Merged FILE-FOLDER-API (5.2.0) to HEAD (5.2)

122626 jvonka: Nodes (FileFolder) API - add "permanent" option to delete node (to optionally bypass archive/trashcan) - follow-on such that user cannot delete permanently (even with delete permission) unless they're owner or admin of node (for hierarchy, only checks parent folder node) RA-837, RA-642 git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@126486 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-14 17:58:59 +00:00 · 2016-05-10 11:10:24 +00:00
parent 63b7a24c69
commit f470bf8efa
3 changed files with 97 additions and 28 deletions
--- a/source/java/org/alfresco/rest/api/impl/NodesImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/NodesImpl.java
@@ -42,6 +42,7 @@ import org.alfresco.repo.content.ContentLimitViolationException;
 import org.alfresco.repo.model.Repository;
 import org.alfresco.repo.model.filefolder.FileFolderServiceImpl;
 import org.alfresco.repo.node.getchildren.GetChildrenCannedQuery;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.security.permissions.AccessDeniedException;
 import org.alfresco.rest.antlr.WhereClauseParser;
 import org.alfresco.rest.api.Nodes;
@@ -97,6 +98,8 @@ import org.alfresco.service.cmr.repository.Path;
 import org.alfresco.service.cmr.repository.Path.Element;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.AuthorityService;
+import org.alfresco.service.cmr.security.OwnableService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.cmr.usage.ContentQuotaException;
@@ -154,6 +157,8 @@ public class NodesImpl implements Nodes
    private ActionService actionService;
    private VersionService versionService;
    private PersonService personService;
+    private OwnableService ownableService;
+    private AuthorityService authorityService;

    // note: circular - Nodes/QuickShareLinks currently use each other (albeit for different methods)
    private QuickShareLinks quickShareLinks;
@@ -184,6 +189,8 @@ public class NodesImpl implements Nodes
        this.actionService = sr.getActionService();
        this.versionService = sr.getVersionService();
        this.personService = sr.getPersonService();
+        this.ownableService = sr.getOwnableService();
+        this.authorityService = sr.getAuthorityService();

        if (defaultIgnoreTypesAndAspects != null)
        {
@@ -1137,6 +1144,17 @@ public class NodesImpl implements Nodes

        if (permanentDelete == true)
        {
+            boolean isAdmin = authorityService.hasAdminAuthority();
+            if (! isAdmin)
+            {
+                String owner = ownableService.getOwner(nodeRef);
+                if (! AuthenticationUtil.getRunAsUser().equals(owner))
+                {
+                    // non-owner/non-admin cannot permanently delete (even if they have delete permission)
+                    throw new PermissionDeniedException("Non-owner/non-admin cannot permanently delete: " + nodeId);
+                }
+            }
+
            // Set as temporary to delete node instead of archiving.
            nodeService.addAspect(nodeRef, ContentModel.ASPECT_TEMPORARY, null);
        }