From d67b66bebfc5235d8a52cfb8e8de6e9f1fbf7aad Mon Sep 17 00:00:00 2001
From: Nick Burch
Date: Fri, 20 Apr 2012 13:48:00 +0000
Subject: [PATCH] Merged BRANCHES/DEV/V4.0-BUG-FIX to HEAD: 35474: ALF-13773 WebScript permission checking for Guest vs User should work for HTTP Auth and Alf_Ticket based ways of identifying the user a Guest, and not just for the ?guest=true URL parameter
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@35477 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../repo/web/scripts/RepositoryContainer.java | 11 +++++++++++
 .../servlet/BasicHttpAuthenticatorFactory.java | 3 ++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/source/java/org/alfresco/repo/web/scripts/RepositoryContainer.java b/source/java/org/alfresco/repo/web/scripts/RepositoryContainer.java
index 44efce232e..d8229e0f8a 100644
--- a/source/java/org/alfresco/repo/web/scripts/RepositoryContainer.java
+++ b/source/java/org/alfresco/repo/web/scripts/RepositoryContainer.java
@@ -301,6 +301,17 @@ public class RepositoryContainer extends AbstractRuntimeContainer implements Ten
 //
 if (auth == null || auth.authenticate(required, isGuest))
 {
+ // The user will now have been authenticated, based on HTTP Auth, Ticket etc
+ // Check that the user they authenticated as has appropriate access to the script
+
+ // Check to see if they supplied HTTP Auth or Ticket as guest, on a script that needs more
+ isGuest = authorityService.isGuestAuthority(AuthenticationUtil.getFullyAuthenticatedUser());
+ if (isGuest && (required == RequiredAuthentication.user || required == RequiredAuthentication.admin))
+ {
+ throw new WebScriptException(HttpServletResponse.SC_UNAUTHORIZED, "Web Script " + desc.getId() + " requires user authentication; however, a guest has attempted access.");
+ }
+
+ // Check to see if they're admin or system on an Admin only script
 if (required == RequiredAuthentication.admin && !(authorityService.hasAdminAuthority() || AuthenticationUtil.getFullyAuthenticatedUser().equals(AuthenticationUtil.getSystemUserName())))
 {
 throw new WebScriptException(HttpServletResponse.SC_UNAUTHORIZED, "Web Script " + desc.getId() + " requires admin authentication; however, a non-admin has attempted access.");
diff --git a/source/java/org/alfresco/repo/web/scripts/servlet/BasicHttpAuthenticatorFactory.java b/source/java/org/alfresco/repo/web/scripts/servlet/BasicHttpAuthenticatorFactory.java
index 464a02e46a..896e31fa03 100644
--- a/source/java/org/alfresco/repo/web/scripts/servlet/BasicHttpAuthenticatorFactory.java
+++ b/source/java/org/alfresco/repo/web/scripts/servlet/BasicHttpAuthenticatorFactory.java
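Review bot: The guest check added at `isGuest = authorityService.isGuestAuthority(AuthenticationUtil.getFullyAuthenticatedUser());` also runs when the enclosing condition was satisfied by `auth == null`, and nothing visible in the hunk guarantees a non-null authenticated user on that path. How `isGuestAuthority` handles a null name is not shown; if it returns false, a script requiring `user` passes this check with no identified user, so the test should fail closed: read `String user = AuthenticationUtil.getFullyAuthenticatedUser();` once and use `if ((user == null || authorityService.isGuestAuthority(user)) && (required == RequiredAuthentication.user || required == RequiredAuthentication.admin))`. The assignment also overwrites the `isGuest` request flag, so later code in this method, which continues outside the hunk, sees the derived value; a separate local would keep the two meanings apart.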
@@ -116,7 +116,8 @@ public class BasicHttpAuthenticatorFactory implements ServletAuthenticatorFactor
 logger.debug("URL ticket provided: " + (ticket != null && ticket.length() > 0));
 }
- // authenticate as guest, if service allows
+ // If they requested explicit guest authentication,
+ // Authenticate as guest (if allowed)
 if (isGuest && RequiredAuthentication.guest == required)
 {
 if (logger.isDebugEnabled())