[maven-release-plugin][skip ci] prepare for next development iteration

Suggester feature in Share

.github/workflows/ci.yml

@@ -138,7 +138,7 @@ jobs:
       - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v1.35.2
       - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v1.35.2
       - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v1.35.2
-      - uses: Alfresco/ya-pmd-scan@v3.0.2
+      - uses: Alfresco/ya-pmd-scan@v4.0.0
         with:
           classpath-build-command: "mvn test-compile -ntp -Pags -pl \"-:alfresco-community-repo-docker\""
 

amps/ags/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-community-repo-amps</artifactId>
-      <version>23.3.0.75</version>
+      <version>23.3.0.87-SNAPSHOT</version>
    </parent>
 
    <modules>

amps/ags/rm-automation/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-parent</artifactId>
-      <version>23.3.0.75</version>
+      <version>23.3.0.87-SNAPSHOT</version>
    </parent>
 
    <modules>

amps/ags/rm-automation/rm-automation-community-rest-api/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-automation-community-repo</artifactId>
-      <version>23.3.0.75</version>
+      <version>23.3.0.87-SNAPSHOT</version>
    </parent>
 
    <build>

amps/ags/rm-community/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-parent</artifactId>
-      <version>23.3.0.75</version>
+      <version>23.3.0.87-SNAPSHOT</version>
    </parent>
 
    <modules>

amps/ags/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-recordfolder-context.xml

@@ -125,7 +125,7 @@
          parent="declarativeCapability">
       <property name="name" value="DeleteRecordFolder"/>
       <property name="private" value="true"/>
-      <property name="permission" value="CreateModifyDestroyFolders"/>
+      <property name="permission" value="DeleteRecords"/>
       <property name="kinds">
          <list>
             <value>RECORD_FOLDER</value>

amps/ags/rm-community/rm-community-repo/pom.xml

@@ -8,7 +8,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-repo-parent</artifactId>
-      <version>23.3.0.75</version>
+      <version>23.3.0.87-SNAPSHOT</version>
    </parent>
 
    <properties>

amps/ags/rm-community/rm-community-repo/source/java/org/alfresco/rm/rest/api/impl/SearchTypesFactory.java

@@ -92,7 +92,7 @@ public class SearchTypesFactory
         boolean includeRecords = false;
         boolean includeSubTypes = false;
 
-        if (q != null)
+        if (q != null && q.getTree() != null)
         {
             // filtering via "where" clause
             MapBasedQueryWalker propertyWalker = new MapBasedQueryWalker(listFolderChildrenEqualsQueryProperties, null);
@@ -101,11 +101,11 @@ public class SearchTypesFactory
             Boolean isUnfiledRecordFolder = propertyWalker.getProperty(UnfiledChild.PARAM_IS_UNFILED_RECORD_FOLDER,
                     WhereClauseParser.EQUALS, Boolean.class);
             Boolean isRecord = propertyWalker.getProperty(UnfiledChild.PARAM_IS_RECORD, WhereClauseParser.EQUALS, Boolean.class);
-            if ((isUnfiledRecordFolder != null && isUnfiledRecordFolder.booleanValue()) || (isRecord != null && !isRecord.booleanValue()))
+            if (checkIncludeUnfiledRecordFolders(isUnfiledRecordFolder, isRecord))
             {
                 includeUnfiledRecordFolders = true;
             }
-            else if ((isUnfiledRecordFolder != null && !isUnfiledRecordFolder.booleanValue()) || (isRecord != null && isRecord.booleanValue()))
+            else if (checkIncludeRecords(isUnfiledRecordFolder, isRecord))
             {
                 includeRecords = true;
             }
@@ -199,11 +199,11 @@ public class SearchTypesFactory
                     WhereClauseParser.EQUALS, Boolean.class);
             Boolean isRecordCategory = propertyWalker.getProperty(RecordCategoryChild.PARAM_IS_RECORD_CATEGORY, WhereClauseParser.EQUALS, Boolean.class);
 
-            if ((isRecordFolder != null && isRecordFolder.booleanValue()) || (isRecordCategory != null && !isRecordCategory.booleanValue()))
+            if (checkIncludeUnfiledRecordFolders(isRecordFolder, isRecordCategory))
             {
                 includeRecordFolders = true;
             }
-            else if ((isRecordFolder != null && !isRecordFolder.booleanValue()) || (isRecordCategory != null && isRecordCategory.booleanValue()))
+            else if (checkIncludeRecords(isRecordFolder, isRecordCategory))
             {
                 includeRecordCategories = true;
             }
@@ -291,4 +291,16 @@ public class SearchTypesFactory
 
         return new Pair<>(filterNodeTypeQName, filterIncludeSubTypes);
     }
+
+    private static boolean checkIncludeRecords(Boolean isUnfiledRecordFolder, Boolean isRecord)
+    {
+        return (isUnfiledRecordFolder != null && !isUnfiledRecordFolder.booleanValue()) || (isRecord != null
+                    && isRecord.booleanValue());
+    }
+
+    private static boolean checkIncludeUnfiledRecordFolders(Boolean isUnfiledRecordFolder, Boolean isRecord)
+    {
+        return (isUnfiledRecordFolder != null && isUnfiledRecordFolder.booleanValue()) || (isRecord != null
+                    && !isRecord.booleanValue());
+    }
 }

amps/ags/rm-community/rm-community-repo/unit-test/java/org/alfresco/module/org_alfresco_module_rm/patch/v33/RMv33HoldAuditEntryValuesPatchUnitTest.java

@@ -93,15 +93,15 @@ public class RMv33HoldAuditEntryValuesPatchUnitTest
         verify(mockedRecordsManagementQueryDAO, times(1)).updatePropertyStringValueEntity(deleteHoldPropertyStringValueEntity);
 
         assertEquals("Add To Hold", addToHoldPropertyStringValueEntity.getStringValue());
-        assertEquals("add to hold", addToHoldPropertyStringValueEntity.getStringEndLower());
+        assertEquals("add to hold", addToHoldPropertyStringValueEntity.getStringLower());
         assertEquals(Long.valueOf(770_786_109L), addToHoldPropertyStringValueEntity.getStringCrc());
 
         assertEquals("Remove From Hold", removeFromHoldPropertyStringValueEntity.getStringValue());
-        assertEquals("remove from hold", removeFromHoldPropertyStringValueEntity.getStringEndLower());
+        assertEquals("remove from hold", removeFromHoldPropertyStringValueEntity.getStringLower());
         assertEquals(Long.valueOf(2_967_613_012L), removeFromHoldPropertyStringValueEntity.getStringCrc());
 
         assertEquals("Delete Hold", deleteHoldPropertyStringValueEntity.getStringValue());
-        assertEquals("delete hold", deleteHoldPropertyStringValueEntity.getStringEndLower());
+        assertEquals("delete hold", deleteHoldPropertyStringValueEntity.getStringLower());
         assertEquals(Long.valueOf(132_640_810L), deleteHoldPropertyStringValueEntity.getStringCrc());
     }
 

amps/ags/rm-community/rm-community-rest-api-explorer/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-governance-services-community-repo-parent</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <build>

amps/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <modules>

amps/share-services/pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-amps</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <properties>

core/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-community-repo</artifactId>
-      <version>23.3.0.75</version>
+      <version>23.3.0.87-SNAPSHOT</version>
    </parent>
 
    <dependencies>

data-model/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <properties>

mmt/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <dependencies>

packaging/distribution/pom.xml

@@ -9,6 +9,6 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 </project>

packaging/docker-alfresco/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <properties>

packaging/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <modules>

packaging/tests/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <modules>

packaging/tests/tas-cmis/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <organization>

packaging/tests/tas-email/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <developers>

packaging/tests/tas-integration/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <developers>

packaging/tests/tas-restapi/pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <properties>

packaging/tests/tas-webdav/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <developers>

packaging/war/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <properties>
@@ -110,6 +110,11 @@
             <artifactId>mysql-connector-java</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.owasp.encoder</groupId>
+            <artifactId>encoder</artifactId>
+            <version>1.2.3</version>
+        </dependency>
     </dependencies>
 
     <build>

packaging/war/src/main/webapp/index.jsp

@@ -34,6 +34,7 @@
 <%@ page import="org.alfresco.service.cmr.module.ModuleDetails" %>
 <%@ page import="org.alfresco.service.cmr.module.ModuleInstallState" %>
 <%@ page import="java.util.Calendar" %>
+<%@ page import="org.owasp.encoder.Encode" %>
 
 <!-- Enterprise index-jsp placeholder -->
 <%
@@ -88,7 +89,7 @@ ModuleDetails shareServicesModule = moduleService.getModule("alfresco-share-serv
             <p></p>
             <p><a href="./s/index">Alfresco WebScripts Home</a> (admin only - INTERNAL)</p>
             <p></p>
-            <p><a href="<%=UrlUtil.getApiExplorerUrl(sysAdminParams, request.getRequestURL().toString(), request.getRequestURI())%>">Alfresco API Explorer</a></p>
+            <p><a href="<%=Encode.forHtmlAttribute(UrlUtil.getApiExplorerUrl(sysAdminParams, request.getRequestURL().toString(), request.getRequestURI()))%>">Alfresco API Explorer</a></p>
 <%
    if (descriptorService.getLicenseDescriptor() == null && transactionService.isReadOnly())
    {

pom.xml

@@ -2,7 +2,7 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <artifactId>alfresco-community-repo</artifactId>
-    <version>23.3.0.75</version>
+    <version>23.3.0.87-SNAPSHOT</version>
     <packaging>pom</packaging>
     <name>Alfresco Community Repo Parent</name>
 
@@ -61,7 +61,7 @@
         <dependency.spring-security.version>6.3.1</dependency.spring-security.version>
         <dependency.antlr.version>3.5.3</dependency.antlr.version>
         <dependency.jackson.version>2.15.2</dependency.jackson.version>
-        <dependency.cxf.version>4.0.4</dependency.cxf.version>
+        <dependency.cxf.version>4.0.5</dependency.cxf.version>
         <dependency.opencmis.version>1.0.0-jakarta-1</dependency.opencmis.version>
         <dependency.webscripts.version>9.0</dependency.webscripts.version>
         <dependency.bouncycastle.version>1.78.1</dependency.bouncycastle.version>
@@ -151,7 +151,7 @@
         <connection>scm:git:https://github.com/Alfresco/alfresco-community-repo.git</connection>
         <developerConnection>scm:git:https://github.com/Alfresco/alfresco-community-repo.git</developerConnection>
         <url>https://github.com/Alfresco/alfresco-community-repo</url>
-        <tag>23.3.0.75</tag>
+        <tag>HEAD</tag>
     </scm>
 
     <distributionManagement>

remote-api/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <dependencies>

remote-api/src/main/java/org/alfresco/rest/api/impl/AuditImpl.java

@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Remote API
  * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software. 
  * If the software was purchased under a paid Alfresco license, the terms of 
@@ -909,16 +909,14 @@ public class AuditImpl implements Audit
 
     public int getAuditEntriesCountByAppAndProperties(AuditService.AuditApplication auditApplication, AuditEntryQueryWalker propertyWalker)
     {
-        final String applicationName = auditApplication.getKey().substring(1);
-
         AuditQueryParameters parameters = new AuditQueryParameters();
-        parameters.setApplicationName(applicationName);
+        parameters.setApplicationName(auditApplication.getName());
         parameters.setFromTime(propertyWalker.getFromTime());
         parameters.setToTime(propertyWalker.getToTime());
         parameters.setFromId(propertyWalker.getFromId());
         parameters.setToId(propertyWalker.getToId());
         parameters.setUser(propertyWalker.getCreatedByUser());
 
-        return auditService.getAuditEntriesCountByAppAndProperties(applicationName, parameters);
+        return auditService.getAuditEntriesCountByAppAndProperties(parameters);
     }
 }

remote-api/src/main/java/org/alfresco/rest/api/impl/PeopleImpl.java

@@ -125,7 +125,7 @@ public class PeopleImpl implements People
     protected ResetPasswordService resetPasswordService;
     protected UserRegistrySynchronizer userRegistrySynchronizer;
     protected Renditions renditions;
-
+    private Boolean allowImmutableEnabledUpdate;
 
     private final static Map<String, QName> sort_params_to_qnames;
     static
@@ -202,6 +202,11 @@ public class PeopleImpl implements People
         this.userRegistrySynchronizer = userRegistrySynchronizer;
     }
 
+    public void setAllowImmutableEnabledUpdate(Boolean allowImmutableEnabledUpdate)
+    {
+        this.allowImmutableEnabledUpdate = allowImmutableEnabledUpdate;
+    }
+
     /**
      * Validate, perform -me- substitution and canonicalize the person ID.
      * 
@@ -708,16 +713,26 @@ public class PeopleImpl implements People
         // if requested, update password
         updatePassword(isAdmin, personIdToUpdate, person);
 
-        if (person.isEnabled() != null)
+        Set<QName> immutableProperties = userRegistrySynchronizer.getPersonMappedProperties(personIdToUpdate);
+
+        Boolean isEnabled = person.isEnabled();
+        if (isEnabled != null)
         {
             if (isAdminAuthority(personIdToUpdate))
             {
                 throw new PermissionDeniedException("Admin authority cannot be disabled.");
             }
 
-            // note: if current user is not an admin then permission denied exception is thrown
-            MutableAuthenticationService mutableAuthenticationService = (MutableAuthenticationService) authenticationService;
-            mutableAuthenticationService.setAuthenticationEnabled(personIdToUpdate, person.isEnabled());
+            if (allowImmutableEnabledStatusUpdate(personIdToUpdate, isAdmin, immutableProperties))
+            {
+                LOGGER.info("User " + personIdToUpdate + " is immutable but enabled status will be set to: " + isEnabled);
+            }
+            else
+            {
+                // note: if current user is not an admin then permission denied exception is thrown
+                MutableAuthenticationService mutableAuthenticationService = (MutableAuthenticationService) authenticationService;
+                mutableAuthenticationService.setAuthenticationEnabled(personIdToUpdate, person.isEnabled());
+            }
         }
 
 		NodeRef personNodeRef = personService.getPerson(personIdToUpdate, false);
@@ -742,9 +757,7 @@ public class PeopleImpl implements People
 			properties.putAll(nodes.mapToNodeProperties(customProps));
 		}
 
-        // MNT-21150 LDAP synced attributes can be changed using REST API
-        Set<QName> immutableProperties = userRegistrySynchronizer.getPersonMappedProperties(personIdToUpdate);
-
+        // MNT-21150 LDAP synced attributes can't be changed using REST API
         immutableProperties.forEach(immutableProperty -> {
             if (properties.containsKey(immutableProperty))
             {
@@ -768,6 +781,28 @@ public class PeopleImpl implements People
         return getPerson(personId);
     }
 
+    private boolean allowImmutableEnabledStatusUpdate(String userId, boolean isAdmin, Set<QName> immutableProperties)
+    {
+        if (allowImmutableEnabledUpdate)
+        {
+            boolean containLdapUserAccountStatus = false;
+            QName propertyNameToCheck = QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, "userAccountStatusProperty");
+
+            for (QName immutableProperty : immutableProperties)
+            {
+                if (immutableProperty.equals(propertyNameToCheck))
+                {
+                    containLdapUserAccountStatus = true;
+                    break;
+                }
+            }
+
+            return isAdmin && !containLdapUserAccountStatus && !isMutableAuthority(userId);
+        }
+
+        return false;
+    }
+
     private boolean checkCurrentUserOrAdmin(String personId)
     {
         boolean isAdmin = isAdminAuthority();

remote-api/src/main/resources/alfresco/public-rest-context.xml

@@ -764,6 +764,7 @@
         <property name="thumbnailService" ref="ThumbnailService" />
         <property name="resetPasswordService" ref="resetPasswordService" />
         <property name="userRegistrySynchronizer" ref="userRegistrySynchronizer" />
+        <property name="allowImmutableEnabledUpdate" value="${allow.immutable.user.enabled.status.update}" />
     </bean>
 
     <bean id="People" class="org.springframework.aop.framework.ProxyFactoryBean">

repository/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.75</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <dependencies>

repository/src/main/java/org/alfresco/ibatis/IdsEntity.java

@@ -41,6 +41,8 @@ public class IdsEntity
     private Long idFour;
     private List<Long> ids;
     private boolean ordered;
+    private Integer maxResults;
+
     public Long getIdOne()
     {
         return idOne;
@@ -89,4 +91,12 @@ public class IdsEntity
     {
         this.ordered = ordered;
     }
+    public int getMaxResults()
+    {
+        return maxResults;
+    }
+    public void setMaxResults(Integer maxResults)
+    {
+        this.maxResults = maxResults;
+    }
 }

repository/src/main/java/org/alfresco/repo/audit/AuditComponent.java

@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software. 
  * If the software was purchased under a paid Alfresco license, the terms of 
@@ -276,11 +276,10 @@ public interface AuditComponent
     /**
      * Issue an audit query to retrieve count of records for a given application and properties
      *
-     * @param applicationName             the name of the application
      * @param parameters                  audit parameters provided by the <code>where</code> clause on the ReST API
      * @return                            a map containing min/max and the associated value
      */
-    default int getAuditEntriesCountByAppAndProperties(String applicationName, AuditQueryParameters parameters)
+    default int getAuditEntriesCountByAppAndProperties(AuditQueryParameters parameters)
     {
         return -1;
     }

repository/src/main/java/org/alfresco/repo/audit/AuditComponentImpl.java

@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software. 
  * If the software was purchased under a paid Alfresco license, the terms of 
@@ -956,10 +956,8 @@ public class AuditComponentImpl implements AuditComponent
         return auditDAO.getAuditEntriesCountByApp(applicationId);
     }
 
-    @Override public int getAuditEntriesCountByAppAndProperties(String applicationName, AuditQueryParameters parameters)
+    @Override public int getAuditEntriesCountByAppAndProperties(AuditQueryParameters parameters)
     {
-        org.alfresco.repo.domain.audit.AuditQueryParameters dbParameters = new org.alfresco.repo.domain.audit.AuditQueryParameters();
-
-        return auditDAO.getAuditEntriesCountByAppAndProperties(applicationName, parameters);
+        return auditDAO.getAuditEntriesCountByAppAndProperties(parameters);
     }
-}
+}

repository/src/main/java/org/alfresco/repo/audit/AuditServiceImpl.java

@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software. 
  * If the software was purchased under a paid Alfresco license, the terms of 
@@ -190,8 +190,8 @@ public class AuditServiceImpl implements AuditService
     /**
      * {@inheritDoc}
      */
-    @Override public int getAuditEntriesCountByAppAndProperties(String applicationName, AuditQueryParameters parameters)
+    @Override public int getAuditEntriesCountByAppAndProperties(AuditQueryParameters parameters)
     {
-        return auditComponent.getAuditEntriesCountByAppAndProperties(applicationName, parameters);
+        return auditComponent.getAuditEntriesCountByAppAndProperties(parameters);
     }
 }

repository/src/main/java/org/alfresco/repo/domain/CrcHelper.java

@@ -1,28 +1,28 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software. 
- * If the software was purchased under a paid Alfresco license, the terms of 
- * the paid license agreement will prevail.  Otherwise, the software is 
- * provided under the following open source license terms:
- * 
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- * 
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
- * 
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
 
 package org.alfresco.repo.domain;
 
@@ -102,21 +102,22 @@ public class CrcHelper
         {
             throw new RuntimeException("UTF-8 encoding is not supported");
         }
-        // Get the short value (case-sensitive or not)
+        // Crc Value will change based on the case-sensitive, So we need to get the short value based on case-sensitive
         String valueShort = null;
-        int valueLen = valueLowerCase.length();
+        String currentValue = caseSensitive ? value : valueLowerCase;
+        int valueLen = currentValue.length();
         if (valueLen < dataLength)
         {
-            valueShort = valueLowerCase;
+            valueShort = currentValue;
         }
         else if (useCharsFromStart)
         {
-            valueShort = valueLowerCase.substring(0, dataLength - 1);
+            valueShort = currentValue.substring(0, dataLength - 1);
         }
         else
         {
-            valueShort = valueLowerCase.substring(valueLen - dataLength);
+            valueShort = currentValue.substring(valueLen - dataLength);
         }
         return new Pair<String, Long>(valueShort, valueCrc);
     }
-}
+}

repository/src/main/java/org/alfresco/repo/domain/audit/AuditDAO.java

@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software. 
  * If the software was purchased under a paid Alfresco license, the terms of 
@@ -248,11 +248,10 @@ public interface AuditDAO
     /**
      * Issue an audit query to retrieve count of records for a given application and properties
      *
-     * @param applicationName   name of the application to be queried
      * @param parameters        audit parameters provided by the <code>where</code> clause on the ReST API
      * @return                  a map containing min/max and the associated value
      */
-    default int getAuditEntriesCountByAppAndProperties(String applicationName, org.alfresco.service.cmr.audit.AuditQueryParameters parameters)
+    default int getAuditEntriesCountByAppAndProperties(org.alfresco.service.cmr.audit.AuditQueryParameters parameters)
     {
         return -1;
     }

repository/src/main/java/org/alfresco/repo/domain/audit/ibatis/AuditDAOImpl.java

@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software. 
  * If the software was purchased under a paid Alfresco license, the terms of 
@@ -237,7 +237,7 @@ public class AuditDAOImpl extends AbstractAuditDAOImpl
     }
 
     @Override
-    public int getAuditEntriesCountByAppAndProperties(String applicationName, org.alfresco.service.cmr.audit.AuditQueryParameters parameters)
+    public int getAuditEntriesCountByAppAndProperties(org.alfresco.service.cmr.audit.AuditQueryParameters parameters)
     {
         AuditQueryParameters dbParameters = convertFromRestAuditQueryParameters(parameters);
 

repository/src/main/java/org/alfresco/repo/domain/node/AbstractNodeDAOImpl.java

@@ -2785,6 +2785,23 @@ public abstract class AbstractNodeDAOImpl implements NodeDAO, BatchingDAO
         selectNodesWithAspects(qnameIds, minNodeId, maxNodeId, ordered, resultsCallback);
     }
 
+    @Override
+    public void getNodesWithAspects(
+            Set<QName> aspectQNames,
+            Long minNodeId, Long maxNodeId, boolean ordered,
+            int maxResults,
+            NodeRefQueryCallback resultsCallback)
+    {
+        Set<Long> qnameIdsSet = qnameDAO.convertQNamesToIds(aspectQNames, false);
+        if (qnameIdsSet.isEmpty())
+        {
+            // No point running a query
+            return;
+        }
+        List<Long> qnameIds = new ArrayList<>(qnameIdsSet);
+        selectNodesWithAspects(qnameIds, minNodeId, maxNodeId, ordered, maxResults, resultsCallback);
+    }
+
     /**
      * @return              Returns a writable copy of the cached aspects set
      */
@@ -4960,6 +4977,10 @@ public abstract class AbstractNodeDAOImpl implements NodeDAO, BatchingDAO
             List<Long> qnameIds,
             Long minNodeId, Long maxNodeId, boolean ordered,
             NodeRefQueryCallback resultsCallback);
+    protected abstract void selectNodesWithAspects(
+            List<Long> qnameIds,
+            Long minNodeId, Long maxNodeId, boolean ordered, int maxResults,
+            NodeRefQueryCallback resultsCallback);
     protected abstract Long insertNodeAssoc(Long sourceNodeId, Long targetNodeId, Long assocTypeQNameId, int assocIndex);
     protected abstract int updateNodeAssoc(Long id, int assocIndex);
     protected abstract int deleteNodeAssoc(Long sourceNodeId, Long targetNodeId, Long assocTypeQNameId);
@@ -5088,4 +5109,5 @@ public abstract class AbstractNodeDAOImpl implements NodeDAO, BatchingDAO
     protected abstract Long selectMinTxInNodeIdRange(Long fromNodeId, Long toNodeId);
     protected abstract Long selectMaxTxInNodeIdRange(Long fromNodeId, Long toNodeId);
     protected abstract Long selectNextTxCommitTime(Long fromCommitTime);
+
 }

repository/src/main/java/org/alfresco/repo/domain/node/NodeDAO.java

@@ -427,6 +427,22 @@ public interface NodeDAO extends NodeBulkLoader
             Long minNodeId, Long maxNodeId, boolean ordered,
             NodeRefQueryCallback resultsCallback);
 
+    /**
+     * Get nodes with aspects between the given ranges, ordering the results optionally
+     * and limit the result set
+     *
+     * @param aspectQNames              the aspects that must be on the nodes
+     * @param minNodeId                 the minimum node ID (inclusive)
+     * @param maxNodeId                 the maximum node ID (exclusive)
+     * @param ordered                   if the results are to be ordered by nodeID
+     * @param maxResults                limit query to maxResults
+     * @param resultsCallback           callback to process results
+     */
+    public void getNodesWithAspects(
+            Set<QName> aspectQNames,
+            Long minNodeId, Long maxNodeId, boolean ordered, int maxResults,
+            NodeRefQueryCallback resultsCallback);
+
     /*
      * Node Assocs
      */

repository/src/main/java/org/alfresco/repo/domain/node/ibatis/NodeDAOImpl.java

@@ -116,6 +116,7 @@ public class NodeDAOImpl extends AbstractNodeDAOImpl
     private static final String SELECT_NODE_MAX_ID = "alfresco.node.select_NodeMaxId";
     private static final String SELECT_NODE_INTERVAL_BY_TYPE = "alfresco.node.select_MinMaxNodeIdForNodeType";
     private static final String SELECT_NODES_WITH_ASPECT_IDS = "alfresco.node.select_NodesWithAspectIds";
+    private static final String SELECT_NODES_WITH_ASPECT_IDS_LIMITED = "alfresco.node.select_NodesWithAspectIds_Limited";
     private static final String INSERT_NODE_ASSOC = "alfresco.node.insert.insert_NodeAssoc";
     private static final String UPDATE_NODE_ASSOC = "alfresco.node.update_NodeAssoc";
     private static final String DELETE_NODE_ASSOC = "alfresco.node.delete_NodeAssoc";
@@ -799,6 +800,33 @@ public class NodeDAOImpl extends AbstractNodeDAOImpl
         template.select(SELECT_NODES_WITH_ASPECT_IDS, parameters, resultHandler);
     }
 
+    @Override
+    protected void selectNodesWithAspects(
+            List<Long> qnameIds,
+            Long minNodeId, Long maxNodeId, boolean ordered,
+            final int maxResults,
+            final NodeRefQueryCallback resultsCallback)
+    {
+        @SuppressWarnings("rawtypes")
+        ResultHandler resultHandler = new ResultHandler()
+        {
+            public void handleResult(ResultContext context)
+            {
+                NodeEntity entity = (NodeEntity) context.getResultObject();
+                Pair<Long, NodeRef> nodePair = new Pair<>(entity.getId(), entity.getNodeRef());
+                resultsCallback.handle(nodePair);
+            }
+        };
+
+        IdsEntity parameters = new IdsEntity();
+        parameters.setIdOne(minNodeId);
+        parameters.setIdTwo(maxNodeId);
+        parameters.setIds(qnameIds);
+        parameters.setOrdered(ordered);
+        parameters.setMaxResults(maxResults);
+        template.select(SELECT_NODES_WITH_ASPECT_IDS_LIMITED, parameters, resultHandler);
+    }
+
     @Override
     protected Long insertNodeAssoc(Long sourceNodeId, Long targetNodeId, Long assocTypeQNameId, int assocIndex)
     {

repository/src/main/java/org/alfresco/repo/domain/permissions/FixedAclUpdater.java

@@ -85,8 +85,11 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
 
     public static final String FIXED_ACL_ASYNC_REQUIRED_KEY = "FIXED_ACL_ASYNC_REQUIRED";
     public static final String FIXED_ACL_ASYNC_CALL_KEY = "FIXED_ACL_ASYNC_CALL";
+
     protected static final QName LOCK_Q_NAME = QName.createQName(NamespaceService.SYSTEM_MODEL_1_0_URI, "FixedAclUpdater");
 
+    private static final int DEFAULT_MAX_ITEMS = Integer.MAX_VALUE;
+
     /** A set of listeners to receive callback events whenever permissions are updated by this class. */
     private static Set<FixedAclUpdaterListener> listeners = Sets.newConcurrentHashSet();
 
@@ -101,6 +104,8 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
     private int maxItemBatchSize = 100;
     private int numThreads = 4;
     private boolean forceSharedACL = false;
+    private int maxItems = DEFAULT_MAX_ITEMS;
+    private boolean orderNodes = true;
 
     private ClassPolicyDelegate<OnInheritPermissionsDisabled> onInheritPermissionsDisabledDelegate;
     private PolicyComponent policyComponent;
@@ -147,12 +152,22 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
         this.forceSharedACL = forceSharedACL;
     }
 
+    public void setOrderNodes(boolean orderNodes)
+    {
+        this.orderNodes = orderNodes;
+    }
+
     public void setLockTimeToLive(long lockTimeToLive)
     {
         this.lockTimeToLive = lockTimeToLive;
         this.lockRefreshTime = lockTimeToLive / 2;
     }
 
+    public void setMaxItems(int maxItems)
+    {
+        this.maxItems = maxItems > 0 ? maxItems : DEFAULT_MAX_ITEMS;
+    }
+
     public void setPolicyComponent(PolicyComponent policyComponent)
     {
         this.policyComponent = policyComponent;
@@ -209,7 +224,7 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
                         public List<NodeRef> execute() throws Throwable
                         {
                             getNodesCallback.init();
-                            nodeDAO.getNodesWithAspects(aspects, getNodesCallback.getMinNodeId(), null, true, getNodesCallback);
+                            nodeDAO.getNodesWithAspects(aspects, getNodesCallback.getMinNodeId(), null, orderNodes, maxItemBatchSize, getNodesCallback);
                             getNodesCallback.done();
 
                             return getNodesCallback.getNodes();
@@ -220,6 +235,11 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
 
         int countNodesWithAspects()
         {
+            if (maxItems < DEFAULT_MAX_ITEMS) {
+                log.info("Job limited to process a maximum of " + maxItems + " Pending Acls");
+                return maxItems;
+            }
+
             final CountNodesWithAspectCallback countNodesCallback = new CountNodesWithAspectCallback();
             int count = transactionService.getRetryingTransactionHelper()
                     .doInTransaction(new RetryingTransactionCallback<Integer>()
@@ -238,6 +258,9 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
     private class AclWorkProvider implements BatchProcessWorkProvider<NodeRef>
     {
         private GetNodesWithAspects getNodesWithAspects;
+        private long estimatedUpdatedItems;
+        private long execTime;
+        private long execBatches;
 
         AclWorkProvider()
         {
@@ -259,8 +282,37 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
         @Override
         public Collection<NodeRef> getNextWork()
         {
-            return getNodesWithAspects.getNodesWithAspects();
+            if(estimatedUpdatedItems >= maxItems)
+            {
+                log.info("Reached max items to process. Nodes Processed: " + estimatedUpdatedItems + "/" + maxItems);
+                return Collections.emptyList();
+            }
+
+            long initTime = System.currentTimeMillis();
+            Collection<NodeRef> batchNodes = getNodesWithAspects.getNodesWithAspects();
+            long endTime = System.currentTimeMillis();
+
+            if (log.isDebugEnabled())
+            {
+                log.debug("Query for batch executed in " + (endTime-initTime) + " ms");
+            }
+
+            if (!batchNodes.isEmpty())
+            {
+                // Increment estimatedUpdatedItems with the expected number of nodes to process
+                estimatedUpdatedItems += batchNodes.size();
+                execTime+=endTime-initTime;
+                execBatches++;
+            }
+
+            return batchNodes;
         }
+
+        public double getAverageQueryExecutionTime()
+        {
+            return execBatches > 0 ? execTime/execBatches : 0;
+        }
+
     }
 
     protected class AclWorker implements BatchProcessor.BatchProcessWorker<NodeRef>
@@ -451,6 +503,7 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
 
         try
         {
+            log.info("Running FixedAclUpdater. Max Items: " + maxItems + ", Impose order: " + orderNodes);
             lockToken = jobLockService.getLock(LOCK_Q_NAME, lockTimeToLive, 0, 1);
             jobLockService.refreshLock(lockToken, LOCK_Q_NAME, lockRefreshTime, jobLockRefreshCallback);
 
@@ -460,6 +513,7 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
                     transactionService.getRetryingTransactionHelper(), provider, numThreads, maxItemBatchSize, applicationContext,
                     log, 100);
             int count = bp.process(worker, true);
+            log.info("FixedAclUpdater updated " + count + ". Average query time " + provider.getAverageQueryExecutionTime() + " ms");
             return count;
         }
         catch (LockAcquisitionException e)

repository/src/main/java/org/alfresco/repo/domain/propval/PropertyStringValueEntity.java

@@ -1,28 +1,28 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software. 
- * If the software was purchased under a paid Alfresco license, the terms of 
- * the paid license agreement will prevail.  Otherwise, the software is 
- * provided under the following open source license terms:
- * 
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- * 
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
- * 
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
 package org.alfresco.repo.domain.propval;
 
 import org.alfresco.repo.domain.CrcHelper;
@@ -44,6 +44,7 @@ public class PropertyStringValueEntity
     private String stringValue;
     private String stringEndLower;
     private Long stringCrc;
+    private String stringLower;
     
     public PropertyStringValueEntity()
     {
@@ -115,6 +116,9 @@ public class PropertyStringValueEntity
         Pair<String, Long> crcPair = CrcHelper.getStringCrcPair(value, 16, false, true);
         stringEndLower = crcPair.getFirst();
         stringCrc = crcPair.getSecond();
+        // Calculate the crc value with case-insensitive
+        Pair<String, Long> crcPairWithCaseInSensitive = CrcHelper.getStringCrcPair(value, 16, false, false);
+        stringLower = crcPairWithCaseInSensitive.getFirst();
     }
 
     public Long getId()
@@ -156,4 +160,14 @@ public class PropertyStringValueEntity
     {
         this.stringCrc = stringCrc;
     }
+
+    public String getStringLower()
+    {
+        return stringLower;
+    }
+
+    public void setStringLower(String stringLower)
+    {
+        this.stringLower = stringLower;
+    }
 }

repository/src/main/java/org/alfresco/repo/security/authentication/AuthenticationContextImpl.java

@@ -36,7 +36,11 @@ import net.sf.acegisecurity.UserDetails;
 import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import net.sf.acegisecurity.providers.dao.User;
 
+import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
 import org.alfresco.repo.tenant.TenantService;
+import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
+import org.alfresco.service.cmr.security.PersonService;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -49,12 +53,30 @@ public class AuthenticationContextImpl implements AuthenticationContext
     private final Log logger = LogFactory.getLog(getClass());
     
     private TenantService tenantService;
+    private PersonService personService;
+    private AuthenticationService authenticationService;
+    private Boolean allowImmutableEnabledUpdate;
 
     public void setTenantService(TenantService tenantService)
     {
         this.tenantService = tenantService;
     }
 
+    public void setPersonService(PersonService personService)
+    {
+        this.personService = personService;
+    }
+
+    public void setAuthenticationService(AuthenticationService authenticationService)
+    {
+        this.authenticationService = authenticationService;
+    }
+
+    public void setAllowImmutableEnabledUpdate(Boolean allowImmutableEnabledUpdate)
+    {
+        this.allowImmutableEnabledUpdate = allowImmutableEnabledUpdate;
+    }
+
     /**
      * Explicitly set the given validated user details to be authenticated.
      * 
@@ -70,7 +92,7 @@ public class AuthenticationContextImpl implements AuthenticationContext
         {
             // Apply the same validation that ACEGI would have to the user details - we may be going through a 'back
             // door'.
-            if (!ud.isEnabled())
+            if (isDisabled(userId, ud))
             {
                 throw new DisabledException("User is disabled");
             }
@@ -114,6 +136,43 @@ public class AuthenticationContextImpl implements AuthenticationContext
         }
     }
 
+    private boolean isDisabled(String userId, UserDetails ud)
+    {
+        boolean isDisabled = !ud.isEnabled();
+        boolean isSystemUser = isSystemUserName(userId);
+
+        if (allowImmutableEnabledUpdate && !isSystemUser)
+        {
+            try
+            {
+                boolean isImmutable = isImmutableAuthority(userId);
+                boolean isPersonEnabled = personService.isEnabled(userId);
+                isDisabled = isDisabled || (isImmutable && !isPersonEnabled);
+            }
+            catch (Exception e)
+            {
+                if (logger.isWarnEnabled())
+                {
+                    logger.warn("Failed to determine if person is enabled: " + userId + ", using user details status: " + isDisabled);
+                }
+            }
+        }
+
+        return isDisabled;
+    }
+
+    private boolean isImmutableAuthority(String authorityName)
+    {
+        return AuthenticationUtil.runAsSystem(new RunAsWork<Boolean>()
+        {
+            @Override public Boolean doWork() throws Exception
+            {
+                MutableAuthenticationService mutableAuthenticationService = (MutableAuthenticationService) authenticationService;
+                return !mutableAuthenticationService.isAuthenticationMutable(authorityName);
+            }
+        });
+    }
+
     public Authentication setSystemUserAsCurrentUser()
     {
         return setSystemUserAsCurrentUser(TenantService.DEFAULT_DOMAIN);

repository/src/main/java/org/alfresco/service/cmr/audit/AuditService.java

@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software. 
  * If the software was purchased under a paid Alfresco license, the terms of 
@@ -256,11 +256,10 @@ public interface AuditService
     /**
      * Issue an audit query to retrieve min / max audit record id for a given application and properties
      *
-     * @param applicationName               the name of the application
      * @param parameters                    audit parameters provided by the <code>where</code> clause on the ReST API
      * @return                              a map containing min/max and the associated value
      */
-    default int getAuditEntriesCountByAppAndProperties(String applicationName, AuditQueryParameters parameters)
+    default int getAuditEntriesCountByAppAndProperties(AuditQueryParameters parameters)
     {
         return -1;
     }

repository/src/main/resources/alfresco/authentication-services-context.xml

@@ -274,6 +274,15 @@
         <property name="tenantService">
             <ref bean="tenantService" />
         </property>
+        <property name="personService">
+            <ref bean="personService" />
+        </property>
+        <property name="authenticationService">
+            <ref bean="AuthenticationService" />
+        </property>
+        <property name="allowImmutableEnabledUpdate">
+            <value>${allow.immutable.user.enabled.status.update}</value>
+        </property>
     </bean>
 
     <!-- Simple Authentication component that rejects all authentication requests -->

repository/src/main/resources/alfresco/core-services-context.xml

@@ -1342,6 +1342,8 @@
       </property>
    </bean>
 
+    <bean id="search.suggesterService" class="org.alfresco.repo.search.impl.DummySuggesterServiceImpl">
+    </bean>
    <!-- Custom property editors -->
    <bean class="org.springframework.beans.factory.config.CustomEditorConfigurer">
       <property name="propertyEditorRegistrars">

repository/src/main/resources/alfresco/ibatis/org.alfresco.repo.domain.dialect.Dialect/node-common-SqlMap.xml

@@ -782,6 +782,25 @@
         <if test="ordered == true">order by node.id ASC</if>
     </select>
 
+    <select id="select_NodesWithAspectIds_Limited" parameterType="Ids" resultMap="result_NodeRef" >
+        select
+            node.id             as id,
+            store.protocol      as protocol,
+            store.identifier    as identifier,
+            node.uuid           as uuid
+        from
+            alf_node_aspects na
+            join alf_node node on (na.node_id = node.id)
+            left join alf_store store on (store.id = node.store_id)
+        where
+            <![CDATA[na.node_id >= #{idOne}]]>
+            <if test="idTwo != null"><![CDATA[and na.node_id < #{idTwo}]]></if>
+            and na.qname_id in
+                <foreach item="item" index="i" collection="ids" open="(" separator="," close=")">#{item}</foreach>
+        <if test="ordered == true">order by node.id ASC</if>
+        <if test="maxResults != null"><![CDATA[limit #{maxResults}]]></if>
+    </select>
+
     <!-- Common results for result_NodeAssoc -->
     <sql id="select_NodeAssoc_Results">
         select

repository/src/main/resources/alfresco/public-services-security-context.xml

@@ -121,6 +121,8 @@
         <property name="maxItemBatchSize" value="${system.fixedACLsUpdater.maxItemBatchSize}"/>
         <property name="numThreads" value="${system.fixedACLsUpdater.numThreads}"/>
         <property name="forceSharedACL" value="${system.fixedACLsUpdater.forceSharedACL}"/>
+        <property name="maxItems" value="${system.fixedACLsUpdater.maxItems}"/>
+        <property name="orderNodes" value="${system.fixedACLsUpdater.orderNodes}"/>
         <property name="lockTimeToLive" value="${system.fixedACLsUpdater.lockTTL}"/>
         <property name="policyComponent" ref="policyComponent"/>
         <property name="policyIgnoreUtil" ref="policyIgnoreUtil"/>

repository/src/main/resources/alfresco/repository.properties

@@ -435,6 +435,9 @@ repo.remote.endpoint=/service
 # persisted.
 create.missing.people=${server.transaction.allow-writes}
 
+# Allow an immutable user to have its enabled status changed
+allow.immutable.user.enabled.status.update=false
+
 # Create home folders (unless disabled, see next property) as people are created (true) or create them lazily (false)
 home.folder.creation.eager=true
 # Disable home folder creation - if true then home folders are not created (neither eagerly nor lazily)
@@ -1104,7 +1107,11 @@ system.fixedACLsUpdater.numThreads=4
 # fixedACLsUpdater - Force shared ACL to propagate through children even if there is an unexpected ACL
 system.fixedACLsUpdater.forceSharedACL=false
 # fixedACLsUpdater cron expression - fire at midnight every day
-system.fixedACLsUpdater.cronExpression=0 0 0 * * ? 
+system.fixedACLsUpdater.cronExpression=0 0 0 * * ?
+# fixedACLsUpdater - maximum number of pending ACLs to process overall
+system.fixedACLsUpdater.maxItems=-1
+# fixedACLsUpdater - Impose the order by in the query. If false, it may not process all the results but should do the queries faster
+system.fixedACLsUpdater.orderNodes=true
 
 cmis.disable.hidden.leading.period.files=false
 

repository/src/test/java/org/alfresco/repo/domain/permissions/FixedAclUpdaterTest.java

@@ -104,9 +104,9 @@ public class FixedAclUpdaterTest
     private ContentService contentService;
     private AuthorityService authorityService;
     private static final long MAX_TRANSACTION_TIME_DEFAULT = 10;
+    private static final int LARGE_TRANSACTION_TIME = 86_400_000;
     private static final int[] filesPerLevelMoreFolders = { 5, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
     private static final int[] filesPerLevelMoreFiles = { 5, 100 };
-    private long maxTransactionTime;
     private static HashMap<Integer, Class<?>> errors;
     private static String TEST_GROUP_NAME = "FixedACLUpdaterTest";
     private static String TEST_GROUP_NAME_FULL = PermissionService.GROUP_PREFIX + TEST_GROUP_NAME;
@@ -134,8 +134,11 @@ public class FixedAclUpdaterTest
         AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getSystemUserName());
 
         homeFolderNodeRef = repository.getCompanyHome();
-        maxTransactionTime = MAX_TRANSACTION_TIME_DEFAULT;
-        setFixedAclMaxTransactionTime(permissionsDaoComponent, homeFolderNodeRef, maxTransactionTime);
+        setFixedAclMaxTransactionTime(permissionsDaoComponent, homeFolderNodeRef, MAX_TRANSACTION_TIME_DEFAULT);
+
+        fixedAclUpdater.setForceSharedACL(false);
+        fixedAclUpdater.setMaxItems(-1);
+        fixedAclUpdater.setOrderNodes(true);
     }
 
     @After
@@ -155,8 +158,7 @@ public class FixedAclUpdaterTest
 
         try
         {
-            maxTransactionTime = 86400000;
-            setFixedAclMaxTransactionTime(permissionsDaoComponent, homeFolderNodeRef, maxTransactionTime);
+            setFixedAclMaxTransactionTime(permissionsDaoComponent, homeFolderNodeRef, LARGE_TRANSACTION_TIME);
             setPermissionsOnTree(folderRef, false, false);
             aclComparator.compareACLs();
 
@@ -164,6 +166,7 @@ public class FixedAclUpdaterTest
         }
         finally
         {
+            setFixedAclMaxTransactionTime(permissionsDaoComponent, homeFolderNodeRef, MAX_TRANSACTION_TIME_DEFAULT);
             deleteNodes(folderRef);
         }
     }
@@ -344,8 +347,7 @@ public class FixedAclUpdaterTest
 
         try
         {
-            maxTransactionTime = 86400000;
-            setFixedAclMaxTransactionTime(permissionsDaoComponent, homeFolderNodeRef, maxTransactionTime);
+            setFixedAclMaxTransactionTime(permissionsDaoComponent, homeFolderNodeRef, LARGE_TRANSACTION_TIME);
 
             // Set permissions on target folder
             txnHelper.doInTransaction((RetryingTransactionCallback<Void>) () -> {
@@ -386,6 +388,7 @@ public class FixedAclUpdaterTest
         }
         finally
         {
+            setFixedAclMaxTransactionTime(permissionsDaoComponent, homeFolderNodeRef, MAX_TRANSACTION_TIME_DEFAULT);
             deleteNodes(originalRef);
             deleteNodes(targetRefBase);
         }
@@ -1438,6 +1441,79 @@ public class FixedAclUpdaterTest
         }
     }
 
+    /*
+     * Test with maxItems limit
+     */
+    @Test
+    @RetryAtMost(3)
+    public void testWithLimits()
+    {
+        NodeRef folderRef = createFolderHierarchyInRootForFileTests("testWithLimitsFolder");
+
+        try
+        {
+            int maxItems = 200;
+            setPermissionsOnTree(folderRef, true, true);
+
+            // Get the current amount of pending ACls
+            int initialPendingAcls = getNodesCountWithPendingFixedAclAspect();
+
+            // We need at least maxItems+1 pending ACLs
+            while (initialPendingAcls <= maxItems && initialPendingAcls > 0)
+            {
+                // Trigger the job a single round each time to create new pendings until we have enough
+                triggerFixedACLJob(false,true,maxItems,1);
+                initialPendingAcls = getNodesCountWithPendingFixedAclAspect();
+            }
+
+            assertTrue("We don't have enough pending acls to test", initialPendingAcls > 0);
+
+            // Increase transaction time to not create new pending ACLs
+            setFixedAclMaxTransactionTime(permissionsDaoComponent, homeFolderNodeRef, LARGE_TRANSACTION_TIME);
+
+            // Trigger job in single round without timeout
+            triggerFixedACLJob(false,true,maxItems,1);
+
+            int finalPendingAcls = getNodesCountWithPendingFixedAclAspect();
+
+            assertTrue("Processed ACLs should not have exceeded 200", (initialPendingAcls - finalPendingAcls) <= maxItems);
+        }
+        finally
+        {
+            setFixedAclMaxTransactionTime(permissionsDaoComponent, homeFolderNodeRef, MAX_TRANSACTION_TIME_DEFAULT);
+            deleteNodes(folderRef);
+        }
+    }
+
+    /*
+     * Test without imposing the order by
+     */
+    @Test
+    @RetryAtMost(3)
+    public void testUnordered()
+    {
+        NodeRef folderRef = createFolderHierarchyInRootForFileTests("testWithLimitsFolder");
+
+        try
+        {
+            setPermissionsOnTree(folderRef, true, true);
+
+            int initialPendingAcls = getNodesCountWithPendingFixedAclAspect();
+            assertTrue("We don't have enough pending acls to test", initialPendingAcls > 0);
+
+            triggerFixedACLJob(false,true,-1,30);
+
+            int finalPendingAcls = getNodesCountWithPendingFixedAclAspect();
+
+            assertEquals("Not all ACls were processed",0, finalPendingAcls);
+        }
+        finally
+        {
+            setFixedAclMaxTransactionTime(permissionsDaoComponent, homeFolderNodeRef, MAX_TRANSACTION_TIME_DEFAULT);
+            deleteNodes(folderRef);
+        }
+    }
+
     private Long getChild(Long parentId)
     {
         List<FileInfo> children = fileFolderService.list(nodeDAO.getNodePair(parentId).getSecond());
@@ -1601,13 +1677,18 @@ public class FixedAclUpdaterTest
 
     private void triggerFixedACLJob()
     {
-        triggerFixedACLJob(false);
+        // Trigger job 30 times max to process all nodes
+        triggerFixedACLJob(false, true, -1, 30);
     }
 
     private void triggerFixedACLJob(boolean forceSharedACL)
+    {
+        triggerFixedACLJob(forceSharedACL, true, -1, 30);
+    }
+
+    private void triggerFixedACLJob(boolean forceSharedACL, boolean orderNodes, int maxItems, int rounds)
     {
         LOG.debug("Fixing ACL");
-        final int rounds = 30;
         final int enoughZeros = 3;
 
         int numberOfConsecutiveZeros = 0;
@@ -1615,6 +1696,8 @@ public class FixedAclUpdaterTest
         {
             int count = txnHelper.doInTransaction(() -> {
                 fixedAclUpdater.setForceSharedACL(forceSharedACL);
+                fixedAclUpdater.setMaxItems(maxItems);
+                fixedAclUpdater.setOrderNodes(orderNodes);
                 return fixedAclUpdater.execute();
             }, false, true);
             numberOfConsecutiveZeros = count == 0 ? numberOfConsecutiveZeros + 1 : 0;