RM: Add CreateRecord capability
* an assignable capability * performs as the missing 'filling' capability * also added an unassignable capability for HideRecords * ensures that extended writers (i.e. users that have temporary filling permission on records) cannot then fileTo or reject records git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@46408 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -87,201 +87,6 @@ public class CapabilitiesTest extends BaseRMTestCase implements
|
||||
assertEquals(accessStatus, access.get(capability));
|
||||
}
|
||||
|
||||
/**
|
||||
* Check the RM permission model
|
||||
*/
|
||||
public void testPermissionsModel()
|
||||
{
|
||||
retryingTransactionHelper.doInTransaction(
|
||||
new RetryingTransactionCallback<Object>()
|
||||
{
|
||||
@Override
|
||||
public Object execute() throws Throwable
|
||||
{
|
||||
// As system user
|
||||
AuthenticationUtil
|
||||
.setFullyAuthenticatedUser(AuthenticationUtil
|
||||
.getSystemUserName());
|
||||
|
||||
Set<PermissionReference> exposed = permissionModel
|
||||
.getExposedPermissions(ASPECT_FILE_PLAN_COMPONENT);
|
||||
assertEquals(6, exposed.size());
|
||||
assertTrue(exposed.contains(permissionModel
|
||||
.getPermissionReference(
|
||||
ASPECT_FILE_PLAN_COMPONENT,
|
||||
ROLE_ADMINISTRATOR)));
|
||||
|
||||
// Check all the permission are there
|
||||
Set<PermissionReference> all = permissionModel
|
||||
.getAllPermissions(ASPECT_FILE_PLAN_COMPONENT);
|
||||
assertEquals(58 /* capbilities */* 2 + 5 /* roles */
|
||||
+ (2 /* Read+File */* 2) + 1 /* Filing */, all
|
||||
.size());
|
||||
|
||||
/*
|
||||
* Check the granting for each permission. It is assumed
|
||||
* that the ROLE_ADMINISTRATOR always has grant
|
||||
* permission so is automatically checked.
|
||||
*/
|
||||
checkGranting(ACCESS_AUDIT, ROLE_RECORDS_MANAGER);
|
||||
checkGranting(ADD_MODIFY_EVENT_DATES,
|
||||
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER,
|
||||
ROLE_POWER_USER);
|
||||
checkGranting(APPROVE_RECORDS_SCHEDULED_FOR_CUTOFF,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(ATTACH_RULES_TO_METADATA_PROPERTIES,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(AUTHORIZE_ALL_TRANSFERS,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(AUTHORIZE_NOMINATED_TRANSFERS,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(CHANGE_OR_DELETE_REFERENCES,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(CLOSE_FOLDERS, ROLE_RECORDS_MANAGER,
|
||||
ROLE_SECURITY_OFFICER, ROLE_POWER_USER);
|
||||
checkGranting(CREATE_AND_ASSOCIATE_SELECTION_LISTS,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(
|
||||
CREATE_MODIFY_DESTROY_CLASSIFICATION_GUIDES,
|
||||
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER);
|
||||
checkGranting(CREATE_MODIFY_DESTROY_EVENTS,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(CREATE_MODIFY_DESTROY_FILEPLAN_METADATA,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(CREATE_MODIFY_DESTROY_FILEPLAN_TYPES,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(CREATE_MODIFY_DESTROY_FOLDERS,
|
||||
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER,
|
||||
ROLE_POWER_USER);
|
||||
checkGranting(CREATE_MODIFY_DESTROY_RECORD_TYPES,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(CREATE_MODIFY_DESTROY_REFERENCE_TYPES,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(CREATE_MODIFY_DESTROY_ROLES,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(CREATE_MODIFY_DESTROY_TIMEFRAMES,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(CREATE_MODIFY_DESTROY_USERS_AND_GROUPS,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(CREATE_MODIFY_RECORDS_IN_CUTOFF_FOLDERS,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(CYCLE_VITAL_RECORDS,
|
||||
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER,
|
||||
ROLE_POWER_USER);
|
||||
checkGranting(DECLARE_AUDIT_AS_RECORD,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(DECLARE_RECORDS, ROLE_RECORDS_MANAGER,
|
||||
ROLE_SECURITY_OFFICER, ROLE_POWER_USER,
|
||||
ROLE_USER);
|
||||
checkGranting(DECLARE_RECORDS_IN_CLOSED_FOLDERS,
|
||||
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER,
|
||||
ROLE_POWER_USER);
|
||||
checkGranting(DELETE_AUDIT, ROLE_RECORDS_MANAGER);
|
||||
checkGranting(DELETE_LINKS, ROLE_RECORDS_MANAGER);
|
||||
checkGranting(DELETE_RECORDS, ROLE_RECORDS_MANAGER);
|
||||
checkGranting(DESTROY_RECORDS, ROLE_RECORDS_MANAGER);
|
||||
checkGranting(
|
||||
DESTROY_RECORDS_SCHEDULED_FOR_DESTRUCTION,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(DISPLAY_RIGHTS_REPORT,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(EDIT_DECLARED_RECORD_METADATA,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(EDIT_NON_RECORD_METADATA,
|
||||
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER,
|
||||
ROLE_POWER_USER);
|
||||
checkGranting(EDIT_RECORD_METADATA,
|
||||
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER,
|
||||
ROLE_POWER_USER);
|
||||
checkGranting(EDIT_SELECTION_LISTS,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(ENABLE_DISABLE_AUDIT_BY_TYPES,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(EXPORT_AUDIT, ROLE_RECORDS_MANAGER);
|
||||
checkGranting(EXTEND_RETENTION_PERIOD_OR_FREEZE,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(MAKE_OPTIONAL_PARAMETERS_MANDATORY,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(MANAGE_ACCESS_CONTROLS);
|
||||
checkGranting(MANAGE_ACCESS_RIGHTS,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(MANUALLY_CHANGE_DISPOSITION_DATES,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(MAP_CLASSIFICATION_GUIDE_METADATA,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(MAP_EMAIL_METADATA, ROLE_RECORDS_MANAGER);
|
||||
checkGranting(MOVE_RECORDS, ROLE_RECORDS_MANAGER);
|
||||
checkGranting(PASSWORD_CONTROL, ROLE_RECORDS_MANAGER);
|
||||
checkGranting(PLANNING_REVIEW_CYCLES,
|
||||
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER,
|
||||
ROLE_POWER_USER);
|
||||
checkGranting(RE_OPEN_FOLDERS, ROLE_RECORDS_MANAGER,
|
||||
ROLE_SECURITY_OFFICER, ROLE_POWER_USER);
|
||||
checkGranting(SELECT_AUDIT_METADATA,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(TRIGGER_AN_EVENT, ROLE_RECORDS_MANAGER);
|
||||
checkGranting(UNDECLARE_RECORDS, ROLE_RECORDS_MANAGER);
|
||||
checkGranting(UNFREEZE, ROLE_RECORDS_MANAGER);
|
||||
checkGranting(UPDATE_CLASSIFICATION_DATES,
|
||||
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER);
|
||||
checkGranting(UPDATE_EXEMPTION_CATEGORIES,
|
||||
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER);
|
||||
checkGranting(UPDATE_TRIGGER_DATES,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(UPDATE_VITAL_RECORD_CYCLE_INFORMATION,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
checkGranting(UPGRADE_DOWNGRADE_AND_DECLASSIFY_RECORDS,
|
||||
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER);
|
||||
checkGranting(VIEW_RECORDS, ROLE_RECORDS_MANAGER,
|
||||
ROLE_SECURITY_OFFICER, ROLE_POWER_USER,
|
||||
ROLE_USER);
|
||||
checkGranting(VIEW_UPDATE_REASONS_FOR_FREEZE,
|
||||
ROLE_RECORDS_MANAGER);
|
||||
|
||||
return null;
|
||||
}
|
||||
}, false, true);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check that the roles passed have grant on the permission passed.
|
||||
*
|
||||
* @param permission
|
||||
* permission
|
||||
* @param roles
|
||||
* grant roles
|
||||
*/
|
||||
private void checkGranting(String permission, String... roles)
|
||||
{
|
||||
Set<PermissionReference> granting = permissionModel
|
||||
.getGrantingPermissions(permissionModel.getPermissionReference(
|
||||
RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT,
|
||||
permission));
|
||||
Set<PermissionReference> test = new HashSet<PermissionReference>();
|
||||
test.addAll(granting);
|
||||
Set<PermissionReference> nonRM = new HashSet<PermissionReference>();
|
||||
for (PermissionReference pr : granting)
|
||||
{
|
||||
if (!pr.getQName().equals(
|
||||
RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
|
||||
{
|
||||
nonRM.add(pr);
|
||||
}
|
||||
}
|
||||
test.removeAll(nonRM);
|
||||
assertEquals(roles.length + 2, test.size());
|
||||
|
||||
assertTrue(test.contains(permissionModel.getPermissionReference(
|
||||
RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT,
|
||||
ROLE_ADMINISTRATOR)));
|
||||
for (String role : roles)
|
||||
{
|
||||
assertTrue(test.contains(permissionModel.getPermissionReference(
|
||||
RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT, role)));
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Test file plan as system
|
||||
*/
|
||||
|
@@ -33,9 +33,7 @@ import org.alfresco.repo.security.permissions.AccessDeniedException;
|
||||
import org.alfresco.service.cmr.action.ActionService;
|
||||
import org.alfresco.service.cmr.repository.ContentWriter;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.security.AccessPermission;
|
||||
import org.alfresco.service.cmr.security.AccessStatus;
|
||||
import org.alfresco.service.cmr.security.AuthorityType;
|
||||
import org.alfresco.service.cmr.security.PermissionService;
|
||||
import org.alfresco.service.namespace.QName;
|
||||
|
||||
@@ -275,7 +273,7 @@ public class RecordServiceImplTest extends BaseRMTestCase
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.EDIT_RECORD_METADATA));
|
||||
|
||||
Capability filling = capabilityService.getCapability("FileRecords");
|
||||
assertEquals(AccessStatus.ALLOWED, filling.hasPermission(dmDocument));
|
||||
assertEquals(AccessStatus.DENIED, filling.hasPermission(dmDocument));
|
||||
|
||||
Capability editRecordMetadata = capabilityService.getCapability("EditRecordMetadata");
|
||||
assertEquals(AccessStatus.ALLOWED, editRecordMetadata.hasPermission(dmDocument));
|
||||
|
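Review bot: The "FileRecords" check in the `@@ -275,7 +273,7 @@` hunk appears to flip from ALLOWED to DENIED (the page has lost its +/- markers, so this reading rests on the print order and the commit description), and the new expectation has no comment tying it to the access-control rule it pins. A line such as `// extended writers hold only temporary filing permission, so FileRecords must be DENIED here` above `assertEquals(AccessStatus.DENIED, filling.hasPermission(dmDocument));` would stop a later maintainer from "fixing" it back to ALLOWED. The hunk also shows only the negative side of the change: nothing visible asserts the capability the commit title adds, so consider something like `assertEquals(AccessStatus.ALLOWED, capabilityService.getCapability("CreateRecord").hasPermission(dmDocument));`, with the capability name and expected status confirmed against the capability definition. The description also promises that extended writers cannot reject records, and no assertion visible in this hunk covers that. The enclosing test method starts and ends outside the hunk, so these checks may already exist elsewhere in it.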