From 8d978d6527c1021bc8a62f729c5f99677a2146b3 Mon Sep 17 00:00:00 2001
From: MichalKinas
Date: Tue, 13 Feb 2024 11:33:20 +0100
Subject: [PATCH 1/2] ACS-5506 Fix string to node ref cast exception
---
 .../java/org/alfresco/rest/api/impl/GroupsImpl.java | 4 ++--
 .../impl/acegi/ACLEntryAfterInvocationProvider.java | 13 ++++++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/remote-api/src/main/java/org/alfresco/rest/api/impl/GroupsImpl.java b/remote-api/src/main/java/org/alfresco/rest/api/impl/GroupsImpl.java
index d291b1293b..fd67f5e9aa 100644
--- a/remote-api/src/main/java/org/alfresco/rest/api/impl/GroupsImpl.java
+++ b/remote-api/src/main/java/org/alfresco/rest/api/impl/GroupsImpl.java
@@ -147,7 +147,7 @@ public class GroupsImpl implements Groups
 }
 Map props = new HashMap<>();
- if (StringUtils.isNotEmpty(group.getDescription()))
+ if (group.getDescription() != null)
 {
 props.put(ContentModel.PROP_DESCRIPTION, group.getDescription());
 }
@@ -170,7 +170,7 @@ public class GroupsImpl implements Groups
 try
 {
- if (StringUtils.isNotEmpty(group.getDescription()))
+ if (group.getDescription() != null)
 {
 authorityService.setAuthorityDisplayNameAndDescription(groupId, group.getDisplayName(), group.getDescription());
 }
diff --git a/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java b/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
index 9185cfa0f8..b80ff0a3ea 100644
--- a/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
+++ b/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
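Review bot: The new `group.getDescription() != null` guard in GroupsImpl (hunk at -147, and again at -170) lets an empty or whitespace-only description through to `props.put(...)` and `setAuthorityDisplayNameAndDescription(...)`, which `StringUtils.isNotEmpty` used to filter out. If the intent is to let a caller clear a description, record it next to the check, e.g. `// null = field not supplied; "" is stored as given so a description can be cleared`, and cover the empty-string case with a test. If `StringUtils` has no other use in the file its import is now unused, which cannot be confirmed from these hunks. Both enclosing methods start and end outside the hunks.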
@@ -269,7 +269,18 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
 }
 else if (Pair.class.isAssignableFrom(returnedObject.getClass()))
 {
- return decide(authentication, object, config, (Pair) returnedObject);
+ Pair pair = (Pair) returnedObject;
+ if (pair.getSecond() != null && NodeRef.class.isAssignableFrom(pair.getSecond().getClass()))
+ {
+ return decide(authentication, object, config, pair);
+ } else
+ {
+ if (log.isDebugEnabled())
+ {
+ log.debug("Uncontrolled object - access allowed for " + object.getClass().getName());
+ }
+ return returnedObject;
+ }
 }
 else if (ChildAssociationRef.class.isAssignableFrom(returnedObject.getClass()))
 {
From e3407e5a538b2a06b1c3808a99ffc842eb66b874 Mon Sep 17 00:00:00 2001
From: MichalKinas
Date: Tue, 13 Feb 2024 13:22:51 +0100
Subject: [PATCH 2/2] ACS-5506 Move NodeRef check to decide method
---
 .../acegi/ACLEntryAfterInvocationProvider.java | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)
diff --git a/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java b/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
index b80ff0a3ea..5888a4b313 100644
--- a/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
+++ b/repository/src/main/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
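Review bot: The new `else` branch in the Pair case of ACLEntryAfterInvocationProvider returns `returnedObject` with no permission check whenever `pair.getSecond()` is null or is not a `NodeRef`, so the after-invocation provider fails open for every other Pair payload; the hunk at -435 in patch 2/2 carries the same unchecked return into `decide(..., Pair)`. The surrounding dispatch has dedicated branches for other reference types (the `ChildAssociationRef` branch is visible just below), and a Pair holding one of those in its second element, or a reference in its first, would presumably be handed back unfiltered. Either pass the second element through the same type dispatch, or state the invariant at the check, e.g. `// Pair.second is access-controlled only when it is a NodeRef; every other payload is intentionally returned unchecked`. The debug message names `object.getClass()`, presumably the secured invocation, rather than the class of the pair's second element, which makes a skipped check hard to trace. The enclosing method starts and ends outside the hunk.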
@@ -269,18 +269,7 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
 }
 else if (Pair.class.isAssignableFrom(returnedObject.getClass()))
 {
- Pair pair = (Pair) returnedObject;
- if (pair.getSecond() != null && NodeRef.class.isAssignableFrom(pair.getSecond().getClass()))
- {
- return decide(authentication, object, config, pair);
- } else
- {
- if (log.isDebugEnabled())
- {
- log.debug("Uncontrolled object - access allowed for " + object.getClass().getName());
- }
- return returnedObject;
- }
+ return decide(authentication, object, config, (Pair) returnedObject);
 }
 else if (ChildAssociationRef.class.isAssignableFrom(returnedObject.getClass()))
 {
@@ -435,6 +424,11 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
 @SuppressWarnings("rawtypes")
 private Pair decide(Authentication authentication, Object object, ConfigAttributeDefinition config, Pair returnedObject) throws AccessDeniedException
 {
+ if (returnedObject.getSecond() != null && !NodeRef.class.isAssignableFrom(returnedObject.getSecond().getClass()))
+ {
+ return returnedObject;
+ }
+
 NodeRef nodeRef = (NodeRef) returnedObject.getSecond();
 decide(authentication, object, config, nodeRef);
 // the noderef was allowed
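Review bot: The early return added at the top of `decide(..., Pair)` (hunk at -435) drops the debug line that patch 1/2 wrote, so a Pair that skips the permission check now leaves no trace in the log. A null second element also changes path compared with 1/2: it is no longer returned as-is but falls through to the `(NodeRef)` cast and the NodeRef overload, whose null handling lies outside the hunk and should be confirmed. I would read the second element once, test it with `instanceof`, and log the skipped payload type at debug level, as in the excerpt below. The method body continues past the end of the hunk.

```java
private Pair decide(Authentication authentication, Object object, ConfigAttributeDefinition config, Pair returnedObject) throws AccessDeniedException
{
    Object second = returnedObject.getSecond();
    // Only a NodeRef payload is permission-checked here; anything else is returned unchecked, so leave a trace.
    if (second != null && !(second instanceof NodeRef))
    {
        if (log.isDebugEnabled())
        {
            log.debug("Uncontrolled object - access allowed for " + second.getClass().getName());
        }
        return returnedObject;
    }

    NodeRef nodeRef = (NodeRef) second;
    // … unchanged: decide(authentication, object, config, nodeRef) and the rest of the method …
```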