From f7989073a766be674aeedb569b1b4887aa31328d Mon Sep 17 00:00:00 2001
From: Andrei Rebegea
Date: Wed, 14 Jun 2017 16:55:47 +0000
Subject: [PATCH] Merged 5.2.N (5.2.2) to HEAD (5.2)
 133997 mward: REPO-1660: REST API - update person should also accept "-me-"
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@137331 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../alfresco/rest/api/impl/PeopleImpl.java | 37 +++++++++++--------
 .../alfresco/rest/api/tests/TestPeople.java | 23 +++++++++---
 2 files changed, 39 insertions(+), 21 deletions(-)
diff --git a/source/java/org/alfresco/rest/api/impl/PeopleImpl.java b/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
index 79ad549d6b..cc5ab4361d 100644
--- a/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
@@ -157,7 +157,13 @@ public class PeopleImpl implements People
 {
 this.thumbnailService = thumbnailService;
 }
-
+
+ /**
+ * Validate, perform -me- substitution and canonicalize the person ID.
+ *
+ * @param personId
+ * @return The validated and processed ID.
+ */
 public String validatePerson(String personId)
 {
 return validatePerson(personId, false);
@@ -555,10 +561,12 @@ public class PeopleImpl implements People
 public Person update(String personId, final Person person)
 {
- boolean isAdmin = isAdminAuthority();
-
+ // Validate, perform -me- substitution and canonicalize the person ID.
+ personId = validatePerson(personId);
 validateUpdatePersonData(person);
+ boolean isAdmin = isAdminAuthority();
+
 String currentUserId = AuthenticationUtil.getFullyAuthenticatedUser();
 if (!isAdmin && !currentUserId.equalsIgnoreCase(personId))
 {
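Review bot: The `@param personId` tag in the new javadoc on validatePerson has no description, and the summary does not say what the method does when the ID is invalid or refers to no existing person, which is exactly what callers such as update need to know now that it runs first. Suggest `@param personId the person ID, or the "-me-" alias for the currently authenticated user` and one sentence stating the failure behaviour for an unknown or malformed ID (presumably an exception; the hunk does not show the overloaded validatePerson(String, boolean) it delegates to). The body of validatePerson continues past the end of the hunk.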
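Review bot: Moving `personId = validatePerson(personId);` to the top of update places the existence check ahead of the ownership check `if (!isAdmin && !currentUserId.equalsIgnoreCase(personId))`; if validatePerson rejects unknown IDs with a not-found error, a non-admin caller can now distinguish existing from non-existing users by the response they get for an account they are not allowed to update, where previously the ownership check ran first. Since the -me- substitution is needed for the comparison, consider resolving the alias against currentUserId before the ownership check and deferring the existence validation until after it, so that non-admins receive the same denial regardless of whether the target exists. As a point of style, assigning to the parameter hides the original request value from later error messages; a separate local such as `final String resolvedPersonId = validatePerson(personId);` would keep both. The rest of update's body lies outside this hunk.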
@@ -572,6 +580,17 @@ public class PeopleImpl implements People
 // if requested, update password
 updatePassword(isAdmin, personIdToUpdate, person);
+ if (person.isEnabled() != null)
+ {
+ if (isAdminAuthority(personIdToUpdate))
+ {
+ throw new PermissionDeniedException("Admin authority cannot be disabled.");
+ }
+
+ // note: if current user is not an admin then permission denied exception is thrown
+ MutableAuthenticationService mutableAuthenticationService = (MutableAuthenticationService) authenticationService;
+ mutableAuthenticationService.setAuthenticationEnabled(personIdToUpdate, person.isEnabled());
+ }
 NodeRef personNodeRef = personService.getPerson(personIdToUpdate, false);
 if (person.wasSet(Person.PROP_PERSON_DESCRIPTION))
@@ -681,20 +700,8 @@ public class PeopleImpl implements People
 mutableAuthenticationService.setAuthentication(personIdToUpdate, newPassword);
 }
 }
-
- if (person.isEnabled() != null)
- {
- if (isAdminAuthority(personIdToUpdate))
- {
- throw new PermissionDeniedException("Admin authority cannot be disabled.");
- }
-
- mutableAuthenticationService.setAuthenticationEnabled(personIdToUpdate, person.isEnabled());
- }
-
 }
-
 private boolean isAdminAuthority()
 {
 return authorityService.hasAdminAuthority();
diff --git a/source/test-java/org/alfresco/rest/api/tests/TestPeople.java b/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
index 4584285130..dfcd96cc35 100644
--- a/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
+++ b/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
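Review bot: The guard `if (isAdminAuthority(personIdToUpdate))` in the relocated enabled-flag block fires for any non-null value, so a request with `enabled: true` against an admin account is rejected with "Admin authority cannot be disabled." even though nothing is being disabled; `if (Boolean.FALSE.equals(person.isEnabled()) && isAdminAuthority(personIdToUpdate))` matches the message. The cast `(MutableAuthenticationService) authenticationService` is unchecked, so a deployment whose configured service is not mutable would fail here with a ClassCastException rather than a clear error; the removed block at -681 reused an existing `mutableAuthenticationService` variable, and the hunk does not show how that one was obtained, so an `instanceof` check with a descriptive exception would be safer. The authorization decision for non-admins is delegated to the service and recorded only in the "note:" comment, while `isAdmin` is already in scope on the `updatePassword(isAdmin, ...)` line; an explicit `if (!isAdmin) { throw new PermissionDeniedException(...); }` before the cast would make the check local, visible and independent of the service's behaviour. The enclosing update method starts and ends outside this hunk.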
@@ -979,17 +979,28 @@ public class TestPeople extends EnterpriseTestApi
 final String personId = account1PersonIt.next();
 publicApiClient.setRequestContext(new RequestContext(account1.getId(), personId));
- Person updatedPerson = people.update(personId, qjson("{ `firstName`: `Updated firstName` }"), 200);
- assertEquals("Updated firstName", updatedPerson.getFirstName());
+ // Explicitly using the person's ID
+ {
+ Person updatedPerson = people.update(personId, qjson("{ `firstName`: `Matt` }"), 200);
+ assertEquals("Matt", updatedPerson.getFirstName());
+ }
+
+ // "-me-" user
+ {
+ Person updatedPerson = people.update("-me-", qjson("{ `firstName`: `John` }"), 200);
+ assertEquals("John", updatedPerson.getFirstName());
+ }
 // TODO: temp fix, set back to orig firstName
 publicApiClient.setRequestContext(new RequestContext(account1.getId(), account1Admin, "admin"));
 people.update(personId, qjson("{ `firstName`:`Bill` }"), 200);
-
+
 // -ve test: check that required/mandatory/non-null fields cannot be unset (or empty string)
- people.update("people", personId, null, null, qjson("{ `firstName`:`` }"), null, "Expected 400 response when updating " + personId, 400);
- people.update("people", personId, null, null, qjson("{ `email`:`` }"), null, "Expected 400 response when updating " + personId, 400);
- people.update("people", personId, null, null, qjson("{ `emailNotificationsEnabled`:`` }"), null, "Expected 400 response when updating " + personId, 400);
+ {
+ people.update("people", personId, null, null, qjson("{ `firstName`:`` }"), null, "Expected 400 response when updating " + personId, 400);
+ people.update("people", personId, null, null, qjson("{ `email`:`` }"), null, "Expected 400 response when updating " + personId, 400);
+ people.update("people", personId, null, null, qjson("{ `emailNotificationsEnabled`:`` }"), null, "Expected 400 response when updating " + personId, 400);
+ }
 }
 @Test
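Review bot: The "-me-" case asserts only on the first name, so it would still pass if the alias resolved to a different account and that account's first name was updated; add `assertEquals(personId, updatedPerson.getId());` after the existing assertEquals so the test pins that "-me-" maps to the authenticated caller. The same identity assertion would strengthen the explicit-ID case above it. Nothing in this hunk exercises the enabled-flag handling that PeopleImpl.update gained in the same commit, in particular that a non-admin using "-me-" cannot change `enabled` and that admin authorities are protected, so that behaviour is currently untested as far as this diff shows.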