Merged FILE-FOLDER-API (5.2.0) to HEAD (5.2)

123902 jvonka: RA-750: Shared links API - get limited share link info (no auth required) - additional changes, as per updated A/Cs git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@126545 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-14 17:58:59 +00:00 · 2016-05-10 11:25:32 +00:00
parent f79e7be94d
commit f752a61061
2 changed files with 22 additions and 20 deletions
--- a/source/java/org/alfresco/rest/api/impl/QuickShareLinksImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/QuickShareLinksImpl.java
@@ -176,13 +176,12 @@ public class QuickShareLinksImpl implements QuickShareLinks, InitializingBean
            Pair<String, NodeRef> pair = quickShareService.getTenantNodeRefFromSharedId(sharedId);
            String networkTenantDomain = pair.getFirst();

-            final boolean noAuth = (AuthenticationUtil.getRunAsUser() == null);
-
            return TenantUtil.runAsSystemTenant(new TenantUtil.TenantRunAsWork<QuickShareLink>()
            {
                public QuickShareLink doWork() throws Exception
                {
-                    return getQuickShareInfo(sharedId, noAuth, parameters.getInclude());
+                    // note: assume noAuth here (rather than rely on getRunAsUser which will be null in non-MT)
+                    return getQuickShareInfo(sharedId, true, parameters.getInclude());
                }
            }, networkTenantDomain);
        }
@@ -305,8 +304,6 @@ public class QuickShareLinksImpl implements QuickShareLinks, InitializingBean

        List<QuickShareLink> result = new ArrayList<>(nodeIds.size());

-        boolean noAuth = (AuthenticationUtil.getRunAsUser() == null);
-
        List<String> includeParam = parameters.getInclude();

        for (QuickShareLink qs : nodeIds)
@@ -334,7 +331,7 @@ public class QuickShareLinksImpl implements QuickShareLinks, InitializingBean
                try
                {
                    QuickShareDTO qsDto = quickShareService.shareContent(nodeRef);
-                    result.add(getQuickShareInfo(qsDto.getId(), noAuth, includeParam));
+                    result.add(getQuickShareInfo(qsDto.getId(), false, includeParam));
                }
                catch (InvalidNodeRefException inre)
                {
@@ -486,7 +483,7 @@ public class QuickShareLinksImpl implements QuickShareLinks, InitializingBean

            Map<String, UserInfo> mapUserInfo = new HashMap<>(2);

-            // note: if not authenticated then we do not currently return userids (to be consistent with v0 internal - limited disclosure)
+            // note: if noAuth mode then don't return userids (to limit disclosure and be consistent with v0 internal)
            boolean displayNameOnly = noAuth;

            UserInfo modifiedByUser = Node.lookupUserInfo((String)nodeProps.get(ContentModel.PROP_MODIFIER), mapUserInfo, personService, displayNameOnly);
@@ -495,13 +492,14 @@ public class QuickShareLinksImpl implements QuickShareLinks, InitializingBean
            String sharedByUserId = (String)nodeProps.get(QuickShareModel.PROP_QSHARE_SHAREDBY);
            UserInfo sharedByUser = Node.lookupUserInfo(sharedByUserId, mapUserInfo, personService, displayNameOnly);

-            QuickShareLink qs = new QuickShareLink(sharedId, (noAuth ? null : nodeRef.getId()));
+            QuickShareLink qs = new QuickShareLink(sharedId, nodeRef.getId());
            qs.setName((String) map.get("name"));
            qs.setContent(contentInfo);
            qs.setModifiedAt((Date) map.get("modified"));
            qs.setModifiedByUser(modifiedByUser);
            qs.setSharedByUser(sharedByUser);

+            // note: if noAuth mode then do not return allowable operations (eg. but can be optionally returned when finding shared links)
            if ((! noAuth) && includeParam.contains(PARAM_INCLUDE_ALLOWABLEOPERATIONS))
            {
                if (canDeleteSharedLink(nodeRef, sharedByUserId))
--- a/source/test-java/org/alfresco/rest/api/tests/SharedLinkApiTest.java
+++ b/source/test-java/org/alfresco/rest/api/tests/SharedLinkApiTest.java
@@ -208,7 +208,9 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
        String shared2Id = resp.getId();


-        // auth access to get shared link info - as user1
+        // currently passing auth should make no difference (irrespective of MT vs non-MY enb)
+
+        // access to get shared link info - pass user1 (but ignore in non-MT)
        Map<String, String> params = Collections.singletonMap("include", "allowableOperations");
        response = getSingle(QuickShareLinkEntityResource.class, user1, shared1Id, params, 200);
        resp = RestApiUtil.parseRestApiEntry(response.getJsonResponse(), QuickShareLink.class);
@@ -216,13 +218,14 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
        assertEquals(shared1Id, resp.getId());
        assertEquals(fileName1, resp.getName());
        assertEquals(d1Id, resp.getNodeId());
+        assertNull(resp.getAllowableOperations()); // include is ignored

-        assertEquals(user1, resp.getModifiedByUser().getId()); // returned if authenticated
-        assertEquals(user2, resp.getSharedByUser().getId()); // returned if authenticated
+        assertNull(resp.getModifiedByUser().getId()); // userId not returned
+        assertEquals(user1+" "+user1, resp.getModifiedByUser().getDisplayName());
+        assertNull(resp.getSharedByUser().getId()); // userId not returned
+        assertEquals(user2+" "+user2, resp.getSharedByUser().getDisplayName());

-        assertNull(resp.getAllowableOperations());
-
-        // auth access to get shared link info - as user2
+        // access to get shared link info - pass user2 (but ignore in non-MT)
        params = Collections.singletonMap("include", "allowableOperations");
        response = getSingle(QuickShareLinkEntityResource.class, user2, shared1Id, params, 200);
        resp = RestApiUtil.parseRestApiEntry(response.getJsonResponse(), QuickShareLink.class);
@@ -230,14 +233,15 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
        assertEquals(shared1Id, resp.getId());
        assertEquals(fileName1, resp.getName());
        assertEquals(d1Id, resp.getNodeId());
+        assertNull(resp.getAllowableOperations()); // include is ignored

-        assertEquals(user1, resp.getModifiedByUser().getId()); // returned if authenticated
-        assertEquals(user2, resp.getSharedByUser().getId()); // returned if authenticated
+        assertNull(resp.getModifiedByUser().getId()); // userId not returned
+        assertEquals(user1+" "+user1, resp.getModifiedByUser().getDisplayName());
+        assertNull(resp.getSharedByUser().getId()); // userId not returned
+        assertEquals(user2+" "+user2, resp.getSharedByUser().getDisplayName());

-        assertEquals(1, resp.getAllowableOperations().size());
-        assertEquals("delete", resp.getAllowableOperations().get(0));

-        // allowable operations not included
+        // allowable operations not included - no params
        response = getSingle(QuickShareLinkEntityResource.class, user2, shared1Id, null, 200);
        resp = RestApiUtil.parseRestApiEntry(response.getJsonResponse(), QuickShareLink.class);
        assertNull(resp.getAllowableOperations());
@@ -250,7 +254,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest

        assertEquals(shared1Id, resp.getId());
        assertEquals(fileName1, resp.getName());
-        assertNull(resp.getNodeId()); // nodeId not returned
+        assertEquals(d1Id, resp.getNodeId());
        assertNull(resp.getAllowableOperations()); // include is ignored

        assertNull(resp.getModifiedByUser().getId()); // userId not returned