RM-3963: prevent POST request directly in RM site node
@@ -31,7 +31,7 @@
|
||||
|
||||
<bean id="rm.Nodes" class="org.springframework.aop.framework.ProxyFactoryBean">
|
||||
<property name="proxyInterfaces">
|
||||
<value>org.alfresco.rest.api.Nodes</value>
|
||||
<value>org.alfresco.rm.rest.api.RMNodes</value>
|
||||
</property>
|
||||
<property name="target">
|
||||
<ref bean="rm.nodes" />
|
||||
|
@@ -40,4 +40,12 @@ public interface RMNodes extends Nodes
|
||||
String PARAM_INCLUDE_HAS_RETENTION_SCHEDULE = "hasRetentionSchedule";
|
||||
String PARAM_INCLUDE_IS_CLOSED = "isClosed";
|
||||
String PARAM_INCLUDE_IS_COMPLETED = "isCompleted";
|
||||
|
||||
/**
|
||||
* Identifies if one node is RM site node.
|
||||
*
|
||||
* @param nodeId
|
||||
* @return
|
||||
*/
|
||||
boolean isRMSite(String nodeId);
|
||||
}
|
||||
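Review bot: The Javadoc on `isRMSite` leaves both `@param nodeId` and `@return` empty, so the interface does not tell a caller what a `false` result means. The resource classes on this page use the method to decide whether a POST is refused, so the contract should be spelled out, e.g. `@param nodeId identifier of the node to test` and `@return true only if the node is the RM site node; false otherwise, including when the RM site cannot be found`. The last clause reflects the `RMNodesImpl` implementation shown on this page; adjust it if a different behaviour is intended.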
|
@@ -60,6 +60,8 @@ import org.alfresco.service.cmr.dictionary.DictionaryService;
|
||||
import org.alfresco.service.cmr.repository.ChildAssociationRef;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.repository.NodeService;
|
||||
import org.alfresco.service.cmr.site.SiteInfo;
|
||||
import org.alfresco.service.cmr.site.SiteService;
|
||||
import org.alfresco.service.namespace.NamespaceService;
|
||||
import org.alfresco.service.namespace.QName;
|
||||
import org.alfresco.util.Pair;
|
||||
@@ -89,6 +91,7 @@ public class RMNodesImpl extends NodesImpl implements RMNodes
|
||||
private Repository repositoryHelper;
|
||||
private DictionaryService dictionaryService;
|
||||
private DispositionService dispositionService;
|
||||
private SiteService siteService;
|
||||
|
||||
/**
|
||||
* TODO to remove this after isSpecialNode is made protected in core implementation
|
||||
@@ -100,6 +103,7 @@ public class RMNodesImpl extends NodesImpl implements RMNodes
|
||||
this.nodeService = serviceRegistry.getNodeService();
|
||||
this.dictionaryService = serviceRegistry.getDictionaryService();
|
||||
this.dispositionService = serviceRegistry.getDispositionService();
|
||||
this.siteService = serviceRegistry.getSiteService();
|
||||
}
|
||||
|
||||
public void setRecordsManagementServiceRegistry(RecordsManagementServiceRegistry serviceRegistry)
|
||||
@@ -367,12 +371,6 @@ public class RMNodesImpl extends NodesImpl implements RMNodes
|
||||
private boolean isCoreSpecialNode(NodeRef nodeRef, QName type)
|
||||
{
|
||||
// Check for Company Home, Sites and Data Dictionary (note: must be tenant-aware)
|
||||
NodeRef filePlan = filePlanService.getFilePlanBySiteId(FilePlanService.DEFAULT_RM_SITE_ID);
|
||||
if(filePlan != null)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
if (nodeRef.equals(repositoryHelper.getCompanyHome()))
|
||||
{
|
||||
return true;
|
||||
@@ -425,4 +423,21 @@ public class RMNodesImpl extends NodesImpl implements RMNodes
|
||||
}
|
||||
super.deleteNode(nodeId, parameters);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isRMSite(String nodeId)
|
||||
{
|
||||
NodeRef nodeRef = validateOrLookupNode(nodeId, null);
|
||||
|
||||
SiteInfo siteInfo = siteService.getSite(FilePlanService.DEFAULT_RM_SITE_ID);
|
||||
if(siteInfo !=null)
|
||||
{
|
||||
NodeRef rmNodeRef = siteInfo.getNodeRef();
|
||||
if(rmNodeRef.equals(nodeRef))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
}
|
||||
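Review bot: `isRMSite` returns `false` when `siteService.getSite(FilePlanService.DEFAULT_RM_SITE_ID)` yields `null`, and the callers on this page treat `false` as "POST allowed", so a failed site lookup lets the request through rather than blocking it. Whether `getSite` can return `null` for a caller who cannot see the site is not visible here; if it can, the guard would depend on the caller's view of the site, which should be confirmed and recorded with a comment such as `// no RM site found: nothing to protect, so this is not the RM site node`. The comparison is also tied to the default site id only. As a style point, the nested ifs reduce to `return siteInfo != null && siteInfo.getNodeRef().equals(nodeRef);`.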
|
@@ -30,14 +30,15 @@ package org.alfresco.rm.rest.api.nodes;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import org.alfresco.rest.api.Nodes;
|
||||
import org.alfresco.rest.api.model.Node;
|
||||
import org.alfresco.rest.framework.core.exceptions.PermissionDeniedException;
|
||||
import org.alfresco.rest.framework.resource.RelationshipResource;
|
||||
import org.alfresco.rest.framework.resource.actions.interfaces.MultiPartRelationshipResourceAction;
|
||||
import org.alfresco.rest.framework.resource.actions.interfaces.RelationshipResourceAction;
|
||||
import org.alfresco.rest.framework.resource.parameters.CollectionWithPagingInfo;
|
||||
import org.alfresco.rest.framework.resource.parameters.Parameters;
|
||||
import org.alfresco.rest.framework.webscripts.WithResponse;
|
||||
import org.alfresco.rm.rest.api.RMNodes;
|
||||
import org.springframework.extensions.webscripts.servlet.FormData;
|
||||
|
||||
/**
|
||||
@@ -51,9 +52,9 @@ public class FileplanComponentChildrenRelation implements RelationshipResourceAc
|
||||
RelationshipResourceAction.Create<Node>,
|
||||
MultiPartRelationshipResourceAction.Create<Node>
|
||||
{
|
||||
private Nodes nodes;
|
||||
private RMNodes nodes;
|
||||
|
||||
public void setNodes(Nodes nodes)
|
||||
public void setNodes(RMNodes nodes)
|
||||
{
|
||||
this.nodes = nodes;
|
||||
}
|
||||
@@ -67,6 +68,10 @@ public class FileplanComponentChildrenRelation implements RelationshipResourceAc
|
||||
@Override
|
||||
public List<Node> create(String parentFolderNodeId, List<Node> nodeInfos, Parameters parameters)
|
||||
{
|
||||
if(nodes.isRMSite(parentFolderNodeId))
|
||||
{
|
||||
throw new PermissionDeniedException("POST request not allowed in RM site.");
|
||||
}
|
||||
List<Node> result = new ArrayList<>(nodeInfos.size());
|
||||
|
||||
for (Node nodeInfo : nodeInfos)
|
||||
@@ -80,6 +85,10 @@ public class FileplanComponentChildrenRelation implements RelationshipResourceAc
|
||||
@Override
|
||||
public Node create(String parentFolderNodeId, FormData formData, Parameters parameters, WithResponse withResponse)
|
||||
{
|
||||
if(nodes.isRMSite(parentFolderNodeId))
|
||||
{
|
||||
throw new PermissionDeniedException("POST request not allowed in RM site.");
|
||||
}
|
||||
return nodes.upload(parentFolderNodeId, formData, parameters);
|
||||
}
|
||||
}
|
||||
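Review bot: The RM-site guard is copied verbatim into both `create` overloads and lives only in this REST resource, so any other caller of `nodes.upload` (or of whatever the list overload calls inside its loop, which lies outside the hunk) is not covered by it. Consider enforcing the rule inside the `RMNodes` implementation, or at least moving the check into one private helper here (name of your choice, e.g. `checkNotRMSite(parentFolderNodeId);` called at the top of each overload) so the two paths cannot drift apart. A short comment such as `// children may not be created directly under the RM site node` above the check would also record why the request is refused.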
|
@@ -27,13 +27,13 @@
|
||||
|
||||
package org.alfresco.rm.rest.api.nodes;
|
||||
|
||||
import org.alfresco.rest.api.Nodes;
|
||||
import org.alfresco.rest.api.model.Node;
|
||||
import org.alfresco.rest.framework.WebApiDescription;
|
||||
import org.alfresco.rest.framework.WebApiParam;
|
||||
import org.alfresco.rest.framework.resource.EntityResource;
|
||||
import org.alfresco.rest.framework.resource.actions.interfaces.EntityResourceAction;
|
||||
import org.alfresco.rest.framework.resource.parameters.Parameters;
|
||||
import org.alfresco.rm.rest.api.RMNodes;
|
||||
|
||||
/**
|
||||
* Fileplan component children
|
||||
@@ -47,9 +47,9 @@ public class FileplanComponentsEntityResource implements
|
||||
EntityResourceAction.Delete,
|
||||
EntityResourceAction.Update<Node>
|
||||
{
|
||||
private Nodes nodes;
|
||||
private RMNodes nodes;
|
||||
|
||||
public void setNodes(Nodes nodes)
|
||||
public void setNodes(RMNodes nodes)
|
||||
{
|
||||
this.nodes = nodes;
|
||||
}
|
||||
|