From fc750835ebe56968ff5144fa01a1cf513c8429cb Mon Sep 17 00:00:00 2001 From: Ana Bozianu Date: Mon, 26 Jan 2015 10:27:07 +0000 Subject: [PATCH] Merged DEV to /BRANCHES/v2.3 93906: RM-1644 : Possible to create "report" records and copy records without Create Record capability - added "CreateRecord" constant in RMPermissionModel - in CreateCapability evaluator I checked if the user has the capability - wrote unit test 93998: RM-1644 : Possible to create "report" records and copy records without Create Record capability - changed test implementation using the framework to specify the expected exception correctly git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.3@94003 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../capability/RMPermissionModel.java | 3 +- .../capability/impl/CreateCapability.java | 4 ++ .../integration/record/CreateRecordTest.java | 46 +++++++++++++++++++ 3 files changed, 52 insertions(+), 1 deletion(-) diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java index f002c507d5..12d267d1b2 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java @@ -64,7 +64,8 @@ public interface RMPermissionModel // Capability permissions String DECLARE_RECORDS = "DeclareRecords"; - String VIEW_RECORDS = "ViewRecords"; + String VIEW_RECORDS = "ViewRecords"; + String CREATE_RECORDS = "CreateRecords"; String CREATE_MODIFY_DESTROY_FOLDERS = "CreateModifyDestroyFolders"; String EDIT_RECORD_METADATA = "EditRecordMetadata"; String EDIT_NON_RECORD_METADATA = "EditNonRecordMetadata"; diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/CreateCapability.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/CreateCapability.java index 05aec4b7b6..cb08db9dea 100644 --- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/CreateCapability.java +++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/CreateCapability.java @@ -80,6 +80,10 @@ public class CreateCapability extends DeclarativeCapability */ public int evaluate(NodeRef destination, NodeRef linkee, QName assocType) { + //if the user doesn't have Create Record capability deny access + if(capabilityService.getCapabilityAccessState(destination, RMPermissionModel.CREATE_RECORDS) == AccessStatus.DENIED) + return AccessDecisionVoter.ACCESS_DENIED; + if (linkee != null) { int state = checkRead(linkee, true); diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/record/CreateRecordTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/record/CreateRecordTest.java index 9be23993f0..a96d7b8c30 100644 --- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/record/CreateRecordTest.java +++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/record/CreateRecordTest.java @@ -28,6 +28,7 @@ import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase; import org.alfresco.repo.content.MimetypeMap; import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork; +import org.alfresco.repo.security.permissions.AccessDeniedException; import org.alfresco.service.cmr.repository.ContentWriter; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.util.GUID; @@ -201,4 +202,49 @@ public class CreateRecordTest extends BaseRMTestCase } }); } + + public void testCreateRecordWithoutCreateRecordCapability() throws Exception + { + doBehaviourDrivenTest(new BehaviourDrivenTest(AccessDeniedException.class) + { + /** test data */ + String roleName = GUID.generate(); + String user = GUID.generate(); + NodeRef recordFolder; + + public void given() + { + // create role + Set capabilities = new HashSet(2); + capabilities.add(capabilityService.getCapability("ViewRecords")); + filePlanRoleService.createRole(filePlan, roleName, roleName, capabilities); + + // create user and assign to role + createPerson(user, true); + filePlanRoleService.assignRoleToAuthority(filePlan, roleName, user); + + // create file plan structure + NodeRef rc = filePlanService.createRecordCategory(filePlan, GUID.generate()); + recordFolder = recordFolderService.createRecordFolder(rc, GUID.generate()); + } + + public void when() + { + // give read and file permissions to user + filePlanPermissionService.setPermission(recordFolder, user, + RMPermissionModel.FILING); + + AuthenticationUtil.runAs(new RunAsWork() + { + public Void doWork() throws Exception + { + recordService.createRecordFromContent(recordFolder, GUID.generate(), + TYPE_CONTENT, null, null); + + return null; + } + }, user); + } + }); + } }