Site Service does not allow users 'admin' or 'system user' to set site membership if they are not Site Manager of the given site

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@11011 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Roy Wetherall
2008-09-24 15:37:13 +00:00
parent ff01cea0c5
commit d2c08c8307
2 changed files with 126 additions and 77 deletions


@@ -47,6 +47,7 @@ import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.search.ResultSet; import org.alfresco.service.cmr.search.ResultSet;
import org.alfresco.service.cmr.search.SearchService; import org.alfresco.service.cmr.search.SearchService;
import org.alfresco.service.cmr.security.AccessPermission; import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityService; import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.AuthorityType; import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.cmr.security.PermissionService; import org.alfresco.service.cmr.security.PermissionService;
@@ -660,13 +661,12 @@ public class SiteServiceImpl implements SiteService, SiteModel
} }
// If ... // If ...
// -- the current user is a site manager // -- the current user has change permissions
// or // or
// -- the site is public and // -- the site is public and
// -- the user is ourselves and // -- the user is ourselves and
// -- the users current role is consumer // -- the users current role is consumer
if ((currentUserRole != null && if ((permissionService.hasPermission(siteNodeRef, PermissionService.CHANGE_PERMISSIONS) == AccessStatus.ALLOWED)
SiteModel.SITE_MANAGER.equals(currentUserRole) == true)
|| ||
(isPublic == true && (isPublic == true &&
currentUserName.equals(userName) == true && currentUserName.equals(userName) == true &&
@@ -702,6 +702,11 @@ public class SiteServiceImpl implements SiteService, SiteModel
throw new AlfrescoRuntimeException("Access denied, user does not have permissions to delete membership details of the site '" + shortName + "'"); throw new AlfrescoRuntimeException("Access denied, user does not have permissions to delete membership details of the site '" + shortName + "'");
} }
} }
else
{
// Throw a permission exception
throw new AlfrescoRuntimeException("Access denied, user does not have permissions to delete membership details of the site '" + shortName + "'");
}
} }
/** /**
@@ -718,95 +723,103 @@ public class SiteServiceImpl implements SiteService, SiteModel
// Get the user's current role // Get the user's current role
final String currentRole = getMembersRole(shortName, userName); final String currentRole = getMembersRole(shortName, userName);
if (currentRole == null || role.equals(currentRole) == false) if (currentRole == null)
{ {
// Determine whether the site is private or not // Do nothing if the role of the user is not being changed
boolean isPublic = isSitePublic(siteNodeRef); if (role.equals(currentRole) == false)
// TODO if this is the only site manager do not downgrade their permissions
// If we are ...
// -- the site manager
// or we are ...
// -- refering to a public site and
// -- the role being set is consumer and
// -- the user being added is ourselves and
// -- the member does not already have permissions
// ... then we can set the permissions as system user
final String currentUserName = AuthenticationUtil.getCurrentUserName();
final String currentUserRole = getMembersRole(shortName, currentUserName);
if ((currentUserRole != null &&
SiteModel.SITE_MANAGER.equals(currentUserRole) == true)
||
(isPublic == true &&
role.equals(SiteModel.SITE_CONSUMER) == true &&
userName.equals(currentUserName) == true &&
currentRole == null))
{ {
// Check that we are not about to remove the last site manager // Determine whether the site is private or not
if (SiteModel.SITE_MANAGER.equals(currentRole) == true) boolean isPublic = isSitePublic(siteNodeRef);
{
Set<String> siteMangers = this.authorityService.getContainedAuthorities(
AuthorityType.USER,
getSiteRoleGroup(shortName, SITE_MANAGER, true),
true);
if (siteMangers.size() == 1)
{
throw new AlfrescoRuntimeException("A site requires at least one site manager. You can not change '" + userName + "' role from the site memebership because they are currently the only site manager.");
}
}
// Run as system user // TODO if this is the only site manager do not downgrade their permissions
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
// If we are ...
// -- the site manager
// or we are ...
// -- refering to a public site and
// -- the role being set is consumer and
// -- the user being added is ourselves and
// -- the member does not already have permissions
// ... then we can set the permissions as system user
final String currentUserName = AuthenticationUtil.getCurrentUserName();
final String currentUserRole = getMembersRole(shortName, currentUserName);
if ((permissionService.hasPermission(siteNodeRef, PermissionService.CHANGE_PERMISSIONS) == AccessStatus.ALLOWED)
||
(isPublic == true &&
role.equals(SiteModel.SITE_CONSUMER) == true &&
userName.equals(currentUserName) == true &&
currentRole == null))
{ {
public Object doWork() throws Exception // Check that we are not about to remove the last site manager
if (SiteModel.SITE_MANAGER.equals(currentRole) == true)
{ {
if (currentRole != null) Set<String> siteMangers = this.authorityService.getContainedAuthorities(
AuthorityType.USER,
getSiteRoleGroup(shortName, SITE_MANAGER, true),
true);
if (siteMangers.size() == 1)
{ {
// Remove the user from the current permission group throw new AlfrescoRuntimeException("A site requires at least one site manager. You can not change '" + userName + "' role from the site memebership because they are currently the only site manager.");
String currentGroup = getSiteRoleGroup(shortName, currentRole, true); }
authorityService.removeAuthority(currentGroup, userName); }
// Run as system user
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Object>()
{
public Object doWork() throws Exception
{
if (currentRole != null)
{
// Remove the user from the current permission group
String currentGroup = getSiteRoleGroup(shortName, currentRole, true);
authorityService.removeAuthority(currentGroup, userName);
}
// Add the user to the new permission group
String newGroup = getSiteRoleGroup(shortName, role, true);
authorityService.addAuthority(newGroup, userName);
return null;
} }
// Add the user to the new permission group }, AuthenticationUtil.SYSTEM_USER_NAME);
String newGroup = getSiteRoleGroup(shortName, role, true);
authorityService.addAuthority(newGroup, userName);
return null; if (currentRole == null)
}
}, AuthenticationUtil.SYSTEM_USER_NAME);
if (currentRole == null)
{
if (AuthorityType.getAuthorityType(userName) == AuthorityType.USER)
{ {
activityService.postActivity(ActivityType.SITE_USER_JOINED, shortName, ACTIVITY_TOOL, getActivityData(userName, role)); if (AuthorityType.getAuthorityType(userName) == AuthorityType.USER)
{
activityService.postActivity(ActivityType.SITE_USER_JOINED, shortName, ACTIVITY_TOOL, getActivityData(userName, role));
}
else
{
// TODO - update this, if sites support groups
logger.error("setMembership - failed to post activity: unexpected authority type: " + AuthorityType.getAuthorityType(userName));
}
} }
else else
{ {
// TODO - update this, if sites support groups if (AuthorityType.getAuthorityType(userName) == AuthorityType.USER)
logger.error("setMembership - failed to post activity: unexpected authority type: " + AuthorityType.getAuthorityType(userName)); {
activityService.postActivity(ActivityType.SITE_USER_ROLE_UPDATE, shortName, ACTIVITY_TOOL, getActivityData(userName, role));
}
else
{
// TODO - update this, if sites support groups
logger.error("setMembership - failed to post activity: unexpected authority type: " + AuthorityType.getAuthorityType(userName));
}
} }
} }
else else
{ {
if (AuthorityType.getAuthorityType(userName) == AuthorityType.USER) // Raise a permission exception
{ throw new AlfrescoRuntimeException("Access denied, user does not have permissions to modify membership details of the site '" + shortName + "'");
activityService.postActivity(ActivityType.SITE_USER_ROLE_UPDATE, shortName, ACTIVITY_TOOL, getActivityData(userName, role));
}
else
{
// TODO - update this, if sites support groups
logger.error("setMembership - failed to post activity: unexpected authority type: " + AuthorityType.getAuthorityType(userName));
}
} }
} }
else }
{ else
// Raise a permission exception {
throw new AlfrescoRuntimeException("Access denied, user does not have permissions to modify membership details of the site '" + shortName + "'"); // Raise a permission exception
} throw new AlfrescoRuntimeException("Access denied, user does not have permissions to modify membership details of the site '" + shortName + "'");
} }
} }
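Review bot: As rendered, the new outer guard in the setMembership hunk reads `if (currentRole == null)` with a final `else` that throws "Access denied"; if that is what was committed, every role change for an existing member is rejected before the `CHANGE_PERMISSIONS` check is reached, and the last-site-manager check and the `currentRole != null` removal branch inside become unreachable. The page has lost its +/- markers, so this needs confirming against the file; keeping the previous outer condition `if (currentRole == null || role.equals(currentRole) == false)` and treating an unchanged role as a no-op rather than an error would match the new comment "Do nothing if the role of the user is not being changed". Separately, the explanatory comment above the check still lists `// -- the site manager` although the gate is now `permissionService.hasPermission(siteNodeRef, PermissionService.CHANGE_PERMISSIONS)`, and `currentUserRole` appears to be fetched but no longer read in this hunk; since this condition is the only gate in front of the run-as-system block, the comment should state the rule that is actually enforced. The method begins outside the hunk.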


@@ -134,6 +134,42 @@ public class SiteServiceImplTest extends BaseAlfrescoSpringTest
} }
} }
public void testETHREEOH_15() throws Exception
{
SiteInfo siteInfo = this.siteService.createSite(TEST_SITE_PRESET, "mySiteTest", TEST_TITLE, TEST_DESCRIPTION, true);
checkSiteInfo(siteInfo, TEST_SITE_PRESET, "mySiteTest", TEST_TITLE, TEST_DESCRIPTION, true);
authenticationComponent.setCurrentUser("admin");
this.siteService.setMembership(siteInfo.getShortName(), USER_TWO, SiteModel.SITE_MANAGER);
authenticationComponent.setCurrentUser(USER_TWO);
this.siteService.setMembership(siteInfo.getShortName(), USER_THREE, SiteModel.SITE_CONTRIBUTOR);
this.siteService.removeMembership(siteInfo.getShortName(), USER_THREE);
authenticationComponent.setCurrentUser("admin");
this.siteService.removeMembership(siteInfo.getShortName(), USER_TWO);
authenticationComponent.setSystemUserAsCurrentUser();
this.siteService.setMembership(siteInfo.getShortName(), USER_THREE, SiteModel.SITE_CONTRIBUTOR);
authenticationComponent.setCurrentUser(USER_THREE);
try
{
this.siteService.setMembership(siteInfo.getShortName(), USER_TWO, SiteModel.SITE_CONTRIBUTOR);
fail("Shouldn't be able to do this cos you don't have permissions");
}
catch (Exception exception) {}
try
{
this.siteService.removeMembership(siteInfo.getShortName(), USER_THREE);
fail("Shouldn't be able to do this cos you don't have permissions");
}
catch (Exception exception) {}
authenticationComponent.setSystemUserAsCurrentUser();
this.siteService.removeMembership(siteInfo.getShortName(), USER_THREE);
}
private void checkSiteInfo( SiteInfo siteInfo, String expectedSitePreset, String expectedShortName, String expectedTitle, private void checkSiteInfo( SiteInfo siteInfo, String expectedSitePreset, String expectedShortName, String expectedTitle,
String expectedDescription, boolean expectedIsPublic) String expectedDescription, boolean expectedIsPublic)
{ {
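Review bot: The two negative checks in `testETHREEOH_15` pass on any `Exception`, so a failure unrelated to authorization (a missing site, a null reference) would satisfy them just as well as an access denial. Narrowing them to the type the service throws, `catch (AlfrescoRuntimeException expected) {}` (importing it if the test does not already), and asserting afterwards that the membership is unchanged would tie the test to the access-denied behaviour. Every `setMembership` call in the test also targets a user who has no role at that point, so changing the role of an existing member, the other path through the modified method, is not exercised by this commit.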