inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-31 17:39:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

RM: Add CreateRecord capability

Browse Source 
* an assignable capability
 * performs as the missing 'filling' capability
 * also added a unassignable capability for HideRecords
 * ensures that extended writers .. ie users that have temporary filling permission on records .. can not then fileTo or reject records



git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@46408 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Roy Wetherall
2013-02-08 05:05:30 +00:00
parent 6cb7541653
commit d72f12738f
10 changed files with 70 additions and 325 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-record-context.xml
View File

@@ -11,6 +11,23 @@
<property name="index" value="30" />
</bean>
<bean id="rmCreateRecordsCapability"
parent="declarativeCapability">
<property name="name" value="CreateRecords"/>
<property name="group"><ref bean="recordsGroup"/></property>
<property name="index" value="35" />
<property name="permission" value="CreateRecords"/>
<property name="conditions">
<map>
<entry key="capabilityCondition.filling" value="true"/>
<entry key="capabilityCondition.frozen" value="false"/>
<entry key="capabilityCondition.cutoff" value="false"/>
<entry key="capabilityCondition.closed" value="false"/>
<entry key="capabilityCondition.declared" value="false"/>
</map>
</property>
</bean>
<bean id="rmUndeclareRecordsCapability"
parent="declarativeCapability">
<property name="name" value="UndeclareRecords"/>
@@ -54,27 +71,12 @@
<property name="index" value="20" />
</bean>
<bean id="rmFileCapability"
parent="declarativeCapability">
<property name="name" value="File"/>
<property name="private" value="true"/>
<property name="conditions">
<map>
<entry key="capabilityCondition.filling" value="true"/>
<entry key="capabilityCondition.frozen" value="false"/>
<entry key="capabilityCondition.cutoff" value="false"/>
<entry key="capabilityCondition.closed" value="false"/>
<entry key="capabilityCondition.declared" value="false"/>
</map>
</property>
</bean>
<bean id="rmFileRecordsCapability"
parent="compositeCapability">
<property name="name" value="FileRecords" />
<property name="capabilities">
<list>
<ref bean="rmFileCapability"/>
<ref bean="rmCreateRecordsCapability"/>
<ref bean="rmCreateModifyRecordsInCuttoffFoldersCapability"/>
</list>
</property>
@@ -254,4 +256,19 @@
</property>
</bean>
<bean id="rmHideRecordsCapability"
parent="declarativeCapability">
<property name="name" value="HideRecords"/>
<property name="private" value="true" />
<property name="conditions">
<map>
<entry key="capabilityCondition.filling" value="true"/>
<entry key="capabilityCondition.frozen" value="false"/>
<entry key="capabilityCondition.cutoff" value="false"/>
<entry key="capabilityCondition.closed" value="false"/>
<entry key="capabilityCondition.declared" value="false"/>
</map>
</property>
</bean>
</beans>

1
rm-server/config/alfresco/module/org_alfresco_module_rm/messages/capability-service.properties
View File

@@ -3,6 +3,7 @@ capability.group.records.title=Records
capability.DeclareRecords.title=Declare Records
capability.ViewRecords.title=View Records
capability.UndeclareRecords.title=Undeclare Records
capability.CreateRecords.title=Create Records
# Metadata Control
capability.group.metadataControl.title=Metadata Control

110
rm-server/config/alfresco/module/org_alfresco_module_rm/model/recordsPermissionModel.xml
View File

@@ -13,102 +13,6 @@
</namespaces>
<permissionSet expose="selected" type="rma:filePlanComponent">
<permissionGroup name="User" allowFullControl="false" expose="true">
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="DeclareRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ViewRecords"/>
</permissionGroup>
<permissionGroup name="PowerUser" allowFullControl="false" expose="true">
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="DeclareRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ViewRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateModifyDestroyFolders"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="EditRecordMetadata"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="EditNonRecordMetadata"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="AddModifyEventDates"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CloseFolders"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="DeclareRecordsInClosedFolders"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ReOpenFolders"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CycleVitalRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="PlanningReviewCycles"/>
</permissionGroup>
<permissionGroup name="SecurityOfficer" allowFullControl="false" expose="true">
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="DeclareRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ViewRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateModifyDestroyFolders"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="EditRecordMetadata"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="EditNonRecordMetadata"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="AddModifyEventDates"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CloseFolders"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="DeclareRecordsInClosedFolders"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ReOpenFolders"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CycleVitalRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="PlanningReviewCycles"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="UpdateClassificationDates"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateModifyDestroyClassificationGuides"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="UpgradeDowngradeAndDeclassifyRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="UpdateExemptionCategories"/>
</permissionGroup>
<permissionGroup name="RecordsManager" allowFullControl="false" expose="true">
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="DeclareRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ViewRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateModifyDestroyFolders"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="EditRecordMetadata"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="EditNonRecordMetadata"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="AddModifyEventDates"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CloseFolders"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="DeclareRecordsInClosedFolders"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ReOpenFolders"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CycleVitalRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="PlanningReviewCycles"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="UpdateTriggerDates"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateModifyDestroyEvents"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ManageAccessRights"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="MoveRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ChangeOrDeleteReferences"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="DeleteLinks"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="EditDeclaredRecordMetadata"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ManuallyChangeDispositionDates"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ApproveRecordsScheduledForCutoff"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateModifyRecordsInCutoffFolders"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ExtendRetentionPeriodOrFreeze"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="Unfreeze"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ViewUpdateReasonsForFreeze"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="DestroyRecordsScheduledForDestruction"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="DestroyRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="UpdateVitalRecordCycleInformation"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="UndeclareRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="DeclareAuditAsRecord"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="DeleteAudit"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateModifyDestroyTimeframes"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="AuthorizeNominatedTransfers"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="EditSelectionLists"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="AuthorizeAllTransfers"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateModifyDestroyFileplanMetadata"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateAndAssociateSelectionLists"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="AttachRulesToMetadataProperties"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateModifyDestroyFileplanTypes"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateModifyDestroyRecordTypes"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="MakeOptionalParametersMandatory"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="MapEmailMetadata"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="DeleteRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="TriggerAnEvent"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateModifyDestroyRoles"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateModifyDestroyUsersAndGroups"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="PasswordControl"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="EnableDisableAuditByTypes"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="SelectAuditMetadata"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="DisplayRightsReport"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="AccessAudit"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ExportAudit"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateModifyDestroyReferenceTypes"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="UpdateClassificationDates"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateModifyDestroyClassificationGuides"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="UpgradeDowngradeAndDeclassifyRecords"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="UpdateExemptionCategories"/>
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="MapClassificationGuideMetadata"/>
</permissionGroup>
<!-- An RM administrator does not have admin rights to the full DM repo -->
<!-- On no account should allowFullControl="true" be set here -->
@@ -175,6 +79,8 @@
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="ManageAccessControls"/>
<!-- Administrator has filing rights to all records - no other role does -->
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="Filing"/>
<!-- Since V2.1 -->
<includePermissionGroup type="rma:filePlanComponent" permissionGroup="CreateRecords"/>
</permissionGroup>
<permissionGroup name="Filing" allowFullControl="false" expose="true">
@@ -245,6 +151,12 @@
<permissionGroup name="MapClassificationGuideMetadata" expose="false" allowFullControl="false"/>
<permissionGroup name="ManageAccessControls" expose="false" allowFullControl="false"/>
<!-- Added since V2.1 -->
<permissionGroup name="CreateRecords" expose="false" allowFullControl="false"/>
<!-- End -->
<permission name="_ReadRecords" expose="false">
<grantedToGroup permissionGroup="ReadRecords"/>
</permission>
@@ -485,6 +397,12 @@
<grantedToGroup permissionGroup="ManageAccessControls"/>
</permission>
<!-- Added since V2.1 -->
<permission name="_CreateRecords" expose="false">
<grantedToGroup permissionGroup="CreateRecords"/>
</permission>
</permissionSet>
</permissions>

2
rm-server/config/alfresco/module/org_alfresco_module_rm/rm-ui-evaluators-context.xml
View File

@@ -694,7 +694,7 @@
<value>RECORD</value>
</set>
</property>
<property name="capability" value="FileRecords" />
<property name="capability" value="HideRecords" />
</bean>
</beans>

4
rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-default-roles-bootstrap.json
View File

@@ -17,6 +17,7 @@
[
"DeclareRecords",
"ViewRecords",
"CreateRecords",
"CreateModifyDestroyFolders",
"EditRecordMetadata",
"EditNonRecordMetadata",
@@ -36,6 +37,7 @@
[
"DeclareRecords",
"ViewRecords",
"CreateRecords",
"CreateModifyDestroyFolders",
"EditRecordMetadata",
"EditNonRecordMetadata",
@@ -59,6 +61,7 @@
[
"DeclareRecords",
"ViewRecords",
"CreateRecords",
"CreateModifyDestroyFolders",
"EditRecordMetadata",
"EditNonRecordMetadata",
@@ -125,6 +128,7 @@
[
"DeclareRecords",
"ViewRecords",
"CreateRecords",
"CreateModifyDestroyFolders",
"EditRecordMetadata",
"EditNonRecordMetadata",

11
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/AbstractCapability.java
View File

@@ -63,12 +63,6 @@ public abstract class AbstractCapability extends RMSecurityCommon
/** Indicates whether this is a private capability or not */
protected boolean isPrivate = false;
/** List of actions */
// protected List<RecordsManagementAction> actions = new ArrayList<RecordsManagementAction>(1);
/** Action names */
// protected List<String> actionNames = new ArrayList<String>(1);
/**
* @param voter RM entry voter
*/
@@ -128,6 +122,11 @@ public abstract class AbstractCapability extends RMSecurityCommon
if (StringUtils.isBlank(title))
{
title = I18NUtil.getMessage("capability." + getName() + ".title");
if (StringUtils.isBlank(title) == true)
{
title = getName();
}
}
return title;
}

12
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java
View File

@@ -39,18 +39,18 @@ public interface RMPermissionModel
// Roles
public static final String ROLE_NAME_USER = "User";
public static final String ROLE_USER = SimplePermissionReference.getPermissionReference(RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT, ROLE_NAME_USER).toString();
//public static final String ROLE_USER = SimplePermissionReference.getPermissionReference(RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT, ROLE_NAME_USER).toString();
public static final String ROLE_NAME_POWER_USER = "PowerUser";
public static final String ROLE_POWER_USER = SimplePermissionReference.getPermissionReference(RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT, ROLE_NAME_POWER_USER).toString();
// public static final String ROLE_POWER_USER = SimplePermissionReference.getPermissionReference(RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT, ROLE_NAME_POWER_USER).toString();
public static final String ROLE_NAME_SECURITY_OFFICER = "SecurityOfficer";
public static final String ROLE_SECURITY_OFFICER = SimplePermissionReference.getPermissionReference(RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT, ROLE_NAME_SECURITY_OFFICER)
.toString();
// public static final String ROLE_SECURITY_OFFICER = SimplePermissionReference.getPermissionReference(RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT, ROLE_NAME_SECURITY_OFFICER)
// .toString();
public static final String ROLE_NAME_RECORDS_MANAGER = "RecordsManager";
public static final String ROLE_RECORDS_MANAGER = SimplePermissionReference.getPermissionReference(RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT, ROLE_NAME_RECORDS_MANAGER)
.toString();
// public static final String ROLE_RECORDS_MANAGER = SimplePermissionReference.getPermissionReference(RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT, ROLE_NAME_RECORDS_MANAGER)
// .toString();
public static final String ROLE_NAME_ADMINISTRATOR = "Administrator";
public static final String ROLE_ADMINISTRATOR = SimplePermissionReference.getPermissionReference(RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT, ROLE_NAME_ADMINISTRATOR).toString();

3
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/role/FilePlanRoleServiceImpl.java
View File

@@ -591,6 +591,9 @@ public class FilePlanRoleServiceImpl implements FilePlanRoleService,
String allRoleGroup = authorityService.getName(AuthorityType.GROUP, getAllRolesGroupShortName(rmRootNode));
authorityService.addAuthority(allRoleGroup, roleGroup);
// TODO .. we should be creating a permission set containing all the capabilities and then assigning that
// single permission group to the file plan .. would be tidier
// Assign the various capabilities to the group on the root records management node
if (capabilities != null)
{

195
rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/capabilities/CapabilitiesTest.java
View File

@@ -87,201 +87,6 @@ public class CapabilitiesTest extends BaseRMTestCase implements
assertEquals(accessStatus, access.get(capability));
}
/**
* Check the RM permission model
*/
public void testPermissionsModel()
{
retryingTransactionHelper.doInTransaction(
new RetryingTransactionCallback<Object>()
{
@Override
public Object execute() throws Throwable
{
// As system user
AuthenticationUtil
.setFullyAuthenticatedUser(AuthenticationUtil
.getSystemUserName());
Set<PermissionReference> exposed = permissionModel
.getExposedPermissions(ASPECT_FILE_PLAN_COMPONENT);
assertEquals(6, exposed.size());
assertTrue(exposed.contains(permissionModel
.getPermissionReference(
ASPECT_FILE_PLAN_COMPONENT,
ROLE_ADMINISTRATOR)));
// Check all the permission are there
Set<PermissionReference> all = permissionModel
.getAllPermissions(ASPECT_FILE_PLAN_COMPONENT);
assertEquals(58 /* capbilities */* 2 + 5 /* roles */
+ (2 /* Read+File */* 2) + 1 /* Filing */, all
.size());
/*
* Check the granting for each permission. It is assumed
* that the ROLE_ADMINISTRATOR always has grant
* permission so is automatically checked.
*/
checkGranting(ACCESS_AUDIT, ROLE_RECORDS_MANAGER);
checkGranting(ADD_MODIFY_EVENT_DATES,
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER,
ROLE_POWER_USER);
checkGranting(APPROVE_RECORDS_SCHEDULED_FOR_CUTOFF,
ROLE_RECORDS_MANAGER);
checkGranting(ATTACH_RULES_TO_METADATA_PROPERTIES,
ROLE_RECORDS_MANAGER);
checkGranting(AUTHORIZE_ALL_TRANSFERS,
ROLE_RECORDS_MANAGER);
checkGranting(AUTHORIZE_NOMINATED_TRANSFERS,
ROLE_RECORDS_MANAGER);
checkGranting(CHANGE_OR_DELETE_REFERENCES,
ROLE_RECORDS_MANAGER);
checkGranting(CLOSE_FOLDERS, ROLE_RECORDS_MANAGER,
ROLE_SECURITY_OFFICER, ROLE_POWER_USER);
checkGranting(CREATE_AND_ASSOCIATE_SELECTION_LISTS,
ROLE_RECORDS_MANAGER);
checkGranting(
CREATE_MODIFY_DESTROY_CLASSIFICATION_GUIDES,
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER);
checkGranting(CREATE_MODIFY_DESTROY_EVENTS,
ROLE_RECORDS_MANAGER);
checkGranting(CREATE_MODIFY_DESTROY_FILEPLAN_METADATA,
ROLE_RECORDS_MANAGER);
checkGranting(CREATE_MODIFY_DESTROY_FILEPLAN_TYPES,
ROLE_RECORDS_MANAGER);
checkGranting(CREATE_MODIFY_DESTROY_FOLDERS,
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER,
ROLE_POWER_USER);
checkGranting(CREATE_MODIFY_DESTROY_RECORD_TYPES,
ROLE_RECORDS_MANAGER);
checkGranting(CREATE_MODIFY_DESTROY_REFERENCE_TYPES,
ROLE_RECORDS_MANAGER);
checkGranting(CREATE_MODIFY_DESTROY_ROLES,
ROLE_RECORDS_MANAGER);
checkGranting(CREATE_MODIFY_DESTROY_TIMEFRAMES,
ROLE_RECORDS_MANAGER);
checkGranting(CREATE_MODIFY_DESTROY_USERS_AND_GROUPS,
ROLE_RECORDS_MANAGER);
checkGranting(CREATE_MODIFY_RECORDS_IN_CUTOFF_FOLDERS,
ROLE_RECORDS_MANAGER);
checkGranting(CYCLE_VITAL_RECORDS,
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER,
ROLE_POWER_USER);
checkGranting(DECLARE_AUDIT_AS_RECORD,
ROLE_RECORDS_MANAGER);
checkGranting(DECLARE_RECORDS, ROLE_RECORDS_MANAGER,
ROLE_SECURITY_OFFICER, ROLE_POWER_USER,
ROLE_USER);
checkGranting(DECLARE_RECORDS_IN_CLOSED_FOLDERS,
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER,
ROLE_POWER_USER);
checkGranting(DELETE_AUDIT, ROLE_RECORDS_MANAGER);
checkGranting(DELETE_LINKS, ROLE_RECORDS_MANAGER);
checkGranting(DELETE_RECORDS, ROLE_RECORDS_MANAGER);
checkGranting(DESTROY_RECORDS, ROLE_RECORDS_MANAGER);
checkGranting(
DESTROY_RECORDS_SCHEDULED_FOR_DESTRUCTION,
ROLE_RECORDS_MANAGER);
checkGranting(DISPLAY_RIGHTS_REPORT,
ROLE_RECORDS_MANAGER);
checkGranting(EDIT_DECLARED_RECORD_METADATA,
ROLE_RECORDS_MANAGER);
checkGranting(EDIT_NON_RECORD_METADATA,
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER,
ROLE_POWER_USER);
checkGranting(EDIT_RECORD_METADATA,
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER,
ROLE_POWER_USER);
checkGranting(EDIT_SELECTION_LISTS,
ROLE_RECORDS_MANAGER);
checkGranting(ENABLE_DISABLE_AUDIT_BY_TYPES,
ROLE_RECORDS_MANAGER);
checkGranting(EXPORT_AUDIT, ROLE_RECORDS_MANAGER);
checkGranting(EXTEND_RETENTION_PERIOD_OR_FREEZE,
ROLE_RECORDS_MANAGER);
checkGranting(MAKE_OPTIONAL_PARAMETERS_MANDATORY,
ROLE_RECORDS_MANAGER);
checkGranting(MANAGE_ACCESS_CONTROLS);
checkGranting(MANAGE_ACCESS_RIGHTS,
ROLE_RECORDS_MANAGER);
checkGranting(MANUALLY_CHANGE_DISPOSITION_DATES,
ROLE_RECORDS_MANAGER);
checkGranting(MAP_CLASSIFICATION_GUIDE_METADATA,
ROLE_RECORDS_MANAGER);
checkGranting(MAP_EMAIL_METADATA, ROLE_RECORDS_MANAGER);
checkGranting(MOVE_RECORDS, ROLE_RECORDS_MANAGER);
checkGranting(PASSWORD_CONTROL, ROLE_RECORDS_MANAGER);
checkGranting(PLANNING_REVIEW_CYCLES,
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER,
ROLE_POWER_USER);
checkGranting(RE_OPEN_FOLDERS, ROLE_RECORDS_MANAGER,
ROLE_SECURITY_OFFICER, ROLE_POWER_USER);
checkGranting(SELECT_AUDIT_METADATA,
ROLE_RECORDS_MANAGER);
checkGranting(TRIGGER_AN_EVENT, ROLE_RECORDS_MANAGER);
checkGranting(UNDECLARE_RECORDS, ROLE_RECORDS_MANAGER);
checkGranting(UNFREEZE, ROLE_RECORDS_MANAGER);
checkGranting(UPDATE_CLASSIFICATION_DATES,
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER);
checkGranting(UPDATE_EXEMPTION_CATEGORIES,
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER);
checkGranting(UPDATE_TRIGGER_DATES,
ROLE_RECORDS_MANAGER);
checkGranting(UPDATE_VITAL_RECORD_CYCLE_INFORMATION,
ROLE_RECORDS_MANAGER);
checkGranting(UPGRADE_DOWNGRADE_AND_DECLASSIFY_RECORDS,
ROLE_RECORDS_MANAGER, ROLE_SECURITY_OFFICER);
checkGranting(VIEW_RECORDS, ROLE_RECORDS_MANAGER,
ROLE_SECURITY_OFFICER, ROLE_POWER_USER,
ROLE_USER);
checkGranting(VIEW_UPDATE_REASONS_FOR_FREEZE,
ROLE_RECORDS_MANAGER);
return null;
}
}, false, true);
}
/**
* Check that the roles passed have grant on the permission passed.
*
* @param permission
* permission
* @param roles
* grant roles
*/
private void checkGranting(String permission, String... roles)
{
Set<PermissionReference> granting = permissionModel
.getGrantingPermissions(permissionModel.getPermissionReference(
RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT,
permission));
Set<PermissionReference> test = new HashSet<PermissionReference>();
test.addAll(granting);
Set<PermissionReference> nonRM = new HashSet<PermissionReference>();
for (PermissionReference pr : granting)
{
if (!pr.getQName().equals(
RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
{
nonRM.add(pr);
}
}
test.removeAll(nonRM);
assertEquals(roles.length + 2, test.size());
assertTrue(test.contains(permissionModel.getPermissionReference(
RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT,
ROLE_ADMINISTRATOR)));
for (String role : roles)
{
assertTrue(test.contains(permissionModel.getPermissionReference(
RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT, role)));
}
}
/**
* Test file plan as system
*/

4
rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/service/RecordServiceImplTest.java
View File

@@ -33,9 +33,7 @@ import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.service.cmr.action.ActionService;
import org.alfresco.service.cmr.repository.ContentWriter;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.QName;
@@ -275,7 +273,7 @@ public class RecordServiceImplTest extends BaseRMTestCase
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.EDIT_RECORD_METADATA));
Capability filling = capabilityService.getCapability("FileRecords");
assertEquals(AccessStatus.ALLOWED, filling.hasPermission(dmDocument));
assertEquals(AccessStatus.DENIED, filling.hasPermission(dmDocument));
Capability editRecordMetadata = capabilityService.getCapability("EditRecordMetadata");
assertEquals(AccessStatus.ALLOWED, editRecordMetadata.hasPermission(dmDocument));