From dc5427d92032f22c29e3bae8afe9a58c0e5418cd Mon Sep 17 00:00:00 2001
From: Jan Vonka
Date: Wed, 7 Dec 2016 11:19:20 +0000
Subject: [PATCH] REPO-1579: V1 REST API - create person fix - expect 403 instead of 409, if a non-admin tries to create a person that already exists - REPO-892

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@133423 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../org/alfresco/rest/api/impl/PeopleImpl.java | 8 +++++++-
 .../org/alfresco/rest/api/tests/TestPeople.java | 16 ++++++++++++----
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/source/java/org/alfresco/rest/api/impl/PeopleImpl.java b/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
index 46b84d5a03..8347ae075e 100644
--- a/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
@@ -440,7 +440,13 @@ public class PeopleImpl implements People
 {
 validateCreatePersonData(person);
- // TODO: check, is this transaction safe?
+ if (! isAdminAuthority())
+ {
+ // note: do an explict check for admin here (since personExists does not throw 403 unlike createPerson,
+ // hence next block would cause 409 to be returned)
+ throw new PermissionDeniedException();
+ }
+
 // Unfortunately PersonService.createPerson(...) only throws an AlfrescoRuntimeException
 // rather than a more specific exception and does not use a message ID either, so there's
 // no sensible way to know that it was thrown due to the user already existing - hence this check here.
diff --git a/source/test-java/org/alfresco/rest/api/tests/TestPeople.java b/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
index 68aca5e24b..cc6eeddcfe 100644
--- a/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
+++ b/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
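Review bot: The new admin check runs after `validateCreatePersonData(person)`, so a non-admin caller still has the request body validated (and any validation error returned) before being refused; fail closed by moving the `if (! isAdminAuthority()) { throw new PermissionDeniedException(); }` block above `validateCreatePersonData(person);` so authorization is decided before any of the untrusted payload is processed. The removed `// TODO: check, is this transaction safe?` appears to have flagged the check-then-create window between the existence check the following comment describes and `PersonService.createPerson(...)`, which this change does not close; keep that note rather than dropping it, e.g. `// NOTE: the exists check and createPerson are not atomic - a concurrent create can still reach createPerson`. Minor: `explict` should read `explicit` in the new comment, and `!isAdminAuthority()` without the space is the usual Java form. The enclosing method's signature and remainder lie outside the hunk.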
@@ -468,17 +468,25 @@ public class TestPeople extends EnterpriseTestApi
 // -ve: person already exists
 {
- publicApiClient.setRequestContext(new RequestContext(account1.getId(), account1Admin, "admin"));
+ String username = "myUserName03@"+account1.getId();
+ String password = "secret";
+
 Person person = new Person();
- person.setUserName("myUserName03@"+account1.getId());
+ person.setUserName(username);
 person.setFirstName("Alison");
 person.setEmail("alison.smythe@example.com");
 person.setEnabled(true);
- person.setPassword("secret");
+ person.setPassword(password);
+
+ publicApiClient.setRequestContext(new RequestContext(account1.getId(), account1Admin, "admin"));
 people.create(person);
- // Attempt to create the person a second time.
+ // Attempt to create the person a second time - as admin expect 409
 people.create(person, 409);
+
+ publicApiClient.setRequestContext(new RequestContext(account1.getId(), username, password));
+ // Attempt to create the person a second time - as non-admin expect 403
+ people.create(person, 403);
 }
 }
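Review bot: The block now ends with `publicApiClient` switched to the non-admin context (`username`/`password`) and never switches back, whereas the original block began by establishing the admin context; any later steps in this test that relied on an admin context (outside the hunk) would now run as the freshly created user. Re-assert the admin context as the block's last statement, `publicApiClient.setRequestContext(new RequestContext(account1.getId(), account1Admin, "admin"));`, or reset it explicitly in whatever follows. The 403 expectation is only exercised for a username that already exists; since the production change refuses every non-admin create before the existence check, a non-admin creating a fresh username (e.g. `person.setUserName("myUserName04@"+account1.getId()); people.create(person, 403);`) is worth asserting too, unless that case is already covered elsewhere in the class. The enclosing test method starts outside the hunk.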