verify(mockedFreezeService, times(1)).hasFrozenChildren(nodeRef);
    }
    /**
     * Given is not frozen
     * And check children
     * And children frozen
     * When evaluate
     * Then true
     */
    @Test
    public void notFrozenCheckChildrenFrozen()
    {
        // is not a hold
        NodeRef nodeRef = generateNodeRef();
        when(mockedHoldService.isHold(nodeRef))
            .thenReturn(false);
        // check children
        condition.setCheckChildren(true);
        // is not frozen
        when(mockedFreezeService.isFrozen(nodeRef))
            .thenReturn(false);
        // children frozen
        when(mockedFreezeService.hasFrozenChildren(nodeRef))
            .thenReturn(true);
        // evaluate
        assertTrue(condition.evaluate(nodeRef));
        // verify
        verify(mockedHoldService, times(1)).isHold(nodeRef);
        verify(mockedFreezeService, times(1)).isFrozen(nodeRef);
        verify(mockedFreezeService, times(1)).hasFrozenChildren(nodeRef);
    }
 }
--- a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/HoldCapabilityConditionUnitTest.java
+++ b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/condition/HoldCapabilityConditionUnitTest.java
@@ -57,10 +57,10 @@ public class HoldCapabilityConditionUnitTest extends BaseUnitTest
    private List<NodeRef> holds;
    /** mocked objects */
-    @Mock(name="kinds") Set<FilePlanComponentKind> mockedKinds;
+    private @Mock(name="kinds") Set<FilePlanComponentKind> mockedKinds;
    /** evaluator */
-    @Spy @InjectMocks HoldCapabilityCondition evaluator;
+    private @Spy @InjectMocks HoldCapabilityCondition evaluator;
    /**
     * @see org.alfresco.module.org_alfresco_module_rm.test.util.BaseUnitTest#before()
--- a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/test/AllUnitTestSuite.java
+++ b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/test/AllUnitTestSuite.java
@@ -23,7 +23,8 @@ import org.alfresco.module.org_alfresco_module_rm.action.impl.FileReportActionUn
 import org.alfresco.module.org_alfresco_module_rm.action.impl.UnlinkFromActionUnitTest;
 import org.alfresco.module.org_alfresco_module_rm.bootstrap.BootstrapImporterModuleComponentUnitTest;
 import org.alfresco.module.org_alfresco_module_rm.bootstrap.RecordContributorsGroupBootstrapComponentUnitTest;
-import org.alfresco.module.org_alfresco_module_rm.capability.declarative.condition.HoldCapabilityConditionUnitTest;
+import org.alfresco.module.org_alfresco_module_rm.capability.RMEntryVoterUnitTest;
 import org.alfresco.module.org_alfresco_module_rm.capability.declarative.condition.CapabilityDeclarativeConditionSuite;
 import org.alfresco.module.org_alfresco_module_rm.forms.RecordsManagementTypeFormFilterUnitTest;
 import org.alfresco.module.org_alfresco_module_rm.hold.HoldServiceImplUnitTest;
 import org.alfresco.module.org_alfresco_module_rm.job.DispositionLifecycleJobExecuterUnitTest;
@@ -58,6 +59,7 @@ import org.junit.runners.Suite.SuiteClasses;
    DispositionLifecycleJobExecuterUnitTest.class,
    DictionaryBootstrapPostProcessorUnitTest.class,
    DateParameterProcessorUnitTest.class,
    RMEntryVoterUnitTest.class,
    // services
    RecordServiceImplUnitTest.class,
@@ -74,9 +76,6 @@ import org.junit.runners.Suite.SuiteClasses;
    HoldPostUnitTest.class,
    HoldPutUnitTest.class,
    // capability conditions
    HoldCapabilityConditionUnitTest.class,
    // action implementations
    FileReportActionUnitTest.class,
    UnlinkFromActionUnitTest.class,
@@ -91,7 +90,10 @@ import org.junit.runners.Suite.SuiteClasses;
    // bootstrap
    BootstrapImporterModuleComponentUnitTest.class,
-    RecordContributorsGroupBootstrapComponentUnitTest.class
+    RecordContributorsGroupBootstrapComponentUnitTest.class,
    // suites by package
    CapabilityDeclarativeConditionSuite.class
 })
 public class AllUnitTestSuite
 {
--- a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/test/util/BaseUnitTest.java
+++ b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/test/util/BaseUnitTest.java
@@ -35,6 +35,7 @@ import org.alfresco.model.ContentModel;
 import org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementActionService;
 import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService;
 import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
 import org.alfresco.module.org_alfresco_module_rm.freeze.FreezeService;
 import org.alfresco.module.org_alfresco_module_rm.hold.HoldService;
 import org.alfresco.module.org_alfresco_module_rm.identifier.IdentifierService;
 import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
@@ -46,7 +47,9 @@ import org.alfresco.module.org_alfresco_module_rm.recordfolder.RecordFolderServi
 import org.alfresco.module.org_alfresco_module_rm.report.ReportService;
 import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService;
 import org.alfresco.module.org_alfresco_module_rm.security.ExtendedSecurityService;
 import org.alfresco.module.org_alfresco_module_rm.util.AlfrescoTransactionSupport;
 import org.alfresco.module.org_alfresco_module_rm.util.AuthenticationUtil;
 import org.alfresco.module.org_alfresco_module_rm.util.TransactionalResourceHelper;
 import org.alfresco.module.org_alfresco_module_rm.version.RecordableVersionService;
 import org.alfresco.repo.policy.BehaviourFilter;
 import org.alfresco.repo.policy.PolicyComponent;
@@ -128,6 +131,9 @@ public class BaseUnitTest implements RecordsManagementModel, ContentModel
    @Mock(name="recordableVersionConfigService") protected RecordableVersionConfigService mockedRecordableVersionConfigService;
    @Mock(name="cmObjectType")                   protected CmObjectType                 mockedCmObjectType;
    @Mock(name="recordableVersionService")       protected RecordableVersionService     mockedRecordableVersionService;
    @Mock(name="transactionalResourceHelper")    protected TransactionalResourceHelper  mockedTransactionalResourceHelper;
    @Mock(name="alfrescoTransactionSupport")     protected AlfrescoTransactionSupport   mockedAlfrescoTransactionSupport;
    @Mock(name="freezeService")                  protected FreezeService                mockedFreezeService;
    /** application context mock */
    @Mock(name="applicationContext")             protected ApplicationContext           mockedApplicationContext;