[maven-release-plugin][skip ci] prepare for next development iteration

Suggester feature in Share

.github/workflows/ci.yml

@@ -138,7 +138,7 @@ jobs:
       - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v1.35.2
       - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v1.35.2
       - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v1.35.2
-      - uses: Alfresco/ya-pmd-scan@v3.0.2
+      - uses: Alfresco/ya-pmd-scan@v4.0.0
         with:
           classpath-build-command: "mvn test-compile -ntp -Pags -pl \"-:alfresco-community-repo-docker\""
 

amps/ags/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-community-repo-amps</artifactId>
-      <version>23.3.0.78</version>
+      <version>23.3.0.87-SNAPSHOT</version>
    </parent>
 
    <modules>

amps/ags/rm-automation/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-parent</artifactId>
-      <version>23.3.0.78</version>
+      <version>23.3.0.87-SNAPSHOT</version>
    </parent>
 
    <modules>

amps/ags/rm-automation/rm-automation-community-rest-api/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-automation-community-repo</artifactId>
-      <version>23.3.0.78</version>
+      <version>23.3.0.87-SNAPSHOT</version>
    </parent>
 
    <build>

amps/ags/rm-community/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-parent</artifactId>
-      <version>23.3.0.78</version>
+      <version>23.3.0.87-SNAPSHOT</version>
    </parent>
 
    <modules>

amps/ags/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-recordfolder-context.xml

@@ -125,7 +125,7 @@
          parent="declarativeCapability">
       <property name="name" value="DeleteRecordFolder"/>
       <property name="private" value="true"/>
-      <property name="permission" value="CreateModifyDestroyFolders"/>
+      <property name="permission" value="DeleteRecords"/>
       <property name="kinds">
          <list>
             <value>RECORD_FOLDER</value>

amps/ags/rm-community/rm-community-repo/pom.xml

@@ -8,7 +8,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-repo-parent</artifactId>
-      <version>23.3.0.78</version>
+      <version>23.3.0.87-SNAPSHOT</version>
    </parent>
 
    <properties>

amps/ags/rm-community/rm-community-rest-api-explorer/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-governance-services-community-repo-parent</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <build>

amps/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <modules>

amps/share-services/pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-amps</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <properties>

core/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-community-repo</artifactId>
-      <version>23.3.0.78</version>
+      <version>23.3.0.87-SNAPSHOT</version>
    </parent>
 
    <dependencies>

data-model/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <properties>

mmt/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <dependencies>

packaging/distribution/pom.xml

@@ -9,6 +9,6 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 </project>

packaging/docker-alfresco/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <properties>

packaging/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <modules>

packaging/tests/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <modules>

packaging/tests/tas-cmis/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <organization>

packaging/tests/tas-email/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <developers>

packaging/tests/tas-integration/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <developers>

packaging/tests/tas-restapi/pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <properties>

packaging/tests/tas-webdav/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <developers>

packaging/war/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <properties>

pom.xml

@@ -2,7 +2,7 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <artifactId>alfresco-community-repo</artifactId>
-    <version>23.3.0.78</version>
+    <version>23.3.0.87-SNAPSHOT</version>
     <packaging>pom</packaging>
     <name>Alfresco Community Repo Parent</name>
 
@@ -61,7 +61,7 @@
         <dependency.spring-security.version>6.3.1</dependency.spring-security.version>
         <dependency.antlr.version>3.5.3</dependency.antlr.version>
         <dependency.jackson.version>2.15.2</dependency.jackson.version>
-        <dependency.cxf.version>4.0.4</dependency.cxf.version>
+        <dependency.cxf.version>4.0.5</dependency.cxf.version>
         <dependency.opencmis.version>1.0.0-jakarta-1</dependency.opencmis.version>
         <dependency.webscripts.version>9.0</dependency.webscripts.version>
         <dependency.bouncycastle.version>1.78.1</dependency.bouncycastle.version>
@@ -151,7 +151,7 @@
         <connection>scm:git:https://github.com/Alfresco/alfresco-community-repo.git</connection>
         <developerConnection>scm:git:https://github.com/Alfresco/alfresco-community-repo.git</developerConnection>
         <url>https://github.com/Alfresco/alfresco-community-repo</url>
-        <tag>23.3.0.78</tag>
+        <tag>HEAD</tag>
     </scm>
 
     <distributionManagement>

remote-api/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <dependencies>

remote-api/src/main/java/org/alfresco/rest/api/impl/PeopleImpl.java

@@ -125,7 +125,7 @@ public class PeopleImpl implements People
     protected ResetPasswordService resetPasswordService;
     protected UserRegistrySynchronizer userRegistrySynchronizer;
     protected Renditions renditions;
-
+    private Boolean allowImmutableEnabledUpdate;
 
     private final static Map<String, QName> sort_params_to_qnames;
     static
@@ -202,6 +202,11 @@ public class PeopleImpl implements People
         this.userRegistrySynchronizer = userRegistrySynchronizer;
     }
 
+    public void setAllowImmutableEnabledUpdate(Boolean allowImmutableEnabledUpdate)
+    {
+        this.allowImmutableEnabledUpdate = allowImmutableEnabledUpdate;
+    }
+
     /**
      * Validate, perform -me- substitution and canonicalize the person ID.
      * 
@@ -708,16 +713,26 @@ public class PeopleImpl implements People
         // if requested, update password
         updatePassword(isAdmin, personIdToUpdate, person);
 
-        if (person.isEnabled() != null)
+        Set<QName> immutableProperties = userRegistrySynchronizer.getPersonMappedProperties(personIdToUpdate);
+
+        Boolean isEnabled = person.isEnabled();
+        if (isEnabled != null)
         {
             if (isAdminAuthority(personIdToUpdate))
             {
                 throw new PermissionDeniedException("Admin authority cannot be disabled.");
             }
 
-            // note: if current user is not an admin then permission denied exception is thrown
-            MutableAuthenticationService mutableAuthenticationService = (MutableAuthenticationService) authenticationService;
-            mutableAuthenticationService.setAuthenticationEnabled(personIdToUpdate, person.isEnabled());
+            if (allowImmutableEnabledStatusUpdate(personIdToUpdate, isAdmin, immutableProperties))
+            {
+                LOGGER.info("User " + personIdToUpdate + " is immutable but enabled status will be set to: " + isEnabled);
+            }
+            else
+            {
+                // note: if current user is not an admin then permission denied exception is thrown
+                MutableAuthenticationService mutableAuthenticationService = (MutableAuthenticationService) authenticationService;
+                mutableAuthenticationService.setAuthenticationEnabled(personIdToUpdate, person.isEnabled());
+            }
         }
 
 		NodeRef personNodeRef = personService.getPerson(personIdToUpdate, false);
@@ -742,9 +757,7 @@ public class PeopleImpl implements People
 			properties.putAll(nodes.mapToNodeProperties(customProps));
 		}
 
-        // MNT-21150 LDAP synced attributes can be changed using REST API
-        Set<QName> immutableProperties = userRegistrySynchronizer.getPersonMappedProperties(personIdToUpdate);
-
+        // MNT-21150 LDAP synced attributes can't be changed using REST API
         immutableProperties.forEach(immutableProperty -> {
             if (properties.containsKey(immutableProperty))
             {
@@ -768,6 +781,28 @@ public class PeopleImpl implements People
         return getPerson(personId);
     }
 
+    private boolean allowImmutableEnabledStatusUpdate(String userId, boolean isAdmin, Set<QName> immutableProperties)
+    {
+        if (allowImmutableEnabledUpdate)
+        {
+            boolean containLdapUserAccountStatus = false;
+            QName propertyNameToCheck = QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, "userAccountStatusProperty");
+
+            for (QName immutableProperty : immutableProperties)
+            {
+                if (immutableProperty.equals(propertyNameToCheck))
+                {
+                    containLdapUserAccountStatus = true;
+                    break;
+                }
+            }
+
+            return isAdmin && !containLdapUserAccountStatus && !isMutableAuthority(userId);
+        }
+
+        return false;
+    }
+
     private boolean checkCurrentUserOrAdmin(String personId)
     {
         boolean isAdmin = isAdminAuthority();

remote-api/src/main/resources/alfresco/public-rest-context.xml

@@ -764,6 +764,7 @@
         <property name="thumbnailService" ref="ThumbnailService" />
         <property name="resetPasswordService" ref="resetPasswordService" />
         <property name="userRegistrySynchronizer" ref="userRegistrySynchronizer" />
+        <property name="allowImmutableEnabledUpdate" value="${allow.immutable.user.enabled.status.update}" />
     </bean>
 
     <bean id="People" class="org.springframework.aop.framework.ProxyFactoryBean">

repository/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.78</version>
+        <version>23.3.0.87-SNAPSHOT</version>
     </parent>
 
     <dependencies>

repository/src/main/java/org/alfresco/repo/domain/permissions/FixedAclUpdater.java

@@ -235,6 +235,11 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
 
         int countNodesWithAspects()
         {
+            if (maxItems < DEFAULT_MAX_ITEMS) {
+                log.info("Job limited to process a maximum of " + maxItems + " Pending Acls");
+                return maxItems;
+            }
+
             final CountNodesWithAspectCallback countNodesCallback = new CountNodesWithAspectCallback();
             int count = transactionService.getRetryingTransactionHelper()
                     .doInTransaction(new RetryingTransactionCallback<Integer>()
@@ -246,12 +251,6 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
                             return countNodesCallback.getCount();
                         }
                     }, false, true);
-
-            if (count > maxItems)
-            {
-                log.info("Total nodes with pending acl: " + count + " Limiting work to " + maxItems);
-                return maxItems;
-            }
             return count;
         }
     }

repository/src/main/java/org/alfresco/repo/security/authentication/AuthenticationContextImpl.java

@@ -36,7 +36,11 @@ import net.sf.acegisecurity.UserDetails;
 import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import net.sf.acegisecurity.providers.dao.User;
 
+import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
 import org.alfresco.repo.tenant.TenantService;
+import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
+import org.alfresco.service.cmr.security.PersonService;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -49,12 +53,30 @@ public class AuthenticationContextImpl implements AuthenticationContext
     private final Log logger = LogFactory.getLog(getClass());
     
     private TenantService tenantService;
+    private PersonService personService;
+    private AuthenticationService authenticationService;
+    private Boolean allowImmutableEnabledUpdate;
 
     public void setTenantService(TenantService tenantService)
     {
         this.tenantService = tenantService;
     }
 
+    public void setPersonService(PersonService personService)
+    {
+        this.personService = personService;
+    }
+
+    public void setAuthenticationService(AuthenticationService authenticationService)
+    {
+        this.authenticationService = authenticationService;
+    }
+
+    public void setAllowImmutableEnabledUpdate(Boolean allowImmutableEnabledUpdate)
+    {
+        this.allowImmutableEnabledUpdate = allowImmutableEnabledUpdate;
+    }
+
     /**
      * Explicitly set the given validated user details to be authenticated.
      * 
@@ -70,7 +92,7 @@ public class AuthenticationContextImpl implements AuthenticationContext
         {
             // Apply the same validation that ACEGI would have to the user details - we may be going through a 'back
             // door'.
-            if (!ud.isEnabled())
+            if (isDisabled(userId, ud))
             {
                 throw new DisabledException("User is disabled");
             }
@@ -114,6 +136,43 @@ public class AuthenticationContextImpl implements AuthenticationContext
         }
     }
 
+    private boolean isDisabled(String userId, UserDetails ud)
+    {
+        boolean isDisabled = !ud.isEnabled();
+        boolean isSystemUser = isSystemUserName(userId);
+
+        if (allowImmutableEnabledUpdate && !isSystemUser)
+        {
+            try
+            {
+                boolean isImmutable = isImmutableAuthority(userId);
+                boolean isPersonEnabled = personService.isEnabled(userId);
+                isDisabled = isDisabled || (isImmutable && !isPersonEnabled);
+            }
+            catch (Exception e)
+            {
+                if (logger.isWarnEnabled())
+                {
+                    logger.warn("Failed to determine if person is enabled: " + userId + ", using user details status: " + isDisabled);
+                }
+            }
+        }
+
+        return isDisabled;
+    }
+
+    private boolean isImmutableAuthority(String authorityName)
+    {
+        return AuthenticationUtil.runAsSystem(new RunAsWork<Boolean>()
+        {
+            @Override public Boolean doWork() throws Exception
+            {
+                MutableAuthenticationService mutableAuthenticationService = (MutableAuthenticationService) authenticationService;
+                return !mutableAuthenticationService.isAuthenticationMutable(authorityName);
+            }
+        });
+    }
+
     public Authentication setSystemUserAsCurrentUser()
     {
         return setSystemUserAsCurrentUser(TenantService.DEFAULT_DOMAIN);

repository/src/main/resources/alfresco/authentication-services-context.xml

@@ -274,6 +274,15 @@
         <property name="tenantService">
             <ref bean="tenantService" />
         </property>
+        <property name="personService">
+            <ref bean="personService" />
+        </property>
+        <property name="authenticationService">
+            <ref bean="AuthenticationService" />
+        </property>
+        <property name="allowImmutableEnabledUpdate">
+            <value>${allow.immutable.user.enabled.status.update}</value>
+        </property>
     </bean>
 
     <!-- Simple Authentication component that rejects all authentication requests -->

repository/src/main/resources/alfresco/core-services-context.xml

@@ -1342,6 +1342,8 @@
       </property>
    </bean>
 
+    <bean id="search.suggesterService" class="org.alfresco.repo.search.impl.DummySuggesterServiceImpl">
+    </bean>
    <!-- Custom property editors -->
    <bean class="org.springframework.beans.factory.config.CustomEditorConfigurer">
       <property name="propertyEditorRegistrars">

repository/src/main/resources/alfresco/repository.properties

@@ -435,6 +435,9 @@ repo.remote.endpoint=/service
 # persisted.
 create.missing.people=${server.transaction.allow-writes}
 
+# Allow an immutable user to have its enabled status changed
+allow.immutable.user.enabled.status.update=false
+
 # Create home folders (unless disabled, see next property) as people are created (true) or create them lazily (false)
 home.folder.creation.eager=true
 # Disable home folder creation - if true then home folders are not created (neither eagerly nor lazily)