RM-6928 adding check to allow specified properties on frozen nodes to be updated

rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/model/rma/aspect/FrozenAspect.java

@@ -38,6 +38,7 @@ import java.util.Map;
 
 import org.alfresco.module.org_alfresco_module_rm.freeze.FreezeService;
 import org.alfresco.module.org_alfresco_module_rm.model.BaseBehaviourBean;
+import org.alfresco.module.org_alfresco_module_rm.util.PropertyModificationAllowedCheck;
 import org.alfresco.repo.node.NodeServicePolicies;
 import org.alfresco.repo.policy.Behaviour.NotificationFrequency;
 import org.alfresco.repo.policy.annotation.Behaviour;
@@ -76,6 +77,11 @@ public class FrozenAspect extends    BaseBehaviourBean
     /** freeze service */
     protected FreezeService freezeService;
 
+    /**
+     * Utility class for property modification
+     */
+    private PropertyModificationAllowedCheck propertyModificationAllowedCheck;
+
     /**
      * @param freezeService freeze service
      */
@@ -84,6 +90,14 @@ public class FrozenAspect extends    BaseBehaviourBean
         this.freezeService = freezeService;
     }
 
+    /**
+     * Setter for property modification check utility
+     * @param propertyModificationAllowedCheck Utility class for property modification
+     */
+    public void setPropertyModificationAllowedCheck(PropertyModificationAllowedCheck propertyModificationAllowedCheck)
+    {
+        this.propertyModificationAllowedCheck = propertyModificationAllowedCheck;
+    }
 
     /**
      * Disable the on update properties for frozen aspect behaviour
@@ -268,7 +282,8 @@ public class FrozenAspect extends    BaseBehaviourBean
         AuthenticationUtil.runAsSystem((RunAsWork<Void>) () -> {
             // check to not throw exception when the aspect is being added
             if (nodeService.exists(nodeRef) && freezeService.isFrozen(nodeRef) &&
-                    !transactionalResourceHelper.getSet("frozen").contains(nodeRef) )
+                    !transactionalResourceHelper.getSet("frozen").contains(nodeRef) &&
+                        !propertyModificationAllowedCheck.check(before, after))
                 {
                     throw new PermissionDeniedException(I18NUtil.getMessage("rm.hold.update-frozen-node"));
                 }

rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/util/PropertyModificationAllowedCheck.java

@@ -0,0 +1,106 @@
+/*
+ * #%L
+ * Alfresco Records Management Module
+ * %%
+ * Copyright (C) 2005 - 2019 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * -
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ * -
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * -
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * -
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.module.org_alfresco_module_rm.util;
+
+import java.io.Serializable;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+
+import org.alfresco.service.namespace.QName;
+
+/**
+ * Utility check for modification of a properties based off presence in a whitelist.
+ *
+ * @author Ross Gale
+ * @since 3.2
+ */
+public class PropertyModificationAllowedCheck
+{
+    /**
+     * List of qnames that can be modified
+     */
+    private List<QName> whiteList;
+
+    /**
+     * Setter for list of qnames
+     * @param whiteList List<QName>
+     */
+    public void setWhiteList(List<QName> whiteList)
+    {
+        this.whiteList = whiteList;
+    }
+
+    /**
+     * Compares the node properties with the requested update to make sure all potential updates are permitted
+     * @param before current node properties
+     * @param after updated properties for the node
+     * @return true -  if all modified property keys are in the whitelist
+     */
+    public boolean check(Map<QName, Serializable> before, Map<QName, Serializable> after)
+    {
+        boolean proceed = true;
+        HashSet<QName> unionKeys = new HashSet<>(before.keySet());
+        unionKeys.addAll(after.keySet());
+        for (QName key : unionKeys)
+        {
+            //Check if property has been added or removed
+            if (!before.containsKey(key)  || !after.containsKey(key))
+            {
+                //Property modified check to see if allowed
+                proceed = whiteList.contains(key);
+                if (!proceed)
+                {
+                    break;
+                }
+            }
+            //Check if property emptied or empty property filled
+            if  ((before.get(key) == null && after.get(key) != null) ||
+                    (after.get(key) == null && before.get(key) != null))
+            {
+                //Property modified check to see if allowed
+                proceed = whiteList.contains(key);
+                if (!proceed)
+                {
+                    break;
+                }
+            }
+            //If properties aren't missing or empty check equality
+            if (before.get(key) != null && after.get(key) != null && !(after.get(key).equals(before.get(key))))
+            {
+                //Property modified check to see if allowed
+                proceed = whiteList.contains(key);
+                if (!proceed)
+                {
+                    break;
+                }
+            }
+        }
+        return proceed;
+    }
+
+}