Merged mward/5.2.n-repo1636-customonly (5.2.1) to 5.2.N (5.2.1)

133683 mward: REPO-1636 (initial commit): Properties from the "cm", "usr", "sys" namespaces should not be exposed


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@133703 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/rest/api/Nodes.java

@@ -269,13 +269,15 @@ public interface Nodes
      * Convert from node properties (map of QName to Serializable) retrieved from
      * the respository to a map of String to Object that can be formatted/expressed
      * as required by the API JSON response for get nodes, get person etc.
+     * <p>
+     * Returns null if there are no properties to return, rather than an empty map.
      * 
      * @param nodeProps
      * @param selectParam
      * @param mapUserInfo
      * @param excludedNS
      * @param excludedProps
-     * @return
+     * @return The map of properties, or null if none to return.
      */
     Map<String, Object> mapFromNodeProperties(Map<QName, Serializable> nodeProps, List<String> selectParam, Map<String,UserInfo> mapUserInfo, List<String> excludedNS, List<QName> excludedProps);
 
@@ -288,15 +290,26 @@ public interface Nodes
      */
     Map<QName, Serializable> mapToNodeProperties(Map<String, Object> props);
 
+    /**
+     * Map from a String representation of aspect names to a set
+     * of QName objects, as used by the repository.
+     * 
+     * @param aspectNames
+     * @return
+     */
+    Set<QName> mapToNodeAspects(List<String> aspectNames);
+        
     /**
      * Map from aspects (Set of QName) retrieved from the repository to a
      * map List of String required that can be formatted/expressed as required
      * by the API JSON response for get nodes, get person etc.
+     * <p>
+     * Returns null if there are no aspect names to return, rather than an empty list.
      * 
      * @param nodeAspects
      * @param excludedNS
      * @param excludedAspects
-     * @return
+     * @return The list of aspect names, or null if none to return.
      */
     List<String> mapFromNodeAspects(Set<QName> nodeAspects, List<String> excludedNS, List<QName> excludedAspects);
 

source/java/org/alfresco/rest/api/impl/NodesImpl.java

@@ -1099,7 +1099,7 @@ public class NodesImpl implements Nodes
         return new PathInfo(pathStr, isComplete, pathElements);
     }
 
-    protected Set<QName> mapToNodeAspects(List<String> aspectNames)
+    public Set<QName> mapToNodeAspects(List<String> aspectNames)
     {
         Set<QName> nodeAspects = new HashSet<>(aspectNames.size());
 

source/java/org/alfresco/rest/api/impl/PeopleImpl.java

@@ -82,8 +82,10 @@ public class PeopleImpl implements People
 {
     private static final List<String> EXCLUDED_NS = Arrays.asList(
             NamespaceService.SYSTEM_MODEL_1_0_URI,
-            "http://www.alfresco.org/model/user/1.0");
+            "http://www.alfresco.org/model/user/1.0",
+            NamespaceService.CONTENT_MODEL_1_0_URI);
 	private static final List<QName> EXCLUDED_ASPECTS = Arrays.asList();
+    // TODO: no longer needed? (can be empty)
 	private static final List<QName> EXCLUDED_PROPS = Arrays.asList(
 			ContentModel.PROP_USERNAME,
 			ContentModel.PROP_FIRSTNAME,
@@ -411,8 +413,8 @@ public class PeopleImpl implements People
             // Expose properties
             if (include.contains(PARAM_INCLUDE_PROPERTIES))
             {
-                Map<String, Object> custProps = new HashMap<>();
-                custProps.putAll(nodes.mapFromNodeProperties(nodeProps, new ArrayList<>(), new HashMap<>(), EXCLUDED_NS, EXCLUDED_PROPS));
+                // Note that custProps may be null.
+                Map<String, Object> custProps = nodes.mapFromNodeProperties(nodeProps, new ArrayList<>(), new HashMap<>(), EXCLUDED_NS, EXCLUDED_PROPS);
                 person.setProperties(custProps);
             }
             if (include.contains(PARAM_INCLUDE_ASPECTNAMES))
@@ -529,13 +531,41 @@ public class PeopleImpl implements People
 
 	private void validateCreatePersonData(Person person)
 	{
+        validateNamespaces(person.getAspectNames(), person.getProperties());
 		checkRequiredField("id", person.getUserName());
 		checkRequiredField("firstName", person.getFirstName());
 		checkRequiredField("email", person.getEmail());
 		checkRequiredField("password", person.getPassword());
 	}
-	
-	private void checkRequiredField(String fieldName, Object fieldValue)
+
+    private void validateNamespaces(List<String> aspectNames, Map<String, Object> properties)
+    {
+        if (aspectNames != null)
+        {
+            Set<QName> aspects = nodes.mapToNodeAspects(aspectNames);
+            aspects.forEach(aspect ->
+            {
+                if (EXCLUDED_NS.contains(aspect.getNamespaceURI()))
+                {
+                    throw new IllegalArgumentException("Namespace cannot be used by People API: "+aspect.toPrefixString());
+                }
+            });
+        }
+        
+        if (properties != null)
+        {
+            Map<QName, Serializable> nodeProps = nodes.mapToNodeProperties(properties);
+            nodeProps.keySet().forEach(qname ->
+            {
+                if (EXCLUDED_NS.contains(qname.getNamespaceURI()))
+                {
+                    throw new IllegalArgumentException("Namespace cannot be used by People API: "+qname.toPrefixString());
+                }
+            });
+        }
+    }
+
+    private void checkRequiredField(String fieldName, Object fieldValue)
 	{
 		if (fieldValue == null)
 		{
@@ -616,6 +646,8 @@ public class PeopleImpl implements People
 
     private void validateUpdatePersonData(Person person)
     {
+        validateNamespaces(person.getAspectNames(), person.getProperties());
+        
         if (person.wasSet(ContentModel.PROP_FIRSTNAME))
         {
             checkRequiredField("firstName", person.getFirstName());