From e82595fb8e18b3ba2708bda403b1beebc987409e Mon Sep 17 00:00:00 2001
From: Alan Davis
Date: Fri, 3 Jun 2016 14:03:50 +0000
Subject: [PATCH] Merged HEAD (5.2) to 5.2.N (5.2.1) 127557 jkaabimofrad: Merged API-STRIKES-BACK (5.2.0) to HEAD (5.2) 125609 jvonka: RA-952: If relative path cannot be resolved due to a permissionn error, return 404 (rather than 403) - when listing children or getting node info
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@127651 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 source/java/org/alfresco/rest/api/impl/NodesImpl.java | 5 +++++
 .../org/alfresco/rest/api/tests/NodeApiTest.java | 8 ++++----
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/source/java/org/alfresco/rest/api/impl/NodesImpl.java b/source/java/org/alfresco/rest/api/impl/NodesImpl.java
index 5e7f67a152..61d144704c 100644
--- a/source/java/org/alfresco/rest/api/impl/NodesImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/NodesImpl.java
@@ -692,6 +692,11 @@ public class NodesImpl implements Nodes
 // convert checked exception
 throw new NotFoundException("The entity with relativePath: " + path + " was not found.");
 }
+ catch (AccessDeniedException ade)
+ {
+ // return 404 instead of 403 (as per security review - uuid vs path)
+ throw new NotFoundException("The entity with relativePath: " + path + " was not found.");
+ }
 return fileInfo.getNodeRef();
 }
diff --git a/source/test-java/org/alfresco/rest/api/tests/NodeApiTest.java b/source/test-java/org/alfresco/rest/api/tests/NodeApiTest.java
index 3955cb6b61..a09eb097df 100644
--- a/source/test-java/org/alfresco/rest/api/tests/NodeApiTest.java
+++ b/source/test-java/org/alfresco/rest/api/tests/NodeApiTest.java
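Review bot: The new catch block discards `ade` entirely, so mapping 403 to 404 also removes the only signal an operator has that a permission check failed during path resolution; worth keeping a debug-level log with the cause before throwing, e.g. `logger.debug("Access denied resolving relativePath " + path + " - reported as not found", ade);` using whatever logger field NodesImpl already declares (the name here is a placeholder). The comment `// return 404 instead of 403 (as per security review - uuid vs path)` records the decision but not the reason; I would extend it to `// 404 rather than 403: a path probe must not reveal that a node exists when the caller cannot read it`. The message is deliberately identical to the not-found branch above it, so pulling both into one local or constant keeps them from diverging later, since any difference in the response would undo the point of the change. The diffstat shows only these five insertions and no import change, so `AccessDeniedException` must already be resolved in this file; confirm it is the repository permission exception rather than `java.nio.file.AccessDeniedException`. The enclosing try block begins outside the hunk, so any other access-denied failure raised inside it is now also reported as 404.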
@@ -536,9 +536,9 @@ public class NodeApiTest extends AbstractBaseApiTest
 params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, "User Homes/" + user1 + "/unknown");
 getAll(rootChildrenUrl, user1, paging, params, 404);
- // -ve test - try to list children using relative path to node for which user does not have read permission
+ // -ve test - try to list children using relative path to node for which user does not have read permission (expect 404 instead of 403)
 params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, "User Homes/" + user2);
- getAll(rootChildrenUrl, user1, paging, params, 403);
+ getAll(rootChildrenUrl, user1, paging, params, 404);
 // -ve test - try to list children using relative path to node that is of wrong type (ie. not a folder/container)
 params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, folder1 + "/" + contentF1);
@@ -756,9 +756,9 @@ public class NodeApiTest extends AbstractBaseApiTest
 params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, folderA+"/unknown");
 getSingle(NodesEntityResource.class, user1, Nodes.PATH_MY, params, 404);
- // -ve test - try to get node info using relative path to node for which user does not have read permission
+ // -ve test - try to get node info using relative path to node for which user does not have read permission (expect 404 instead of 403)
 params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, "User Homes/"+user2);
- getSingle(NodesEntityResource.class, user1, Nodes.PATH_ROOT, params, 403);
+ getSingle(NodesEntityResource.class, user1, Nodes.PATH_ROOT, params, 404);
 // -ve test - attempt to get node info for non-folder node with relative path should return 400
 params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, "/unknown");
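Review bot: Both hunks (this one and the -756 hunk that follows) now assert 404 for a relative path into `user2`'s home, but neither checks that the same node fetched by its node id still returns 403 for `user1`, which is the distinction the "uuid vs path" rationale in NodesImpl depends on; without an assertion the two behaviours could later converge unnoticed. If such a check does not already exist elsewhere in NodeApiTest, adding one next to the relative-path assertion, along the lines of `getSingle(NodesEntityResource.class, user1, user2HomeNodeId, null, 403);` (constructed sketch; the node-id variable and the params argument need to match the helper's actual contract), would pin it. The comment text `(expect 404 instead of 403)` records what changed rather than why; `(404 not 403: a path probe must not reveal existence)` would tell a future reader why the status must not drift back. The enclosing test methods start and end outside these hunks.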