[MNT-23379] Do not remove site manager permissions from local set when inheritance flag is disabled

remote-api/src/main/java/org/alfresco/rest/api/impl/NodesImpl.java

@@ -2401,6 +2401,8 @@ public class NodesImpl implements Nodes
         NodePermissions nodePerms = nodeInfo.getPermissions();
         if (nodePerms != null)
         {
+            String siteManagerAuthority = getSiteManagerAuthority(nodeRef);
+
             // Cannot set inherited permissions, only direct (locally set) permissions can be set
             if ((nodePerms.getInherited() != null) && (nodePerms.getInherited().size() > 0))
             {
@@ -2411,7 +2413,7 @@ public class NodesImpl implements Nodes
             if (nodePerms.getIsInheritanceEnabled() != null)
             {
                 // If inheritance flag is being disabled, the site manager needs to have permission
-                setSiteManagerPermission(nodeRef, nodePerms);
+                setSiteManagerPermission(nodeRef, nodePerms, siteManagerAuthority);
 
                 if (nodePerms.getIsInheritanceEnabled() != permissionService.getInheritParentPermissions(nodeRef))
                 {
@@ -2510,8 +2512,15 @@ public class NodesImpl implements Nodes
                 }
 
                 // remove any remaining direct perms
+                boolean isInheritanceEnabled = permissionService.getInheritParentPermissions(nodeRef);                
                 for (AccessPermission accessPerm : directPerms)
                 {
+                    // prevents deletion of site manager permissions when inheritance is disabled
+                    boolean isSiteManagerAuthority = siteManagerAuthority != null && siteManagerAuthority.equals(accessPerm.getAuthority());
+                    if (!isInheritanceEnabled && isSiteManagerAuthority)
+                    {
+                        continue;
+                    }                    
                     permissionService.deletePermission(nodeRef, accessPerm.getAuthority(), accessPerm.getPermission());
                 }
             }
@@ -2776,7 +2785,21 @@ public class NodesImpl implements Nodes
         return updateExistingFile(null, nodeRef, fileName, contentInfo, stream, parameters, versionMajor, versionComment);
     }
 
-    private void setSiteManagerPermission(NodeRef nodeRef, NodePermissions nodePerms)
+    private String getSiteManagerAuthority(NodeRef nodeRef) {
+        return AuthenticationUtil.runAsSystem(() -> {
+            SiteInfo containingSite = siteService.getSite(nodeRef);
+
+            if (containingSite != null)
+            {
+                String thisSiteGroupPrefix = siteService.getSiteGroup(containingSite.getShortName());
+                return thisSiteGroupPrefix + "_" + SiteModel.SITE_MANAGER;
+            }
+
+            return null;
+        });
+    }
+
+    private void setSiteManagerPermission(NodeRef nodeRef, NodePermissions nodePerms, String siteManagerAuthority)
     {
         if (nodeRef != null && nodePerms != null)
         {
@@ -2784,16 +2807,9 @@ public class NodesImpl implements Nodes
             {
                 if (nodePerms.getIsInheritanceEnabled() != null && !nodePerms.getIsInheritanceEnabled())
                 {
-                    SiteInfo containingSite = siteService.getSite(nodeRef);
+                    if (siteManagerAuthority != null)
-
-                    if (containingSite != null)
                     {
-                        String thisSiteGroupPrefix = siteService.getSiteGroup(containingSite.getShortName());
+                        permissionService.setPermission(nodeRef, siteManagerAuthority, SiteModel.SITE_MANAGER, true);
-                        final String siteManagerAuthority = thisSiteGroupPrefix + "_" + SiteModel.SITE_MANAGER;
-                        AuthenticationUtil.runAsSystem(() -> {
-                            permissionService.setPermission(nodeRef, siteManagerAuthority, SiteModel.SITE_MANAGER, true);
-                            return null;
-                        });
                     }
                 }
             }

remote-api/src/test/java/org/alfresco/rest/api/tests/NodeApiTest.java

@@ -62,6 +62,7 @@ import org.alfresco.rest.api.model.ClassDefinition;
 import org.alfresco.rest.api.model.ConstraintDefinition;
 import org.alfresco.rest.api.model.LockInfo;
 import org.alfresco.rest.api.model.NodePermissions;
+import org.alfresco.rest.api.model.NodePermissions.NodePermission;
 import org.alfresco.rest.api.model.NodeTarget;
 import org.alfresco.rest.api.model.PropertyDefinition;
 import org.alfresco.rest.api.model.Site;
@@ -6394,6 +6395,10 @@ public class NodeApiTest extends AbstractSingleNetworkSiteTest
         Node nodeUpdate = new Node();
         NodePermissions nodePerms = new NodePermissions();
         nodePerms.setIsInheritanceEnabled(false);
+        NodePermission permission = new NodePermission("GROUP_site_" + site1Id + "_SiteConsumer", SiteRole.SiteConsumer.toString(), AccessStatus.ALLOWED.toString());
+        List<NodePermission> locallySet = new ArrayList<>();
+        locallySet.add(permission);
+        nodePerms.setLocallySet(locallySet);
         nodeUpdate.setPermissions(nodePerms);
         put(URL_NODES, content1_Id, toJsonAsStringNonNull(nodeUpdate), null, 200);