Merged HEAD-BUG-FIX (5.0/Cloud) to HEAD (4.3/Cloud)

71600: Merged V4.2-BUG-FIX (4.2.3) to HEAD-BUG-FIX (4.3/Cloud) 70349: Merged DEV to V4.2-BUG-FIX (4.2.3) 70294 : MNT-10946 : Admin is no longer able to unlock files - Check if node is locked before unlock for non-admin or System users. Fix related test git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@74694 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2014-06-25 15:30:54 +00:00
parent 6ab8f45601
commit f7534027fb
5 changed files with 104 additions and 4 deletions
--- a/config/alfresco/core-services-context.xml
+++ b/config/alfresco/core-services-context.xml
@@ -532,6 +532,7 @@
        <property name="searchService" ref="admSearchService" />
        <property name="behaviourFilter" ref="policyBehaviourFilter" />
        <property name="nodeIndexer" ref="nodeIndexer"/>      
+        <property name="authorityService" ref="authorityService"/>
    </bean>

    <!--                               -->
--- a/source/java/org/alfresco/repo/lock/LockServiceImpl.java
+++ b/source/java/org/alfresco/repo/lock/LockServiceImpl.java
@@ -66,6 +66,8 @@ import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.search.ResultSet;
 import org.alfresco.service.cmr.search.SearchService;
 import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.AuthorityService;
+import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.util.Pair;
 import org.alfresco.util.PropertyCheck;
@@ -94,6 +96,7 @@ public class LockServiceImpl implements LockService,
    private TenantService tenantService;
    private AuthenticationService authenticationService;
    private SearchService searchService;
+    private AuthorityService authorityService;
    private BehaviourFilter behaviourFilter;
    private LockStore lockStore;
    private PolicyComponent policyComponent;
@@ -139,6 +142,11 @@ public class LockServiceImpl implements LockService,
        this.searchService = searchService;
    }

+    public void setAuthorityService(AuthorityService authorityService) 
+    {
+        this.authorityService = authorityService;
+    }
+
    /**
     * Initialise methods called by Spring framework
     */
@@ -150,6 +158,7 @@ public class LockServiceImpl implements LockService,
        PropertyCheck.mandatory(this, "searchService",  searchService);
        PropertyCheck.mandatory(this, "behaviourFilter",  behaviourFilter);
        PropertyCheck.mandatory(this, "policyComponent",  policyComponent);
+        PropertyCheck.mandatory(this, "authorityService",  authorityService);
        
        // Register the policies
        beforeLock = policyComponent.registerClassPolicy(LockServicePolicies.BeforeLock.class);
@@ -478,6 +487,8 @@ public class LockServiceImpl implements LockService,
            {
            	throw new UnableToReleaseLockException(nodeRef, CAUSE.CHECKED_OUT);
            }
+            // check if the user able to unlock the node
+            checkNodeBeforeUnlock(nodeRef);

            // Remove the lock from persistent storage.
            Lifetime lifetime = lockState.getLifetime();
@@ -503,8 +514,8 @@ public class LockServiceImpl implements LockService,
            }
            else if (lifetime == Lifetime.EPHEMERAL)
            {
-                // Remove the ephemeral lock.
-                lockStore.set(nodeRef, LockState.createUnlocked(nodeRef));
+                // force unlock the ephemeral lock.
+                lockStore.forceUnlock(nodeRef);
                nodeIndexer.indexUpdateNode(nodeRef);
            }
            else
@@ -656,6 +667,39 @@ public class LockServiceImpl implements LockService,
            }
        }
    }
+    
+    private void checkNodeBeforeUnlock(NodeRef nodeRef)
+    {
+        String userName = getUserName();
+        Set<String> userAuthorities = authorityService.getAuthoritiesForUser(userName);
+        // ignore check for admins and system
+        if (userAuthorities.contains(PermissionService.ADMINISTRATOR_AUTHORITY) ||
+            tenantService.getBaseNameUser(userName).equals(AuthenticationUtil.getSystemUserName()))
+        {
+            return;
+        }
+        
+        nodeRef = tenantService.getName(nodeRef);
+        
+        // Ensure we have found a node reference
+        if (nodeRef != null && userName != null)
+        {
+            try
+            {
+                // Get the current lock status on the node ref
+                LockStatus currentLockStatus = getLockStatus(nodeRef, userName);
+                
+                if (LockStatus.LOCKED.equals(currentLockStatus) == true)
+                {
+                    throw new UnableToReleaseLockException(nodeRef);
+                }
+            }
+            catch (AspectMissingException exception)
+            {
+                // Ignore since this indicates that the node does not have the lock aspect applied
+            }
+        }
+    }

    /**
     * Ensures that the parent is not locked.
--- a/source/java/org/alfresco/repo/lock/mem/AbstractLockStore.java
+++ b/source/java/org/alfresco/repo/lock/mem/AbstractLockStore.java
@@ -67,9 +67,20 @@ public abstract class AbstractLockStore<T extends ConcurrentMap<NodeRef, LockSta
        }
        return lockState;
    }
+    
+    @Override
+    public void forceUnlock(NodeRef nodeRef)
+    {
+        set(nodeRef, LockState.createUnlocked(nodeRef), true);
+    }

    @Override
    public void set(NodeRef nodeRef, LockState lockState)
+    {
+        set(nodeRef, lockState, false);
+    }
+    
+    private void set(NodeRef nodeRef, LockState lockState, boolean ignoreOwnerCheck)
    {
        Map<NodeRef, LockState> txMap = getTxMap();
        LockState previousLockState = null;
@@ -102,7 +113,7 @@ public abstract class AbstractLockStore<T extends ConcurrentMap<NodeRef, LockSta
            String userName = AuthenticationUtil.getFullyAuthenticatedUser();
            String owner = previousLockState.getOwner();
            Date expires = previousLockState.getExpires();
-            if (LockUtils.lockStatus(userName, owner, expires) == LockStatus.LOCKED)
+            if (!ignoreOwnerCheck && LockUtils.lockStatus(userName, owner, expires) == LockStatus.LOCKED)
            {
                throw new UnableToAquireLockException(nodeRef);
            }            
--- a/source/java/org/alfresco/repo/lock/mem/LockStore.java
+++ b/source/java/org/alfresco/repo/lock/mem/LockStore.java
@@ -35,6 +35,13 @@ public interface LockStore
    void set(NodeRef nodeRef, LockState lockState);
    public Set<NodeRef> getNodes();
    
+    /**
+     * WARNING: only use in lockService - unlocks node ignoring lockOwner
+     * 
+     * @param nodeRef
+     */
+    void forceUnlock(NodeRef nodeRef);
+    
    /**
     * WARNING: only use in test code - unsafe method for production use.
     * 
--- a/source/test-java/org/alfresco/repo/lock/LockServiceImplTest.java
+++ b/source/test-java/org/alfresco/repo/lock/LockServiceImplTest.java
@@ -33,6 +33,7 @@ import org.alfresco.repo.lock.mem.LockStore;
 import org.alfresco.repo.search.IndexerAndSearcher;
 import org.alfresco.repo.search.SearcherComponent;
 import org.alfresco.repo.security.authentication.AuthenticationComponent;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.service.cmr.coci.CheckOutCheckInService;
 import org.alfresco.service.cmr.lock.LockService;
 import org.alfresco.service.cmr.lock.LockStatus;
@@ -903,5 +904,41 @@ public class LockServiceImplTest extends BaseSpringTest
            logger.debug("exception while trying to unlock a checked out node", e);
        }
    }
-
+    
+    public void testUnlockEphemeralNodeWithAdminUser()
+    {
+        for (Lifetime lt : new Lifetime[]{Lifetime.EPHEMERAL, Lifetime.PERSISTENT})
+        {
+            TestWithUserUtils.authenticateUser(GOOD_USER_NAME, PWD, rootNodeRef, this.authenticationService);
+        
+            /* create node */
+            final NodeRef testNode = 
+                this.nodeService.createNode(parentNode, ContentModel.ASSOC_CONTAINS, QName.createQName("{}testNode"), ContentModel.TYPE_CONTAINER).getChildRef();
+        
+            // lock it as GOOD user
+            this.lockService.lock(testNode, LockType.WRITE_LOCK, 2 * 86400, lt, null);
+        
+            TestWithUserUtils.authenticateUser(BAD_USER_NAME, PWD, rootNodeRef, this.authenticationService);
+        
+            try
+            {
+                // try to unlock as bad user
+                this.lockService.unlock(testNode);
+                fail("BAD user shouldn't be able to unlock " + lt + " lock");
+            }
+            catch(UnableToReleaseLockException e)
+            {
+                // it's expected
+            }
+        
+            TestWithUserUtils.authenticateUser(AuthenticationUtil.getAdminUserName(), "admin", rootNodeRef, this.authenticationService);
+        
+            // try to unlock as ADMIN user
+            this.lockService.unlock(testNode);
+        
+            TestWithUserUtils.authenticateUser(GOOD_USER_NAME, PWD, rootNodeRef, this.authenticationService);
+        
+            this.nodeService.deleteNode(testNode);
+        }
+    }
 }