Merged HEAD (5.2) to 5.2.N (5.2.1)

127557 jkaabimofrad: Merged API-STRIKES-BACK (5.2.0) to HEAD (5.2)
      125609 jvonka: RA-952: If relative path cannot be resolved due to a permission error, return 404 (rather than 403)
      - when listing children or getting node info


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@127651 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Alan Davis
2016-06-03 14:03:50 +00:00
parent 7d4d15bbab
commit e82595fb8e
2 changed files with 9 additions and 4 deletions


@@ -692,6 +692,11 @@ public class NodesImpl implements Nodes
// convert checked exception
throw new NotFoundException("The entity with relativePath: " + path + " was not found.");
}
catch (AccessDeniedException ade)
{
// return 404 instead of 403 (as per security review - uuid vs path)
throw new NotFoundException("The entity with relativePath: " + path + " was not found.");
}
return fileInfo.getNodeRef();
}
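Review bot: The new `catch (AccessDeniedException ade)` discards the exception, so once the client is told 404 nothing on the server side records that a relative-path lookup was refused on permissions; a debug or audit log entry, written with whatever logger this class already uses, would keep repeated path probing visible to operators. The exception should stay out of the `NotFoundException` itself, which a comment can pin down: `// do not chain ade as the cause: the response must not differ from the not-found case`. The message string is now duplicated in two catch blocks and the two must remain identical for the 404 to reveal nothing, so a single local for the message (or a multi-catch, if the first handler's type allows it) would prevent them drifting apart. The `try` and the first `catch` header start outside this hunk, so it is worth confirming that the guarded region covers only path resolution; otherwise unrelated permission failures would also be reported as 404.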


@@ -536,9 +536,9 @@ public class NodeApiTest extends AbstractBaseApiTest
params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, "User Homes/" + user1 + "/unknown");
getAll(rootChildrenUrl, user1, paging, params, 404);
// -ve test - try to list children using relative path to node for which user does not have read permission
// -ve test - try to list children using relative path to node for which user does not have read permission (expect 404 instead of 403)
params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, "User Homes/" + user2);
getAll(rootChildrenUrl, user1, paging, params, 403);
getAll(rootChildrenUrl, user1, paging, params, 404);
// -ve test - try to list children using relative path to node that is of wrong type (ie. not a folder/container)
params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, folder1 + "/" + contentF1);
@@ -756,9 +756,9 @@ public class NodeApiTest extends AbstractBaseApiTest
params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, folderA+"/unknown");
getSingle(NodesEntityResource.class, user1, Nodes.PATH_MY, params, 404);
// -ve test - try to get node info using relative path to node for which user does not have read permission
// -ve test - try to get node info using relative path to node for which user does not have read permission (expect 404 instead of 403)
params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, "User Homes/"+user2);
getSingle(NodesEntityResource.class, user1, Nodes.PATH_ROOT, params, 403);
getSingle(NodesEntityResource.class, user1, Nodes.PATH_ROOT, params, 404);
// -ve test - attempt to get node info for non-folder node with relative path should return 400
params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, "/unknown");