[maven-release-plugin][skip ci] prepare release 23.3.0.94

* ACS-8370 Switch to new tags for tomcat base images in Dockerfiles

* ACS-8370 Update fontconfig package

* ACS-8370 Update tomcat image SHA

.github/workflows/ci.yml

@@ -138,7 +138,7 @@ jobs:
       - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v1.35.2
       - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v1.35.2
       - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v1.35.2
-      - uses: Alfresco/ya-pmd-scan@v3.0.2
+      - uses: Alfresco/ya-pmd-scan@v4.0.0
         with:
           classpath-build-command: "mvn test-compile -ntp -Pags -pl \"-:alfresco-community-repo-docker\""
 

README.md

@@ -2,38 +2,57 @@
 
 [![Build Status](https://github.com/Alfresco/alfresco-community-repo/actions/workflows/master_release.yml/badge.svg?branch=master)](https://github.com/Alfresco/alfresco-community-repo/actions/workflows/master_release.yml)
 
-#### Alfresco Core
+## Table of Contents
+1. [Content](#content)
+2. [Artifacts](#artifacts)
+3. [Setup](#setting-up-and-building-your-development-environment)
+4. [Branches](#branches)
+5. [Contributing](#contributing-guide)
+6. [Helpful links](#helpful-links)
+
+
+## Content
+Alfresco Community Repository contains following libraries:
+
+### Alfresco Core
+Core is a library packaged as a jar file which contains the following:
 
-Alfresco Core is a library packaged as a jar file which contains the following:
 * Various helpers and utils
 * Canned queries interface and supporting classes
 * Generic encryption supporting classes
 
-#### Alfresco Data Model
-Data model is a library packaged as a jar file which  contains the following:
+### Alfresco Data Model
+
+Data Model is a library packaged as a jar file which  contains the following:
+
 * Dictionary, Repository and Search Services interfaces
 * Models for data types and Dictionary implementation
 * Parsers
 
-#### Alfresco Repository
+### Alfresco Repository
 
 Repository is a library packaged as a jar file which contains the following:
+
 * DAOs and SQL scripts
 * Various Service implementations
 * Utility classes
 
-#### Alfresco Remote API
+### Alfresco Remote API
 
 Remote API is a library packaged as a jar file which contains the following:
+
 * REST API framework
 * WebScript implementations including [V1 REST APIs](https://hub.alfresco.com/t5/alfresco-content-services-blog/v1-rest-api-10-things-you-should-know/ba-p/287692)
 * [OpenCMIS](https://chemistry.apache.org/java/opencmis.html) implementations
 
-#### Artifacts
+## Artifacts
+
 The artifacts can be obtained by:
-* downloading from [Alfresco maven repository](https://artifacts.alfresco.com/nexus/content/groups/public)
+* downloading from [Alfresco maven repository](https://artifacts.alfresco.com/nexus/#browse/browse:public)
 * as Maven dependency by adding the dependency to your pom file:
-~~~
+
+~~~xml
+
 <dependency>
   <groupId>org.alfresco</groupId>
   <artifactId>alfresco-core</artifactId>
@@ -64,34 +83,46 @@ The artifacts can be obtained by:
     <version>version</version>
     <type>war</type>
 </dependency>
+
 ~~~
+
 and Alfresco maven repository:
-~~~
+
+~~~xml
+
 <repository>
   <id>alfresco-maven-repo</id>
   <url>https://artifacts.alfresco.com/nexus/content/groups/public</url>
 </repository>
+
 ~~~
+
 The SNAPSHOT versions of the artifact are not published.
 
 ## Setting up and building your development environment
-See the [Development Tomcat Environment](https://github.com/Alfresco/acs-community-packaging/tree/master/dev/README.md)
-page which will show you how to try out your repository changes in a local tomcat instance.
-If you wish to use Docker images, take a look at the aliases ending in `D` and the docker-compose files in this
-project's test modules.    
+
+See the [**Development Tomcat Environment**](https://github.com/Alfresco/acs-community-packaging/tree/master/dev/README.md)
+page which will show you how to try out your repository changes in a local Tomcat instance or using Docker containers. 
 
 ## Branches
-This project has a branch for each ACS release. For example the code in ACS 6.2.1 is a
-branch called `releases/6.2.2`. In addition to the original 6.2.2 release it will also contain Hot Fixes
-added later. The latest unreleased code is on the `master` branch. There are also `.N` branches, such as 
-`releases/7.1.N` on which we gather unreleased fixes for future service pack releases. They do not indicate
+
+This project has a branch for each ACS release. For example the code in ACS 6.2.2 is a
+branch called **`release/6.2.2`**. In addition to the original 6.2.2 release it will also contain Hot Fixes
+added later. The latest unreleased code is on the **`master`** branch. There are also **`.N`** branches, such as 
+**`release/7.1.N`** on which we gather unreleased fixes for future service pack releases. They do not indicate
 that one is planned.
 
 For historic reasons the version of artifacts created on each branch do not match the ACS version.
-For example artifact in ACS 7.2.0 will be `14.<something>`.
+For example artifact in ACS 7.2.0 will be **`14.<something>`**.
 
-The enterprise projects which extend the `alfresco-community-repo` use the same branch names and leading
+The enterprise projects which extend the **`alfresco-community-repo`** use the same branch names and leading
 artifact version number.
 
-### Contributing guide
-Please use [this guide](CONTRIBUTING.md) to make a contribution to the project.
+## Contributing guide
+
+Please use [**this guide**](CONTRIBUTING.md) to make a contribution to the project.
+
+## Helpful links
+
+- [Alfresco Content Services Documentation](https://docs.alfresco.com/content-services/latest/)
+- [Alfresco Platform](https://www.hyland.com/en/products/alfresco-platform)

amps/ags/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-community-repo-amps</artifactId>
-      <version>23.3.0.80</version>
+      <version>23.3.0.94</version>
    </parent>
 
    <modules>

amps/ags/rm-automation/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-parent</artifactId>
-      <version>23.3.0.80</version>
+      <version>23.3.0.94</version>
    </parent>
 
    <modules>

amps/ags/rm-automation/rm-automation-community-rest-api/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-automation-community-repo</artifactId>
-      <version>23.3.0.80</version>
+      <version>23.3.0.94</version>
    </parent>
 
    <build>

amps/ags/rm-community/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-parent</artifactId>
-      <version>23.3.0.80</version>
+      <version>23.3.0.94</version>
    </parent>
 
    <modules>

amps/ags/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-recordfolder-context.xml

@@ -125,7 +125,7 @@
          parent="declarativeCapability">
       <property name="name" value="DeleteRecordFolder"/>
       <property name="private" value="true"/>
-      <property name="permission" value="CreateModifyDestroyFolders"/>
+      <property name="permission" value="DeleteRecords"/>
       <property name="kinds">
          <list>
             <value>RECORD_FOLDER</value>

amps/ags/rm-community/rm-community-repo/pom.xml

@@ -8,7 +8,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-repo-parent</artifactId>
-      <version>23.3.0.80</version>
+      <version>23.3.0.94</version>
    </parent>
 
    <properties>

amps/ags/rm-community/rm-community-rest-api-explorer/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-governance-services-community-repo-parent</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <build>

amps/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <modules>

amps/share-services/pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-amps</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <properties>

core/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-community-repo</artifactId>
-      <version>23.3.0.80</version>
+      <version>23.3.0.94</version>
    </parent>
 
    <dependencies>

data-model/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <properties>

mmt/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <dependencies>

packaging/distribution/pom.xml

@@ -9,6 +9,6 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 </project>

packaging/docker-alfresco/Dockerfile

@@ -1,6 +1,5 @@
-# Fetch image based on Tomcat 9.0, Java 17 and Rocky Linux 8
 # More infos about this image: https://github.com/Alfresco/alfresco-docker-base-tomcat
-FROM alfresco/alfresco-base-tomcat:tomcat10-jre17-rockylinux8-202306291245
+FROM alfresco/alfresco-base-tomcat:tomcat10-jre17-rockylinux9@sha256:395664f9d9be0c9f73d3b722a58fd559ee7231609b263dfe19502617652740e3
 
 # Set default docker_context.
 ARG resource_path=target
@@ -14,6 +13,9 @@ ARG USERID=33000
 # Set default environment args
 ARG TOMCAT_DIR=/usr/local/tomcat
 
+# Needed for installation but make sure another USER directive is added after
+# this with a non-root user
+USER root
 
 # Create prerequisite to store tools and properties
 RUN mkdir -p ${TOMCAT_DIR}/shared/classes/alfresco/extension/mimetypes && \
@@ -61,13 +63,7 @@ RUN sed -i -e "s_appender.rolling.fileName\=alfresco.log_appender.rolling.fileNa
     sed -i -e "\$a\grant\ codeBase\ \"file:\$\{catalina.base\}\/webapps\/alfresco\/-\" \{\n\    permission\ java.security.AllPermission\;\n\};\ngrant\ codeBase\ \"file:\$\{catalina.base\}\/webapps\/_vti_bin\/-\" \{\n\    permission\ java.security.AllPermission\;\n\};\ngrant\ codeBase\ \"file:\$\{catalina.base\}\/webapps\/ROOT\/-\" \{\n\    permission org.apache.catalina.security.DeployXmlPermission \"ROOT\";\n\};" ${TOMCAT_DIR}/conf/catalina.policy
 
 # fontconfig is required by Activiti worflow diagram generator
-# installing pinned dependencies as well
-RUN yum install -y fontconfig-2.13.1-4.el8 \
-                   dejavu-fonts-common-2.35-7.el8 \
-                   fontpackages-filesystem-1.44-22.el8 \
-                   freetype-2.9.1-9.el8 \
-                   libpng-1.6.34-5.el8 \
-                   dejavu-sans-fonts-2.35-7.el8 && \
+RUN yum install -y fontconfig-2.14.0-2.el9_1 && \
     yum clean all
 
 # The standard configuration is to have all Tomcat files owned by root with group GROUPNAME and whilst owner has read/write privileges, 

packaging/docker-alfresco/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <properties>

packaging/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <modules>

packaging/tests/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <modules>

packaging/tests/tas-cmis/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <organization>

packaging/tests/tas-email/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <developers>

packaging/tests/tas-integration/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <developers>

packaging/tests/tas-restapi/pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <properties>

packaging/tests/tas-webdav/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <developers>

packaging/war/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <properties>

pom.xml

@@ -2,7 +2,7 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <artifactId>alfresco-community-repo</artifactId>
-    <version>23.3.0.80</version>
+    <version>23.3.0.94</version>
     <packaging>pom</packaging>
     <name>Alfresco Community Repo Parent</name>
 
@@ -51,8 +51,8 @@
         <dependency.alfresco-server-root.version>7.0.1</dependency.alfresco-server-root.version>
         <dependency.activiti-engine.version>5.23.0</dependency.activiti-engine.version>
         <dependency.activiti.version>5.23.0</dependency.activiti.version>
-        <dependency.alfresco-transform-core.version>5.1.3</dependency.alfresco-transform-core.version>
-        <dependency.alfresco-transform-service.version>4.1.3</dependency.alfresco-transform-service.version>
+        <dependency.alfresco-transform-core.version>5.1.4-A3</dependency.alfresco-transform-core.version>
+        <dependency.alfresco-transform-service.version>4.1.4-A2</dependency.alfresco-transform-service.version>
         <dependency.alfresco-greenmail.version>7.0</dependency.alfresco-greenmail.version>
         <dependency.acs-event-model.version>0.0.27</dependency.acs-event-model.version>
 
@@ -113,13 +113,13 @@
         <dependency.jakarta-json-path.version>2.9.0</dependency.jakarta-json-path.version>
         <dependency.json-smart.version>2.5.1</dependency.json-smart.version>
         <alfresco.googledrive.version>4.1.0</alfresco.googledrive.version>
-        <alfresco.aos-module.version>3.1.0-A1</alfresco.aos-module.version>
+        <alfresco.aos-module.version>3.1.0-A2</alfresco.aos-module.version>
         <alfresco.api-explorer.version>23.2.0</alfresco.api-explorer.version> <!-- Also in alfresco-enterprise-share -->
 
         <alfresco.maven-plugin.version>2.2.0</alfresco.maven-plugin.version>
         <license-maven-plugin.version>2.0.1</license-maven-plugin.version>
 
-        <dependency.postgresql.version>42.6.0</dependency.postgresql.version>
+        <dependency.postgresql.version>42.7.3</dependency.postgresql.version>
         <dependency.mysql.version>8.0.30</dependency.mysql.version>
         <dependency.mysql-image.version>8</dependency.mysql-image.version>
         <dependency.mariadb.version>2.7.4</dependency.mariadb.version>
@@ -151,7 +151,7 @@
         <connection>scm:git:https://github.com/Alfresco/alfresco-community-repo.git</connection>
         <developerConnection>scm:git:https://github.com/Alfresco/alfresco-community-repo.git</developerConnection>
         <url>https://github.com/Alfresco/alfresco-community-repo</url>
-        <tag>23.3.0.80</tag>
+        <tag>23.3.0.94</tag>
     </scm>
 
     <distributionManagement>
@@ -1004,7 +1004,7 @@
                 <plugin>
                     <groupId>io.fabric8</groupId>
                     <artifactId>docker-maven-plugin</artifactId>
-                    <version>0.43.4</version>
+                    <version>0.45.0</version>
                 </plugin>
                 <plugin>
                     <artifactId>maven-surefire-plugin</artifactId>

remote-api/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <dependencies>

remote-api/src/main/java/org/alfresco/rest/api/impl/PeopleImpl.java

@@ -125,7 +125,7 @@ public class PeopleImpl implements People
     protected ResetPasswordService resetPasswordService;
     protected UserRegistrySynchronizer userRegistrySynchronizer;
     protected Renditions renditions;
-
+    private Boolean allowImmutableEnabledUpdate;
 
     private final static Map<String, QName> sort_params_to_qnames;
     static
@@ -202,6 +202,11 @@ public class PeopleImpl implements People
         this.userRegistrySynchronizer = userRegistrySynchronizer;
     }
 
+    public void setAllowImmutableEnabledUpdate(Boolean allowImmutableEnabledUpdate)
+    {
+        this.allowImmutableEnabledUpdate = allowImmutableEnabledUpdate;
+    }
+
     /**
      * Validate, perform -me- substitution and canonicalize the person ID.
      * 
@@ -708,16 +713,26 @@ public class PeopleImpl implements People
         // if requested, update password
         updatePassword(isAdmin, personIdToUpdate, person);
 
-        if (person.isEnabled() != null)
+        Set<QName> immutableProperties = userRegistrySynchronizer.getPersonMappedProperties(personIdToUpdate);
+
+        Boolean isEnabled = person.isEnabled();
+        if (isEnabled != null)
         {
             if (isAdminAuthority(personIdToUpdate))
             {
                 throw new PermissionDeniedException("Admin authority cannot be disabled.");
             }
 
-            // note: if current user is not an admin then permission denied exception is thrown
-            MutableAuthenticationService mutableAuthenticationService = (MutableAuthenticationService) authenticationService;
-            mutableAuthenticationService.setAuthenticationEnabled(personIdToUpdate, person.isEnabled());
+            if (allowImmutableEnabledStatusUpdate(personIdToUpdate, isAdmin, immutableProperties))
+            {
+                LOGGER.info("User " + personIdToUpdate + " is immutable but enabled status will be set to: " + isEnabled);
+            }
+            else
+            {
+                // note: if current user is not an admin then permission denied exception is thrown
+                MutableAuthenticationService mutableAuthenticationService = (MutableAuthenticationService) authenticationService;
+                mutableAuthenticationService.setAuthenticationEnabled(personIdToUpdate, person.isEnabled());
+            }
         }
 
 		NodeRef personNodeRef = personService.getPerson(personIdToUpdate, false);
@@ -742,9 +757,7 @@ public class PeopleImpl implements People
 			properties.putAll(nodes.mapToNodeProperties(customProps));
 		}
 
-        // MNT-21150 LDAP synced attributes can be changed using REST API
-        Set<QName> immutableProperties = userRegistrySynchronizer.getPersonMappedProperties(personIdToUpdate);
-
+        // MNT-21150 LDAP synced attributes can't be changed using REST API
         immutableProperties.forEach(immutableProperty -> {
             if (properties.containsKey(immutableProperty))
             {
@@ -768,6 +781,28 @@ public class PeopleImpl implements People
         return getPerson(personId);
     }
 
+    private boolean allowImmutableEnabledStatusUpdate(String userId, boolean isAdmin, Set<QName> immutableProperties)
+    {
+        if (allowImmutableEnabledUpdate)
+        {
+            boolean containLdapUserAccountStatus = false;
+            QName propertyNameToCheck = QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, "userAccountStatusProperty");
+
+            for (QName immutableProperty : immutableProperties)
+            {
+                if (immutableProperty.equals(propertyNameToCheck))
+                {
+                    containLdapUserAccountStatus = true;
+                    break;
+                }
+            }
+
+            return isAdmin && !containLdapUserAccountStatus && !isMutableAuthority(userId);
+        }
+
+        return false;
+    }
+
     private boolean checkCurrentUserOrAdmin(String personId)
     {
         boolean isAdmin = isAdminAuthority();

remote-api/src/main/resources/alfresco/public-rest-context.xml

@@ -764,6 +764,7 @@
         <property name="thumbnailService" ref="ThumbnailService" />
         <property name="resetPasswordService" ref="resetPasswordService" />
         <property name="userRegistrySynchronizer" ref="userRegistrySynchronizer" />
+        <property name="allowImmutableEnabledUpdate" value="${allow.immutable.user.enabled.status.update}" />
     </bean>
 
     <bean id="People" class="org.springframework.aop.framework.ProxyFactoryBean">

repository/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>23.3.0.80</version>
+        <version>23.3.0.94</version>
     </parent>
 
     <dependencies>

repository/src/main/java/org/alfresco/repo/domain/permissions/FixedAclUpdater.java

@@ -235,6 +235,11 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
 
         int countNodesWithAspects()
         {
+            if (maxItems < DEFAULT_MAX_ITEMS) {
+                log.info("Job limited to process a maximum of " + maxItems + " Pending Acls");
+                return maxItems;
+            }
+
             final CountNodesWithAspectCallback countNodesCallback = new CountNodesWithAspectCallback();
             int count = transactionService.getRetryingTransactionHelper()
                     .doInTransaction(new RetryingTransactionCallback<Integer>()
@@ -246,12 +251,6 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
                             return countNodesCallback.getCount();
                         }
                     }, false, true);
-
-            if (count > maxItems)
-            {
-                log.info("Total nodes with pending acl: " + count + " Limiting work to " + maxItems);
-                return maxItems;
-            }
             return count;
         }
     }

repository/src/main/java/org/alfresco/repo/security/authentication/AuthenticationContextImpl.java

@@ -36,7 +36,11 @@ import net.sf.acegisecurity.UserDetails;
 import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import net.sf.acegisecurity.providers.dao.User;
 
+import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
 import org.alfresco.repo.tenant.TenantService;
+import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
+import org.alfresco.service.cmr.security.PersonService;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -49,12 +53,30 @@ public class AuthenticationContextImpl implements AuthenticationContext
     private final Log logger = LogFactory.getLog(getClass());
     
     private TenantService tenantService;
+    private PersonService personService;
+    private AuthenticationService authenticationService;
+    private Boolean allowImmutableEnabledUpdate;
 
     public void setTenantService(TenantService tenantService)
     {
         this.tenantService = tenantService;
     }
 
+    public void setPersonService(PersonService personService)
+    {
+        this.personService = personService;
+    }
+
+    public void setAuthenticationService(AuthenticationService authenticationService)
+    {
+        this.authenticationService = authenticationService;
+    }
+
+    public void setAllowImmutableEnabledUpdate(Boolean allowImmutableEnabledUpdate)
+    {
+        this.allowImmutableEnabledUpdate = allowImmutableEnabledUpdate;
+    }
+
     /**
      * Explicitly set the given validated user details to be authenticated.
      * 
@@ -70,7 +92,7 @@ public class AuthenticationContextImpl implements AuthenticationContext
         {
             // Apply the same validation that ACEGI would have to the user details - we may be going through a 'back
             // door'.
-            if (!ud.isEnabled())
+            if (isDisabled(userId, ud))
             {
                 throw new DisabledException("User is disabled");
             }
@@ -114,6 +136,43 @@ public class AuthenticationContextImpl implements AuthenticationContext
         }
     }
 
+    private boolean isDisabled(String userId, UserDetails ud)
+    {
+        boolean isDisabled = !ud.isEnabled();
+        boolean isSystemUser = isSystemUserName(userId);
+
+        if (allowImmutableEnabledUpdate && !isSystemUser)
+        {
+            try
+            {
+                boolean isImmutable = isImmutableAuthority(userId);
+                boolean isPersonEnabled = personService.isEnabled(userId);
+                isDisabled = isDisabled || (isImmutable && !isPersonEnabled);
+            }
+            catch (Exception e)
+            {
+                if (logger.isWarnEnabled())
+                {
+                    logger.warn("Failed to determine if person is enabled: " + userId + ", using user details status: " + isDisabled);
+                }
+            }
+        }
+
+        return isDisabled;
+    }
+
+    private boolean isImmutableAuthority(String authorityName)
+    {
+        return AuthenticationUtil.runAsSystem(new RunAsWork<Boolean>()
+        {
+            @Override public Boolean doWork() throws Exception
+            {
+                MutableAuthenticationService mutableAuthenticationService = (MutableAuthenticationService) authenticationService;
+                return !mutableAuthenticationService.isAuthenticationMutable(authorityName);
+            }
+        });
+    }
+
     public Authentication setSystemUserAsCurrentUser()
     {
         return setSystemUserAsCurrentUser(TenantService.DEFAULT_DOMAIN);

repository/src/main/resources/alfresco/authentication-services-context.xml

@@ -274,6 +274,15 @@
         <property name="tenantService">
             <ref bean="tenantService" />
         </property>
+        <property name="personService">
+            <ref bean="personService" />
+        </property>
+        <property name="authenticationService">
+            <ref bean="AuthenticationService" />
+        </property>
+        <property name="allowImmutableEnabledUpdate">
+            <value>${allow.immutable.user.enabled.status.update}</value>
+        </property>
     </bean>
 
     <!-- Simple Authentication component that rejects all authentication requests -->

repository/src/main/resources/alfresco/core-services-context.xml

@@ -1342,6 +1342,8 @@
       </property>
    </bean>
 
+    <bean id="search.suggesterService" class="org.alfresco.repo.search.impl.DummySuggesterServiceImpl">
+    </bean>
    <!-- Custom property editors -->
    <bean class="org.springframework.beans.factory.config.CustomEditorConfigurer">
       <property name="propertyEditorRegistrars">

repository/src/main/resources/alfresco/repository.properties

@@ -435,6 +435,9 @@ repo.remote.endpoint=/service
 # persisted.
 create.missing.people=${server.transaction.allow-writes}
 
+# Allow an immutable user to have its enabled status changed
+allow.immutable.user.enabled.status.update=false
+
 # Create home folders (unless disabled, see next property) as people are created (true) or create them lazily (false)
 home.folder.creation.eager=true
 # Disable home folder creation - if true then home folders are not created (neither eagerly nor lazily)