Fixes ALF-11742: Contributor could not publish content uploaded by another user

- A user is able to publish content to a channel if they have permission to add children to the node representing the channel in the repo. In Share terms, this means that people with any one of Manager, Coordinator, Collaborator, or Contributor roles on a channel are allowed to publish to that channel. This means that people with the Consumer role on a channel are not allowed to publish to that channel. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@32558 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2011-12-06 10:47:35 +00:00
parent 598f7d939d
commit e55ff0db2e
1 changed files with 51 additions and 16 deletions
--- a/source/java/org/alfresco/repo/publishing/ChannelImpl.java
+++ b/source/java/org/alfresco/repo/publishing/ChannelImpl.java
@@ -33,6 +33,9 @@ import java.util.Set;

 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.node.NodeUtils;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
+import org.alfresco.repo.security.permissions.AccessDeniedException;
 import org.alfresco.service.ServiceRegistry;
 import org.alfresco.service.cmr.dictionary.DictionaryService;
 import org.alfresco.service.cmr.publishing.NodeSnapshot;
@@ -55,6 +58,7 @@ import org.alfresco.util.ParameterCheck;
 */
 public class ChannelImpl implements Channel
 {
+    private static final String PERMISSIONS_ERR_ACCESS_DENIED = "permissions.err_access_denied";
    private final NodeRef nodeRef;
    private final AbstractChannelType channelType;
    private final String name;
@@ -132,20 +136,43 @@ public class ChannelImpl implements Channel
         }
     }

-    public void unpublishEntry(PublishingPackageEntry entry)
+    public void unpublishEntry(final PublishingPackageEntry entry)
    {
-        NodeRef channelNode = new NodeRef(getId());
-        NodeRef publishedNode = channelHelper.mapSourceToEnvironment(entry.getNodeRef(), channelNode);
-        if (NodeUtils.exists(publishedNode, nodeService))
+        final NodeRef channelNode = getNodeRef();
+        if (channelHelper.hasPublishPermissions(channelNode))
        {
-            unpublish(publishedNode);
+            AuthenticationUtil.runAsSystem(new RunAsWork<NodeRef>()
+            {
+                @Override
+                public NodeRef doWork() throws Exception
+                {
+                    NodeRef unpublishedNode = channelHelper.mapSourceToEnvironment(entry.getNodeRef(), channelNode);
+                    if (NodeUtils.exists(unpublishedNode, nodeService))
+                    {
+                        unpublish(unpublishedNode);
                        // Need to set as temporary to delete node instead of archiving.
-            nodeService.addAspect(publishedNode, ContentModel.ASPECT_TEMPORARY, null);
-            nodeService.deleteNode(publishedNode);
+                        nodeService.addAspect(unpublishedNode, ContentModel.ASPECT_TEMPORARY, null);
+                        nodeService.deleteNode(unpublishedNode);
+                    }
+                    return unpublishedNode;
+                }
+            });
        }
    }

-    public NodeRef publishEntry(PublishingPackageEntry entry, NodeRef eventNode)
+    public NodeRef publishEntry(final PublishingPackageEntry entry, final NodeRef eventNode)
+    {
+        NodeRef publishedNode;
+        //We decouple the permissions needed to publish from the permissions needed to do what's
+        //necessary to actually do the publish. If that makes sense...
+        //For example, a user may be able to publish to a channel even if they do not have permission
+        //to add an aspect to a published node (which is a necessary part of the publishing process).
+        if (channelHelper.hasPublishPermissions(getNodeRef()))
+        {
+            publishedNode = AuthenticationUtil.runAsSystem(new RunAsWork<NodeRef>()
+            {
+                @Override
+                public NodeRef doWork() throws Exception
                {
                    NodeRef publishedNode = channelHelper.mapSourceToEnvironment(entry.getNodeRef(), getNodeRef());
                    if (publishedNode == null)
@@ -160,6 +187,14 @@ public class ChannelImpl implements Channel
                    publish(publishedNode);
                    return publishedNode;
                }
+            });
+        }
+        else
+        {
+            throw new AccessDeniedException(PERMISSIONS_ERR_ACCESS_DENIED);
+        }
+        return publishedNode;
+    }
    
    /**
     * Creates a new node under the root of the specified channel. The type,