inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-07 17:49:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged DEV to HEAD (4.2)

Browse Source 
54623: ALF-19234: An Editor (probably also Collaborator) can take ownership of a document (probably also folders)
     - The new "ACL_ITEM" cad was implemented. Now we check TakeOwnership permission if cm:owner property is going to change when NodeService.addProperties(), NodeService.addAspect(), NodeService.setProperties(), NodeService.setProperty() methods were invoked. Also testTakeOwnershipPermission test was added to check if we can take document ownership through NodeService without appropriate permissions.


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@55167 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Pavel Yurke
2013-09-10 10:11:58 +00:00
parent f89f2abff4
commit da112f3a33
3 changed files with 214 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
config/alfresco/public-services-security-context.xml
View File

@@ -199,6 +199,9 @@
<property name="nodeService"> <property name="nodeService">
<ref bean="nodeService"></ref> <ref bean="nodeService"></ref>
</property> </property>
<property name="ownableService">
<ref bean="ownableService"></ref>
</property>
<property name="authenticationService"> <property name="authenticationService">
<ref bean="authenticationService" /> <ref bean="authenticationService" />
</property> </property>
@@ -388,7 +391,7 @@
org.alfresco.service.cmr.repository.NodeService.setChildAssociationIndex=ACL_PARENT.0.sys:base.WriteProperties org.alfresco.service.cmr.repository.NodeService.setChildAssociationIndex=ACL_PARENT.0.sys:base.WriteProperties
org.alfresco.service.cmr.repository.NodeService.getType=ACL_ALLOW org.alfresco.service.cmr.repository.NodeService.getType=ACL_ALLOW
org.alfresco.service.cmr.repository.NodeService.setType=ACL_NODE.0.sys:base.WriteProperties org.alfresco.service.cmr.repository.NodeService.setType=ACL_NODE.0.sys:base.WriteProperties
org.alfresco.service.cmr.repository.NodeService.addAspect=ACL_NODE.0.sys:base.WriteProperties org.alfresco.service.cmr.repository.NodeService.addAspect=ACL_NODE.0.sys:base.WriteProperties,ACL_ITEM.0.cm:ownable.TakeOwnership
org.alfresco.service.cmr.repository.NodeService.removeAspect=ACL_NODE.0.sys:base.WriteProperties org.alfresco.service.cmr.repository.NodeService.removeAspect=ACL_NODE.0.sys:base.WriteProperties
org.alfresco.service.cmr.repository.NodeService.hasAspect=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.hasAspect=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getAspects=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getAspects=ACL_NODE.0.sys:base.ReadProperties
@@ -398,9 +401,9 @@
org.alfresco.service.cmr.repository.NodeService.removeChildAssociation=ACL_PARENT.0.sys:base.DeleteChildren,ACL_PRI_CHILD_ASSOC_ON_CHILD.0.sys:base.DeleteNode org.alfresco.service.cmr.repository.NodeService.removeChildAssociation=ACL_PARENT.0.sys:base.DeleteChildren,ACL_PRI_CHILD_ASSOC_ON_CHILD.0.sys:base.DeleteNode
org.alfresco.service.cmr.repository.NodeService.getProperties=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getProperties=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getProperty=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getProperty=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.setProperties=ACL_NODE.0.sys:base.WriteProperties org.alfresco.service.cmr.repository.NodeService.setProperties=ACL_NODE.0.sys:base.WriteProperties,ACL_ITEM.0.cm:ownable.TakeOwnership
org.alfresco.service.cmr.repository.NodeService.addProperties=ACL_NODE.0.sys:base.WriteProperties org.alfresco.service.cmr.repository.NodeService.addProperties=ACL_NODE.0.sys:base.WriteProperties,ACL_ITEM.0.cm:ownable.TakeOwnership
org.alfresco.service.cmr.repository.NodeService.setProperty=ACL_NODE.0.sys:base.WriteProperties org.alfresco.service.cmr.repository.NodeService.setProperty=ACL_NODE.0.sys:base.WriteProperties,ACL_ITEM.0.cm:ownable.TakeOwnership
org.alfresco.service.cmr.repository.NodeService.removeProperty=ACL_NODE.0.sys:base.WriteProperties org.alfresco.service.cmr.repository.NodeService.removeProperty=ACL_NODE.0.sys:base.WriteProperties
org.alfresco.service.cmr.repository.NodeService.getParentAssocs=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getParentAssocs=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getChildAssocs=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getChildAssocs=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties

94
source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.java
View File

@@ -18,11 +18,13 @@
*/ */
package org.alfresco.repo.security.permissions.impl.acegi; package org.alfresco.repo.security.permissions.impl.acegi;
import java.io.Serializable;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashSet; import java.util.HashSet;
import java.util.Iterator; import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.Map;
import java.util.Set; import java.util.Set;
import java.util.StringTokenizer; import java.util.StringTokenizer;
@@ -31,6 +33,7 @@ import net.sf.acegisecurity.ConfigAttribute;
import net.sf.acegisecurity.ConfigAttributeDefinition; import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.vote.AccessDecisionVoter; import net.sf.acegisecurity.vote.AccessDecisionVoter;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.permissions.impl.SimplePermissionReference; import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
import org.alfresco.service.cmr.repository.ChildAssociationRef; import org.alfresco.service.cmr.repository.ChildAssociationRef;
@@ -40,6 +43,7 @@ import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthenticationService; import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.cmr.security.AuthorityService; import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.OwnableService;
import org.alfresco.service.cmr.security.PermissionService; import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.NamespacePrefixResolver; import org.alfresco.service.namespace.NamespacePrefixResolver;
import org.alfresco.service.namespace.QName; import org.alfresco.service.namespace.QName;
@@ -57,7 +61,9 @@ public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean
private static Log log = LogFactory.getLog(ACLEntryVoter.class); private static Log log = LogFactory.getLog(ACLEntryVoter.class);
private static final String ACL_NODE = "ACL_NODE"; private static final String ACL_NODE = "ACL_NODE";
private static final String ACL_ITEM = "ACL_ITEM";
private static final String ACL_PRI_CHILD_ASSOC_ON_CHILD = "ACL_PRI_CHILD_ASSOC_ON_CHILD"; private static final String ACL_PRI_CHILD_ASSOC_ON_CHILD = "ACL_PRI_CHILD_ASSOC_ON_CHILD";
private static final String ACL_PARENT = "ACL_PARENT"; private static final String ACL_PARENT = "ACL_PARENT";
@@ -74,6 +80,8 @@ public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean
private NodeService nodeService; private NodeService nodeService;
private OwnableService ownableService;
private AuthorityService authorityService; private AuthorityService authorityService;
private Set<QName> abstainForClassQNames = new HashSet<QName>(); private Set<QName> abstainForClassQNames = new HashSet<QName>();
@@ -137,6 +145,15 @@ public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean
return nodeService; return nodeService;
} }
/**
* Get the ownable service
* @return the ownable service
*/
public OwnableService getOwnableService()
{
return ownableService;
}
/** /**
* Set the node service * Set the node service
* @param nodeService * @param nodeService
@@ -146,6 +163,15 @@ public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean
this.nodeService = nodeService; this.nodeService = nodeService;
} }
/**
* Set the ownable service
* @param nodeService
*/
public void setOwnableService(OwnableService ownableService)
{
this.ownableService = ownableService;
}
/** /**
* Set the authentication service * Set the authentication service
* @param authenticationService * @param authenticationService
@@ -207,6 +233,7 @@ public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean
{ {
if ((attribute.getAttribute() != null) if ((attribute.getAttribute() != null)
&& (attribute.getAttribute().startsWith(ACL_NODE) && (attribute.getAttribute().startsWith(ACL_NODE)
|| attribute.getAttribute().startsWith(ACL_ITEM)
|| attribute.getAttribute().startsWith(ACL_PRI_CHILD_ASSOC_ON_CHILD) || attribute.getAttribute().startsWith(ACL_PRI_CHILD_ASSOC_ON_CHILD)
|| attribute.getAttribute().startsWith(ACL_PARENT) || attribute.getAttribute().startsWith(ACL_PARENT)
|| attribute.getAttribute().equals(ACL_ALLOW) || attribute.getAttribute().equals(ACL_ALLOW)
@@ -416,6 +443,65 @@ public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean
throw new ACLEntryVoterException("The specified parameter is not a NodeRef or ChildAssociationRef"); throw new ACLEntryVoterException("The specified parameter is not a NodeRef or ChildAssociationRef");
} }
} }
else if (cad.typeString.equals(ACL_ITEM))
{
if (NodeRef.class.isAssignableFrom(params[cad.parameter[0]]))
{
if (Map.class.isAssignableFrom(params[1]) || Map.class.isAssignableFrom(params[2]))
{
Map<QName, Serializable> properties = (Map<QName, Serializable>) (Map.class.isAssignableFrom(params[1]) ? getArgument(invocation, 1) : getArgument(invocation, 2));
if (properties != null && properties.containsKey(ContentModel.PROP_OWNER))
{
testNodeRef = getArgument(invocation, cad.parameter[0]);
boolean isChanged = !properties.get(ContentModel.PROP_OWNER).toString().equals(ownableService.getOwner(testNodeRef));
if (!isChanged)
{
testNodeRef = null;
}
if (log.isDebugEnabled())
{
if (nodeService.exists(testNodeRef))
{
log.debug("\tPermission test on node " + nodeService.getPath(testNodeRef));
}
else
{
log.debug("\tPermission test on non-existing node " + testNodeRef);
}
}
}
}
else if (QName.class.isAssignableFrom(params[1]) && params[2] != null)
{
testNodeRef = getArgument(invocation, cad.parameter[0]);
boolean isChanged = !getArgument(invocation, 2).toString().equals(ownableService.getOwner(testNodeRef));
if (!isChanged)
{
testNodeRef = null;
}
if (log.isDebugEnabled())
{
if (nodeService.exists(testNodeRef))
{
log.debug("\tPermission test on node " + nodeService.getPath(testNodeRef));
}
else
{
log.debug("\tPermission test on non-existing node " + testNodeRef);
}
}
}
}
else
{
throw new ACLEntryVoterException("The specified parameter is not a Item");
}
}
else if (cad.typeString.equals(ACL_PARENT)) else if (cad.typeString.equals(ACL_PARENT))
{ {
// There is no point having parent permissions for store // There is no point having parent permissions for store
@@ -573,14 +659,14 @@ public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean
} }
typeString = st.nextToken(); typeString = st.nextToken();
if (!(typeString.equals(ACL_NODE) || typeString.equals(ACL_PRI_CHILD_ASSOC_ON_CHILD) if (!(typeString.equals(ACL_NODE) || typeString.equals(ACL_ITEM) || typeString.equals(ACL_PRI_CHILD_ASSOC_ON_CHILD)
|| typeString.equals(ACL_PARENT) || typeString.equals(ACL_ALLOW) || typeString.equals(ACL_METHOD) || typeString || typeString.equals(ACL_PARENT) || typeString.equals(ACL_ALLOW) || typeString.equals(ACL_METHOD) || typeString
.equals(ACL_DENY))) .equals(ACL_DENY)))
{ {
throw new ACLEntryVoterException("Invalid type: must be ACL_NODE, ACL_PARENT or ACL_ALLOW"); throw new ACLEntryVoterException("Invalid type: must be ACL_NODE, ACL_ITEM, ACL_PARENT or ACL_ALLOW");
} }
if (typeString.equals(ACL_NODE) || typeString.equals(ACL_PRI_CHILD_ASSOC_ON_CHILD) if (typeString.equals(ACL_NODE) || typeString.equals(ACL_ITEM) || typeString.equals(ACL_PRI_CHILD_ASSOC_ON_CHILD)
|| typeString.equals(ACL_PARENT)) || typeString.equals(ACL_PARENT))
{ {
int count = st.countTokens(); int count = st.countTokens();

117
source/test-java/org/alfresco/repo/version/NodeServiceImplTest.java
View File

@@ -29,14 +29,21 @@ import java.util.Set;
import org.alfresco.model.ApplicationModel; import org.alfresco.model.ApplicationModel;
import org.alfresco.model.ContentModel; import org.alfresco.model.ContentModel;
import org.alfresco.repo.cache.TransactionalCache; import org.alfresco.repo.cache.TransactionalCache;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.service.cmr.repository.AssociationRef; import org.alfresco.service.cmr.repository.AssociationRef;
import org.alfresco.service.cmr.repository.ChildAssociationRef; import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService; import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.Path; import org.alfresco.service.cmr.repository.Path;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.cmr.version.Version; import org.alfresco.service.cmr.version.Version;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName; import org.alfresco.service.namespace.QName;
import org.alfresco.service.namespace.RegexQNamePattern; import org.alfresco.service.namespace.RegexQNamePattern;
import org.alfresco.util.GUID;
import org.alfresco.util.TestWithUserUtils;
import org.alfresco.util.debug.NodeStoreInspector; import org.alfresco.util.debug.NodeStoreInspector;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
@@ -59,6 +66,11 @@ public class NodeServiceImplTest extends BaseVersionStoreTest
private final static String MSG_ERR = private final static String MSG_ERR =
"This operation is not supported by a version store implementation of the node service."; "This operation is not supported by a version store implementation of the node service.";
/**
* User password
*/
private static final String PWD = "password";
/** /**
* Dummy data used in failure tests * Dummy data used in failure tests
*/ */
@@ -715,4 +727,109 @@ public class NodeServiceImplTest extends BaseVersionStoreTest
Version version = createVersion(newNode, this.versionProperties); Version version = createVersion(newNode, this.versionProperties);
assertNotNull(version); assertNotNull(version);
} }
public void testTakeOwnershipPermission()
{
NodeService proxyNodeService = (NodeService) applicationContext.getBean("NodeService");
// Authenticate as system user because the current user should not be node owner
AuthenticationComponent authenticationComponent = (AuthenticationComponent) this.applicationContext.getBean("authenticationComponent");
authenticationComponent.setSystemUserAsCurrentUser();
// Create folder
Map<QName, Serializable> folderProps = new HashMap<QName, Serializable>(1);
String folderName = "testFolder" + GUID.generate();
folderProps.put(ContentModel.PROP_NAME, folderName);
NodeRef folderRef = this.nodeService.createNode(this.rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, folderName),
ContentModel.TYPE_FOLDER, folderProps).getChildRef();
// Create document
Map<QName, Serializable> docProps = new HashMap<QName, Serializable>(1);
String docName = "testDoc" + GUID.generate() + ".txt";
docProps.put(ContentModel.PROP_NAME, docName);
NodeRef docRef = this.nodeService.createNode(folderRef, ContentModel.ASSOC_CONTAINS, QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, docName),
ContentModel.TYPE_CONTENT, docProps).getChildRef();
// Create user
String userName = "testUser" + GUID.generate();
TestWithUserUtils.createUser(userName, PWD, this.rootNodeRef, this.nodeService, this.authenticationService);
// Apply editor permission to document
permissionService.deletePermissions(docRef);
permissionService.setInheritParentPermissions(docRef, false);
permissionService.setPermission(docRef, userName, PermissionService.EDITOR, true);
// Authenticate test user
TestWithUserUtils.authenticateUser(userName, PWD, this.rootNodeRef, this.authenticationService);
// Check if a user has not the "take ownership" permission directly through permissionService
boolean isAble = AccessStatus.ALLOWED == permissionService.hasPermission(docRef, PermissionService.TAKE_OWNERSHIP);
assertEquals("Incorrect TakeOwnership permission.", false, isAble);
// Add ownable aspect to the document
this.nodeService.addAspect(docRef, ContentModel.ASPECT_OWNABLE, null);
// Take ownership through addAspect method
Map<QName, Serializable> properties = new HashMap<QName, Serializable>(4, 1.0f);
properties.put(ContentModel.PROP_OWNER, (Serializable) userName);
try
{
proxyNodeService.addAspect(docRef, ContentModel.ASPECT_OWNABLE, properties);
}
catch (AccessDeniedException e)
{
}
// Retrieve the data directly from the node service to ensure its not been changed
String updatedOwner = (String) this.nodeService.getProperty(docRef, ContentModel.PROP_OWNER);
boolean isUserOwner = updatedOwner == null || !updatedOwner.equals(userName) ? false : true;
assertEquals("Ownership's rights to the document have been taken by the user that has Editor permissions (addAspect).", false, isUserOwner);
// Take ownership through addProperties method
try
{
proxyNodeService.addProperties(docRef, properties);
}
catch (AccessDeniedException e)
{
}
// Retrieve the data directly from the node service to ensure its not been changed
updatedOwner = (String) this.nodeService.getProperty(docRef, ContentModel.PROP_OWNER);
isUserOwner = updatedOwner == null || !updatedOwner.equals(userName) ? false : true;
assertEquals("Ownership's rights to the document have been taken by the user that has Editor permissions (addProperties).", false, isUserOwner);
// Take ownership through setProperties method
try
{
proxyNodeService.setProperties(docRef, properties);
}
catch (AccessDeniedException e)
{
}
// Retrieve the data directly from the node service to ensure its not been changed
updatedOwner = (String) this.nodeService.getProperty(docRef, ContentModel.PROP_OWNER);
isUserOwner = updatedOwner == null || !updatedOwner.equals(userName) ? false : true;
assertEquals("Ownership's rights to the document have been taken by the user that has Editor permissions (setProperties).", false, isUserOwner);
// Take ownership through setProperty method
try
{
proxyNodeService.setProperty(docRef, ContentModel.ASPECT_OWNABLE, (Serializable) userName);
}
catch (AccessDeniedException e)
{
}
// Retrieve the data directly from the node service to ensure its not been changed
updatedOwner = (String) this.nodeService.getProperty(docRef, ContentModel.PROP_OWNER);
isUserOwner = updatedOwner == null || !updatedOwner.equals(userName) ? false : true;
assertEquals("Ownership's rights to the document have been taken by the user that has Editor permissions (setProperty).", false, isUserOwner);
}
} }