From fa2d37f37b69af8655abb14e3b0166f79f217cfc Mon Sep 17 00:00:00 2001 From: David Webster Date: Wed, 12 Oct 2016 15:08:17 +0100 Subject: [PATCH] MNT-16852: First pass at extracting permission mapping to properties file. --- .../alfresco-global.properties | 6 +++ .../extended-repository-context.xml | 6 +++ .../impl/RMPermissionServiceImpl.java | 37 +++++++++++++++++-- 3 files changed, 45 insertions(+), 4 deletions(-) diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties b/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties index 46e84685b0..41a1f5aa9c 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties @@ -47,3 +47,9 @@ rm.autocompletesuggestion.nodeParameterSuggester.aspectsAndTypes=rma:record,cm:c # Global RM disposition lifecycle trigger cron job expression # rm.dispositionlifecycletrigger.cronexpression=0 0/5 * * * ? + +# Permission mapping +# these take a comma separated string of permissions from org.alfresco.service.cmr.security.PermissionService +# read maps to ReadRecords and write to FileRecords +rm.haspermissionmap.read=ReadProperties,ReadChildren +rm.haspermissionmap.write=WriteProperties,AddChildren diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml index bd74307107..0218d2d22c 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml @@ -134,6 +134,12 @@ + + {rm.haspermissionmap.read} + + + {rm.haspermissionmap.write} + 
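Review bot: The default `rm.haspermissionmap.read=ReadProperties,ReadChildren` maps `ReadChildren` to ReadRecords, which the hard-coded check removed from RMPermissionServiceImpl did not do (it covered only READ and READ_PROPERTIES). The shipped default therefore broadens what a ReadRecords holder is granted, rather than only externalising the existing mapping. If that is intended it deserves a line in the commit message; otherwise the default should be `rm.haspermissionmap.read=ReadProperties`. The comment block should also warn administrators, for example `# every permission listed is granted to holders of ReadRecords / FileRecords on file plan components; names are matched exactly, no spaces around commas`.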
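Review bot: As rendered here the two injected values read `{rm.haspermissionmap.read}` and `{rm.haspermissionmap.write}` with no leading `$`. The surrounding markup is not visible, so this may be an artefact of the page, but if the file really contains them this way Spring would inject the literal text instead of the property value. In that case no configured permission name would ever match in hasPermission and the mapping would silently never apply. Worth confirming the values are `${rm.haspermissionmap.read}` and `${rm.haspermissionmap.write}`, and that the property names wired are `readMapping` and `fileMapping` to match the new setters.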
diff --git a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java index 63c8e95254..b4bb8166d9 100644 --- a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java @@ -19,21 +19,28 @@ package org.alfresco.repo.security.permissions.impl; import java.io.Serializable; +import java.util.ArrayList; +import java.util.Arrays; import java.util.Collections; import java.util.HashSet; +import java.util.List; import java.util.Set; import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; import org.alfresco.repo.cache.SimpleCache; + import org.alfresco.repo.security.permissions.AccessControlEntry; import org.alfresco.repo.security.permissions.AccessControlList; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.security.PermissionService; import org.alfresco.util.PropertyCheck; +import org.apache.commons.collections.ArrayStack; +import org.apache.commons.lang.StringUtils; import org.springframework.context.ApplicationEvent; + /** * Extends the core permission service implementation allowing the consideration of the read records * permission. @@ -48,6 +55,10 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl /** Writers simple cache */ protected SimpleCache> writersCache; + /** Permission maps*/ + protected String readMapping; + protected String fileMapping; + /** * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setAnyDenyDenies(boolean) */ 
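Review bot: Of the imports added in this hunk, only `java.util.Arrays` and `java.util.List` are used by the lines this patch adds. `java.util.ArrayList`, `org.apache.commons.collections.ArrayStack` and `org.apache.commons.lang.StringUtils` are not referenced in any visible hunk and look like leftovers. The rest of the file is outside the patch, so this is inferred, but unless they are used elsewhere they should be dropped. The same goes for the blank lines added inside the import block and before the class Javadoc.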
@@ -66,6 +77,22 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl this.writersCache = writersCache; } + /** + * @param readMapping the mapping of permissions to ReadRecord + */ + public void setReadMapping(String readMapping) + { + this.readMapping = readMapping; + } + + /** + * @param fileMapping the mapping of permissions to ReadRecord + */ + public void setFileMapping(String fileMapping) + { + this.fileMapping = fileMapping; + } + /** * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#onBootstrap(org.springframework.context.ApplicationEvent) */ @@ -91,13 +118,15 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl if (AccessStatus.DENIED.equals(acs) && nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) { - if (PermissionService.READ.equals(perm) || PermissionService.READ_PROPERTIES.equals(perm)) + + List configuredReadPermissions = Arrays.asList(this.readMapping.split(",")); + List configuredFilePermissions = Arrays.asList(this.fileMapping.split(",")); + + if (PermissionService.READ.equals(perm) || configuredReadPermissions.contains(perm)) { return super.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS); } - else if (PermissionService.WRITE.equals(perm) || - PermissionService.ADD_CHILDREN.equals(perm) || - PermissionService.WRITE_PROPERTIES.equals(perm)) + else if (PermissionService.WRITE.equals(perm) || configuredFilePermissions.contains(perm)) { return super.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS); }
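Review bot: The Javadoc on `setFileMapping` is a copy of the one above it and says the permissions map to ReadRecord, while hasPermission uses `fileMapping` for `RMPermissionModel.FILE_RECORDS`. Suggested text: `@param readMapping comma-separated permission names treated as ReadRecords on file plan components` and `@param fileMapping comma-separated permission names treated as FileRecords on file plan components`. It would also help to mention that the property behind `fileMapping` is `rm.haspermissionmap.write`, since the two names differ.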
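Review bot: `this.readMapping.split(",")` and `this.fileMapping.split(",")` dereference the injected strings without a null check, so a context that does not set both properties makes every denied check on a file plan component throw a NullPointerException instead of returning an access status. The split also keeps surrounding whitespace, so a value such as `ReadProperties, ReadChildren` would leave ` ReadChildren` unmatched. Both lists are also rebuilt on every call, although the values change only when the setters run. Parsing null-safely with trimming, ideally once in the setters, avoids all three; a sketch follows. The method starts and ends outside this hunk.

```java
// … unchanged: DENIED / ASPECT_FILE_PLAN_COMPONENT guard …
Set<String> configuredReadPermissions = parseMapping(this.readMapping);
Set<String> configuredFilePermissions = parseMapping(this.fileMapping);
// … unchanged: READ / WRITE branches using contains(perm) …

/** Splits a comma-separated permission list; a null or blank value yields an empty set. */
private static Set<String> parseMapping(String mapping)
{
    if (mapping == null)
    {
        return Collections.emptySet();
    }
    Set<String> permissions = new HashSet<String>();
    for (String name : mapping.split(","))
    {
        String trimmed = name.trim();
        if (!trimmed.isEmpty())
        {
            permissions.add(trimmed);
        }
    }
    return permissions;
}
```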