diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java index f002c507d5..12d267d1b2 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java @@ -64,7 +64,8 @@ public interface RMPermissionModel // Capability permissions String DECLARE_RECORDS = "DeclareRecords"; - String VIEW_RECORDS = "ViewRecords"; + String VIEW_RECORDS = "ViewRecords"; + String CREATE_RECORDS = "CreateRecords"; String CREATE_MODIFY_DESTROY_FOLDERS = "CreateModifyDestroyFolders"; String EDIT_RECORD_METADATA = "EditRecordMetadata"; String EDIT_NON_RECORD_METADATA = "EditNonRecordMetadata"; diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/CreateCapability.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/CreateCapability.java index 05aec4b7b6..cb08db9dea 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/CreateCapability.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/CreateCapability.java @@ -80,6 +80,10 @@ public class CreateCapability extends DeclarativeCapability */ public int evaluate(NodeRef destination, NodeRef linkee, QName assocType) { + //if the user doesn't have Create Record capability deny access + if(capabilityService.getCapabilityAccessState(destination, RMPermissionModel.CREATE_RECORDS) == AccessStatus.DENIED) + return AccessDecisionVoter.ACCESS_DENIED; + if (linkee != null) { int state = checkRead(linkee, true); diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/record/CreateRecordTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/record/CreateRecordTest.java index 9be23993f0..a96d7b8c30 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/record/CreateRecordTest.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/record/CreateRecordTest.java @@ -28,6 +28,7 @@ import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase; import org.alfresco.repo.content.MimetypeMap; import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork; +import org.alfresco.repo.security.permissions.AccessDeniedException; import org.alfresco.service.cmr.repository.ContentWriter; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.util.GUID; @@ -201,4 +202,49 @@ public class CreateRecordTest extends BaseRMTestCase } }); } + + public void testCreateRecordWithoutCreateRecordCapability() throws Exception + { + doBehaviourDrivenTest(new BehaviourDrivenTest(AccessDeniedException.class) + { + /** test data */ + String roleName = GUID.generate(); + String user = GUID.generate(); + NodeRef recordFolder; + + public void given() + { + // create role + Set capabilities = new HashSet(2); + capabilities.add(capabilityService.getCapability("ViewRecords")); + filePlanRoleService.createRole(filePlan, roleName, roleName, capabilities); + + // create user and assign to role + createPerson(user, true); + filePlanRoleService.assignRoleToAuthority(filePlan, roleName, user); + + // create file plan structure + NodeRef rc = filePlanService.createRecordCategory(filePlan, GUID.generate()); + recordFolder = recordFolderService.createRecordFolder(rc, GUID.generate()); + } + + public void when() + { + // give read and file permissions to user + filePlanPermissionService.setPermission(recordFolder, user, + RMPermissionModel.FILING); + + AuthenticationUtil.runAs(new RunAsWork() + { + public Void doWork() throws Exception + { + recordService.createRecordFromContent(recordFolder, GUID.generate(), + TYPE_CONTENT, null, null); + + return null; + } + }, user); + } + }); + } }