RM-2123 Give clearance to the admin and system users.

Make sure this is executed as a patch and also bootstrapped into a clean system using the BootstrapImporterModuleComponent. Also restrict access to the classification levels (via the get API) to only the levels that the user has clearance to. +review RM git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@104376 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-07-31 17:39:05 +00:00 · 2015-05-18 15:03:59 +00:00
parent 24780dc472
commit f03e36ee91
12 changed files with 286 additions and 44 deletions
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/bootstrap/BootstrapImporterModuleComponent.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/bootstrap/BootstrapImporterModuleComponent.java
@@ -40,9 +40,11 @@ public class BootstrapImporterModuleComponent extends ImporterModuleComponent

    /** module patch executer */
    private ModulePatchExecuter modulePatchExecuter;
-    
+
    /** record contributors group bootstrap component */
    private RecordContributorsGroupBootstrapComponent recordContributorsGroupBootstrapComponent;
+    /** Clearances for special users bootstrap component. */
+    private ClearancesForSpecialUsersBootstrapComponent clearancesForSpecialUsersBootstrapComponent;

    /**
     * @param nodeService   node service
@@ -57,8 +59,8 @@ public class BootstrapImporterModuleComponent extends ImporterModuleComponent
     */
    public void setModulePatchExecuter(ModulePatchExecuter modulePatchExecuter)
    {
-		this.modulePatchExecuter = modulePatchExecuter;
-	}
+        this.modulePatchExecuter = modulePatchExecuter;
+    }

    /**
     * @param recordContributorsGroupBootstrapComponent record contributors group bootstrap component
@@ -67,7 +69,16 @@ public class BootstrapImporterModuleComponent extends ImporterModuleComponent
    {
        this.recordContributorsGroupBootstrapComponent = recordContributorsGroupBootstrapComponent;
    }
-    
+
+    /**
+     * @param clearancesForSpecialUsersBootstrapComponent The bootstrap component that give the admin and system users
+     *            the maximum clearance.
+     */
+    public void setClearancesForSpecialUsersBootstrapComponent(ClearancesForSpecialUsersBootstrapComponent clearancesForSpecialUsersBootstrapComponent)
+    {
+        this.clearancesForSpecialUsersBootstrapComponent = clearancesForSpecialUsersBootstrapComponent;
+    }
+
    /**
     * Need to check whether this module has already been executed.
     *
@@ -80,9 +91,10 @@ public class BootstrapImporterModuleComponent extends ImporterModuleComponent
        if (!nodeService.exists(nodeRef))
        {
            super.executeInternal();
-            
-            // bootstrap the record contributors group
+
+            // Bootstrap creation of initial data.
            recordContributorsGroupBootstrapComponent.createRecordContributorsGroup();
+            clearancesForSpecialUsersBootstrapComponent.createClearancesForSpecialUsers();

            // init module schema number
            modulePatchExecuter.initSchemaVersion();
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/bootstrap/ClearancesForSpecialUsersBootstrapComponent.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/bootstrap/ClearancesForSpecialUsersBootstrapComponent.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.module.org_alfresco_module_rm.bootstrap;
+
+import java.io.Serializable;
+
+import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceBootstrap;
+import org.alfresco.module.org_alfresco_module_rm.classification.model.ClassifiedContentModel;
+import org.alfresco.module.org_alfresco_module_rm.patch.v30.RMv30ClearancesForSpecialUsers;
+import org.alfresco.module.org_alfresco_module_rm.util.AuthenticationUtil;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.repository.NodeService;
+import org.alfresco.service.cmr.security.PersonService;
+
+/**
+ * Provide the highest clearance to the admin and system users. This needs to be run once (either bootstrapped into a
+ * fresh system, or as part of an upgrade in {@link RMv30ClearancesForSpecialUsers}) per installation.
+ *
+ * @author tpage
+ */
+public class ClearancesForSpecialUsersBootstrapComponent implements ClassifiedContentModel
+{
+    private AuthenticationUtil authenticationUtil;
+    private NodeService nodeService;
+    private PersonService personService;
+    private ClassificationServiceBootstrap classificationServiceBootstrap;
+
+    public void setAuthenticationUtil(AuthenticationUtil authenticationUtil) { this.authenticationUtil = authenticationUtil; }
+    public void setNodeService(NodeService nodeService) { this.nodeService = nodeService; }
+    public void setPersonService(PersonService personService) { this.personService = personService; }
+    public void setClassificationServiceBootstrap(ClassificationServiceBootstrap classificationServiceBootstrap) { this.classificationServiceBootstrap = classificationServiceBootstrap; }
+
+    /**
+     * Give the admin and system users the maximum clearance.
+     */
+    public void createClearancesForSpecialUsers()
+    {
+        // Ensure the classification levels are loaded before this patch runs. (Nb. This will result in the
+        // classification service bootstrap method being called twice on the start-up that includes this call).
+        classificationServiceBootstrap.onBootstrap(null);
+
+        Serializable mostSecureLevel = classificationServiceBootstrap.getClassificationLevelManager()
+                    .getMostSecureLevel().getId();
+        String systemUserName = authenticationUtil.getSystemUserName();
+        NodeRef system = personService.getPerson(systemUserName);
+        nodeService.setProperty(system, PROP_CLEARANCE_LEVEL, mostSecureLevel);
+        String adminUserName = authenticationUtil.getAdminUserName();
+        NodeRef admin = personService.getPerson(adminUserName);
+        nodeService.setProperty(admin, PROP_CLEARANCE_LEVEL, mostSecureLevel);
+    }
+}
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ClassificationService.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ClassificationService.java
@@ -34,7 +34,8 @@ import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationS
 public interface ClassificationService
 {
    /**
-     * Returns an immutable list of the defined classification levels.
+     * Returns an immutable list of the defined classification levels visible to the current user.
+     *
     * @return classification levels in descending order from highest to lowest
     *         (where fewer users have access to the highest classification levels
     *         and therefore access to the most restricted documents).
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ClassificationServiceImpl.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/ClassificationServiceImpl.java
@@ -40,13 +40,12 @@ public class ClassificationServiceImpl extends ServiceBaseImpl
    private ClassificationLevelManager levelManager;
    /** The classification reasons currently configured in this server. */
    private ClassificationReasonManager reasonManager;
+    private SecurityClearanceService securityClearanceService;
    private ClassificationServiceBootstrap classificationServiceBootstrap;

    public void setNodeService(NodeService service) { this.nodeService = service; }
-    public void setClassificationServiceBootstrap(ClassificationServiceBootstrap classificationServiceBootstrap)
-    {
-        this.classificationServiceBootstrap = classificationServiceBootstrap;
-    }
+    public void setSecurityClearanceService(SecurityClearanceService securityClearanceService) { this.securityClearanceService = securityClearanceService; }
+    public void setClassificationServiceBootstrap(ClassificationServiceBootstrap classificationServiceBootstrap) { this.classificationServiceBootstrap = classificationServiceBootstrap; }

    /** Store the references to the classification level and reason managers in this class. */
    public void init()
@@ -78,8 +77,8 @@ public class ClassificationServiceImpl extends ServiceBaseImpl
        {
            return Collections.emptyList();
        }
-        // FIXME Currently assume user has highest security clearance, this should be fixed as part of RM-2112.
-        ClassificationLevel usersLevel = levelManager.getMostSecureLevel();
+        SecurityClearance securityClearance = securityClearanceService.getUserSecurityClearance();
+        ClassificationLevel usersLevel = securityClearance.getClearanceLevel().getHighestClassificationLevel();
        return restrictList(levelManager.getClassificationLevels(), usersLevel);
    }

--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/v30/RMv30ClearancesForSpecialUsers.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/v30/RMv30ClearancesForSpecialUsers.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.module.org_alfresco_module_rm.patch.v30;
+
+import org.alfresco.module.org_alfresco_module_rm.bootstrap.ClearancesForSpecialUsersBootstrapComponent;
+import org.alfresco.module.org_alfresco_module_rm.patch.AbstractModulePatch;
+
+/**
+ * Patch to provide the highest clearance to the admin and system users.
+ *
+ * @author tpage
+ */
+public class RMv30ClearancesForSpecialUsers extends AbstractModulePatch
+{
+    private ClearancesForSpecialUsersBootstrapComponent bootstrapComponent;
+
+    public void setBootstrapComponent(ClearancesForSpecialUsersBootstrapComponent bootstrapComponent)
+    {
+        this.bootstrapComponent = bootstrapComponent;
+    }
+
+    /**
+     * Give the admin and system users the maximum clearance.
+     *
+     * @see org.alfresco.module.org_alfresco_module_rm.patch.AbstractModulePatch#applyInternal()
+     */
+    @Override
+    public void applyInternal()
+    {
+        bootstrapComponent.createClearancesForSpecialUsers();
+    }
+}