REPO-1709: V1 REST API - fix download content (fails unexpectedly with 403)

- introduced by REPO-265 git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@133619 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-14 17:58:59 +00:00 · 2016-12-13 14:47:15 +00:00
parent 1622adeab0
commit f65ce88f03
2 changed files with 77 additions and 4 deletions
--- a/source/java/org/alfresco/rest/api/impl/NodesImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/NodesImpl.java
@@ -1978,7 +1978,7 @@ public class NodesImpl implements Nodes
    }

    /**
-     * Posts activites based on the activity_type.
+     * Posts activities based on the activity_type.
     * If the method is called with aSync=true then a TransactionListener is used post the activity
     * afterCommit.  Otherwise the activity posting is done synchronously.
     * @param activity_type
@@ -2009,9 +2009,19 @@ public class NodesImpl implements Nodes
        }
    }

+    // note: see also org.alfresco.opencmis.ActivityPosterImpl
    protected ActivityInfo getActivityInfo(NodeRef parentNodeRef, NodeRef nodeRef)
    {
-        SiteInfo siteInfo = siteService.getSite(nodeRef);
+        // runAs system, eg. user may not have permission see one or more parents (irrespective of whether in a site context of not)
+        SiteInfo siteInfo = AuthenticationUtil.runAs(new RunAsWork<SiteInfo>()
+        {
+            @Override
+            public SiteInfo doWork() throws Exception
+            {
+                return siteService.getSite(nodeRef);
+            }
+        }, AuthenticationUtil.getSystemUserName());
+
        String siteId = (siteInfo != null ? siteInfo.getShortName() : null);
        if(siteId != null && !siteId.equals(""))
        {
--- a/source/test-java/org/alfresco/rest/api/tests/NodeApiTest.java
+++ b/source/test-java/org/alfresco/rest/api/tests/NodeApiTest.java
@@ -3481,6 +3481,69 @@ public class NodeApiTest extends AbstractSingleNetworkSiteTest
        getSingle(getNodeContentUrl(contentNodeId), null, null, headers, 304);
    }

+    /**
+     * Tests download of file/content - basic read permission
+     * <p>GET:</p>
+     * {@literal <host>:<port>/alfresco/api/-default-/public/alfresco/versions/1/nodes/<nodeId>/content}
+     */
+    @Test
+    public void testDownloadFileContentReadPermission() throws Exception
+    {
+        setRequestContext(user1);
+
+        String fileName = "quick-1.txt";
+        File file = getResourceFile(fileName);
+
+        MultiPartBuilder multiPartBuilder = MultiPartBuilder.create()
+                .setFileData(new FileData(fileName, file));
+        MultiPartRequest reqBody = multiPartBuilder.build();
+
+        // Upload text content
+        HttpResponse response = post(getNodeChildrenUrl(Nodes.PATH_MY), reqBody.getBody(), null, reqBody.getContentType(), 201);
+        Document document = RestApiUtil.parseRestApiEntry(response.getJsonResponse(), Document.class);
+        String contentNodeId = document.getId();
+
+        // Download text content
+        response = getSingle(NodesEntityResource.class, contentNodeId+"/content", null, 200);
+        String textContent = response.getResponse();
+        assertEquals("The quick brown fox jumps over the lazy dog", textContent);
+
+        // Also test versions endpoint (1.0 in this case)
+        response = getSingle(NodesEntityResource.class, contentNodeId+"/versions/1.0/content", null, 200);
+        textContent = response.getResponse();
+        assertEquals("The quick brown fox jumps over the lazy dog", textContent);
+
+        // -ve test: user2 does not have read permission
+        setRequestContext(user2);
+        getSingle(NodesEntityResource.class, contentNodeId+"/content", null, 403);
+        getSingle(NodesEntityResource.class, contentNodeId+"/versions/1.0/content", null, 403);
+
+        // add Consumer (~ Read) permission
+        setRequestContext(user1);
+
+        Document dUpdate = new Document();
+        NodePermissions nodePermissions = new NodePermissions();
+        List<NodePermissions.NodePermission> locallySetPermissions = new ArrayList<>();
+        locallySetPermissions.add(new NodePermissions.NodePermission(user2, PermissionService.CONSUMER, AccessStatus.ALLOWED.toString()));
+        nodePermissions.setLocallySet(locallySetPermissions);
+        dUpdate.setPermissions(nodePermissions);
+
+        // update node
+        response = put(URL_NODES, contentNodeId, toJsonAsStringNonNull(dUpdate), null, 200);
+
+        setRequestContext(user2);
+
+        // Download text content
+        response = getSingle(NodesEntityResource.class, contentNodeId+"/content", null, 200);
+        textContent = response.getResponse();
+        assertEquals("The quick brown fox jumps over the lazy dog", textContent);
+
+        // Also test versions endpoint (1.0 in this case)
+        response = getSingle(NodesEntityResource.class, contentNodeId+"/versions/1.0/content", null, 200);
+        textContent = response.getResponse();
+        assertEquals("The quick brown fox jumps over the lazy dog", textContent);
+    }
+
    /**
     * Tests optional lookup of Allowable Operations (eg. when getting node info, listing node children, ...)
     *