Merge ACS-3652_LinkToCategoryValidation into ACS-3652_ImportValidation.

# Conflicts:
#	remote-api/src/main/java/org/alfresco/rest/api/impl/mapper/rules/RestRuleActionModelMapper.java

packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/rules/CreateRulesTests.java

@@ -26,18 +26,21 @@
 package org.alfresco.rest.rules;
 
 import static java.util.stream.Collectors.toList;
-
 import static org.alfresco.rest.actions.access.AccessRestrictionUtil.ERROR_MESSAGE_ACCESS_RESTRICTED;
+import static org.alfresco.rest.actions.access.AccessRestrictionUtil.MAIL_ACTION;
+import static org.alfresco.rest.rules.RulesTestsUtils.CHECKIN_ACTION;
 import static org.alfresco.rest.rules.RulesTestsUtils.ID;
 import static org.alfresco.rest.rules.RulesTestsUtils.INVERTED;
 import static org.alfresco.rest.rules.RulesTestsUtils.IS_SHARED;
 import static org.alfresco.rest.rules.RulesTestsUtils.RULE_NAME_DEFAULT;
+import static org.alfresco.rest.rules.RulesTestsUtils.TEMPLATE_PARAM;
 import static org.alfresco.utility.constants.UserRole.SiteCollaborator;
 import static org.alfresco.utility.constants.UserRole.SiteConsumer;
 import static org.alfresco.utility.constants.UserRole.SiteContributor;
 import static org.alfresco.utility.constants.UserRole.SiteManager;
 import static org.alfresco.utility.model.FileModel.getRandomFileModel;
 import static org.alfresco.utility.model.FileType.TEXT_PLAIN;
+import static org.alfresco.utility.model.UserModel.getRandomUserModel;
 import static org.alfresco.utility.report.log.Step.STEP;
 import static org.junit.Assert.assertEquals;
 import static org.springframework.http.HttpStatus.BAD_REQUEST;
@@ -45,21 +48,29 @@ import static org.springframework.http.HttpStatus.CREATED;
 import static org.springframework.http.HttpStatus.FORBIDDEN;
 import static org.springframework.http.HttpStatus.NOT_FOUND;
 
+import java.io.Serializable;
+import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.IntStream;
 
 import org.alfresco.rest.RestTest;
 import org.alfresco.rest.model.RestActionBodyExecTemplateModel;
+import org.alfresco.rest.model.RestActionConstraintModel;
+import org.alfresco.rest.model.RestActionDefinitionModel;
 import org.alfresco.rest.model.RestCompositeConditionDefinitionModel;
+import org.alfresco.rest.model.RestParameterDefinitionModel;
 import org.alfresco.rest.model.RestRuleModel;
 import org.alfresco.rest.model.RestRuleModelsCollection;
 import org.alfresco.utility.constants.UserRole;
+import org.alfresco.utility.model.ContentModel;
 import org.alfresco.utility.model.FileModel;
 import org.alfresco.utility.model.FolderModel;
 import org.alfresco.utility.model.SiteModel;
 import org.alfresco.utility.model.TestGroup;
 import org.alfresco.utility.model.UserModel;
+import org.apache.chemistry.opencmis.client.api.CmisObject;
 import org.testng.annotations.BeforeClass;
 import org.testng.annotations.Test;
 
@@ -368,10 +379,10 @@ public class CreateRulesTests extends RestTest
         final UserModel admin = dataUser.getAdminUser();
 
         final RestRuleModel rule = restClient.authenticateUser(admin).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
-                .createSingleRule(rulesUtils.createVariousActions());
+                .createSingleRule(rulesUtils.createRuleWithVariousActions());
 
         RestRuleModel expectedRuleModel = rulesUtils.createRuleModelWithDefaultValues();
-        expectedRuleModel.setActions(rulesUtils.createVariousActions().getActions());
+        expectedRuleModel.setActions(rulesUtils.createRuleWithVariousActions().getActions());
         expectedRuleModel.setTriggers(List.of("inbound"));
 
         restClient.assertStatusCodeIs(CREATED);
@@ -379,6 +390,23 @@ public class CreateRulesTests extends RestTest
                 .assertThat().field(IS_SHARED).isNull();
     }
 
+    /**
+     * Check we can create a rule with check in action with empty description parameter.
+     */
+    @Test(groups = {TestGroup.REST_API, TestGroup.RULES})
+    public void createRuleWithCheckInActionAndEmptyCheckInDescription()
+    {
+        final RestRuleModel ruleModel = rulesUtils.createRuleModelWithDefaultValues();
+        final RestActionBodyExecTemplateModel checkinAction = new RestActionBodyExecTemplateModel();
+        checkinAction.setActionDefinitionId(CHECKIN_ACTION);
+        checkinAction.setParams(Map.of("description", ""));
+        ruleModel.setActions(Arrays.asList(checkinAction));
+
+        restClient.authenticateUser(user).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet().createSingleRule(ruleModel);
+
+        restClient.assertStatusCodeIs(CREATED);
+    }
+
     /** Check that a normal user cannot create rules that use private actions. */
     @Test
     public void createRuleWithActions_userCannotUsePrivateAction()
@@ -400,6 +428,39 @@ public class CreateRulesTests extends RestTest
         restClient.assertStatusCodeIs(CREATED);
     }
 
+    /**
+     * Check that an administrator can create rules with email (private) action with reference to an email template.
+     */
+    @Test
+    public void createRuleWithActions_adminCanUseMailActionWithTemplate()
+    {
+        final RestRuleModel ruleModel = rulesUtils.createRuleModelWithDefaultValues();
+        final RestActionBodyExecTemplateModel mailAction = new RestActionBodyExecTemplateModel();
+        mailAction.setActionDefinitionId(MAIL_ACTION);
+        final Map<String, Serializable> params = new HashMap<>();
+        final UserModel sender = getRandomUserModel();
+        final UserModel recipient = getRandomUserModel();
+        params.put("from", sender.getEmailAddress());
+        params.put("to", recipient.getEmailAddress());
+        params.put("subject", "Test");
+        final RestActionDefinitionModel actionDef =
+                restClient.authenticateUser(user).withCoreAPI().usingActions().getActionDefinitionById(MAIL_ACTION);
+        final RestParameterDefinitionModel paramDef =
+                actionDef.getParameterDefinitions().stream().filter(param -> param.getName().equals(TEMPLATE_PARAM)).findFirst().get();
+        final String constraintName = paramDef.getParameterConstraintName();
+        final RestActionConstraintModel constraint =
+                restClient.authenticateUser(user).withCoreAPI().usingActions().getActionConstraintByName(constraintName);
+        String templateScriptRef = constraint.getConstraintValues().stream().findFirst().get().getValue();
+        params.put(TEMPLATE_PARAM, templateScriptRef);
+        mailAction.setParams(params);
+        ruleModel.setActions(Arrays.asList(mailAction));
+
+        restClient.authenticateUser(dataUser.getAdminUser()).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
+                .createSingleRule(ruleModel);
+
+        restClient.assertStatusCodeIs(CREATED);
+    }
+
     /**
      * Check we get error when attempt to create a rule without any actions.
      */
@@ -565,6 +626,239 @@ public class CreateRulesTests extends RestTest
         restClient.assertLastError().containsSummary("The entity with id: " + privateFolder.getNodeRef() + " was not found");
     }
 
+    /**
+     * Check we get error when attempting to create a rule that copies files to a folder that a user only has read permission for.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void createRuleThatWritesToNodeWithoutPermission()
+    {
+        SiteModel privateSite = dataSite.usingAdmin().createPrivateRandomSite();
+        FolderModel privateFolder = dataContent.usingAdmin().usingSite(privateSite).createFolder();
+        dataUser.usingAdmin().addUserToSite(user, privateSite, SiteConsumer);
+
+        RestRuleModel ruleModel = rulesUtils.createRuleModelWithDefaultValues();
+        RestActionBodyExecTemplateModel invalidAction = new RestActionBodyExecTemplateModel();
+        String actionDefinitionId = "copy";
+        invalidAction.setActionDefinitionId(actionDefinitionId);
+        invalidAction.setParams(Map.of("destination-folder", privateFolder.getNodeRef()));
+        ruleModel.setActions(List.of(invalidAction));
+
+        restClient.authenticateUser(user).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
+                  .createSingleRule(ruleModel);
+
+        restClient.assertStatusCodeIs(FORBIDDEN);
+        restClient.assertLastError().containsSummary("No proper permissions for node: " + privateFolder.getNodeRef());
+    }
+
+    /**
+     * Check we get error when attempting to create a rule that moves files to a folder that a user only has read permission for.
+     */
+    @Test(groups = {TestGroup.REST_API, TestGroup.RULES})
+    public void createRuleThatMovesToNodeWithoutPermission()
+    {
+        SiteModel privateSite = dataSite.usingAdmin().createPrivateRandomSite();
+        FolderModel privateFolder = dataContent.usingAdmin().usingSite(privateSite).createFolder();
+        dataUser.usingAdmin().addUserToSite(user, privateSite, SiteConsumer);
+
+        RestRuleModel ruleModel = rulesUtils.createRuleModelWithDefaultValues();
+        RestActionBodyExecTemplateModel invalidAction = new RestActionBodyExecTemplateModel();
+        String actionDefinitionId = "move";
+        invalidAction.setActionDefinitionId(actionDefinitionId);
+        invalidAction.setParams(Map.of("destination-folder", privateFolder.getNodeRef()));
+        ruleModel.setActions(List.of(invalidAction));
+
+        restClient.authenticateUser(user).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
+                .createSingleRule(ruleModel);
+
+        restClient.assertStatusCodeIs(FORBIDDEN);
+        restClient.assertLastError().containsSummary("No proper permissions for node: " + privateFolder.getNodeRef());
+    }
+
+
+    /**
+     * Check we get error when attempting to create a rule with mail action defined with non-existing mail template.
+     */
+    @Test(groups = {TestGroup.REST_API, TestGroup.RULES})
+    public void createRuleWithMailActionReferringToNonExistingTemplate()
+    {
+        final RestRuleModel ruleModel = rulesUtils.createRuleModelWithDefaultValues();
+        final RestActionBodyExecTemplateModel mailAction = new RestActionBodyExecTemplateModel();
+        mailAction.setActionDefinitionId(MAIL_ACTION);
+        final Map<String, Serializable> params = new HashMap<>();
+        final UserModel sender = getRandomUserModel();
+        final UserModel recipient = getRandomUserModel();
+        params.put("from", sender.getEmailAddress());
+        params.put("to", recipient.getEmailAddress());
+        params.put("subject", "Test");
+        final String mailTemplate = "non-existing-node-id";
+        params.put(TEMPLATE_PARAM, mailTemplate);
+        mailAction.setParams(params);
+        ruleModel.setActions(Arrays.asList(mailAction));
+
+        restClient.authenticateUser(user).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
+                  .createSingleRule(ruleModel);
+
+        restClient.assertStatusCodeIs(BAD_REQUEST);
+        restClient.assertLastError().containsSummary("Action parameter: template has invalid value (" + mailTemplate +
+                "). Look up possible values for constraint name ac-email-templates");
+    }
+
+    /**
+     * Check the admin user can create a rule with a script.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void checkAdminCanUseScriptInRule()
+    {
+        RestRuleModel ruleModel = rulesUtils.createRuleModelWithDefaultValues();
+        RestActionBodyExecTemplateModel scriptAction = new RestActionBodyExecTemplateModel();
+        scriptAction.setActionDefinitionId("script");
+        scriptAction.setParams(Map.of("script-ref", rulesUtils.getReviewAndApproveWorkflowNode()));
+        ruleModel.setActions(List.of(scriptAction));
+
+        restClient.authenticateUser(dataUser.getAdminUser()).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
+                  .createSingleRule(ruleModel);
+
+        restClient.assertStatusCodeIs(CREATED);
+    }
+
+    /**
+     * Check the script has to be stored in the scripts directory in the data dictionary.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void checkCantUseNodeOutsideScriptsDirectory()
+    {
+        STEP("Copy script to location outside data dictionary.");
+        FolderModel folderOutsideDataDictionary = dataContent.usingUser(user).usingSite(site).createFolder();
+        String sourceNodeId = rulesUtils.getReviewAndApproveWorkflowNode();
+        ContentModel sourceNode = new ContentModel("/Data Dictionary/Scripts/start-pooled-review-workflow.js");
+        sourceNode.setNodeRef("/workspace://SpacesStore/" + sourceNodeId);
+        CmisObject scriptOutsideDataDictionary = dataContent.getContentActions().copyTo(dataUser.getAdminUser().getUsername(),
+                dataUser.getAdminUser().getPassword(),
+                sourceNode.getCmisLocation(),
+                folderOutsideDataDictionary.getCmisLocation());
+        String scriptId = scriptOutsideDataDictionary.getId().substring(0, scriptOutsideDataDictionary.getId().indexOf(";"));
+
+        STEP("Try to use this script in rule.");
+        RestRuleModel ruleModel = rulesUtils.createRuleModelWithDefaultValues();
+        RestActionBodyExecTemplateModel scriptAction = new RestActionBodyExecTemplateModel();
+        scriptAction.setActionDefinitionId("script");
+        scriptAction.setParams(Map.of("script-ref", scriptId));
+        ruleModel.setActions(List.of(scriptAction));
+
+        restClient.authenticateUser(user).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
+                  .createSingleRule(ruleModel);
+
+        restClient.assertStatusCodeIs(BAD_REQUEST)
+                  .assertLastError().containsSummary("script-ref has invalid value");
+    }
+
+    /**
+     * Check we get error when a non-admin user tries to create a rule with a script.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void checkNormalUserCantUseScriptInRule()
+    {
+        RestRuleModel ruleModel = rulesUtils.createRuleModelWithDefaultValues();
+        RestActionBodyExecTemplateModel scriptAction = new RestActionBodyExecTemplateModel();
+        scriptAction.setActionDefinitionId("script");
+        scriptAction.setParams(Map.of("script-ref", rulesUtils.getReviewAndApproveWorkflowNode()));
+        ruleModel.setActions(List.of(scriptAction));
+
+        restClient.authenticateUser(user).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
+                  .createSingleRule(ruleModel);
+
+        restClient.assertStatusCodeIs(FORBIDDEN);
+        restClient.assertLastError().containsSummary("Only admin or system user is allowed to define uses of or directly execute this action");
+    }
+
+    /**
+     * Check a rule can link nodes to a category.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void checkLinkToCategoryAction()
+    {
+        STEP("Get a category id using the action constraints API.");
+        String actionId = "link-category";
+        String constraintName = "category-value";
+        String categoryId = rulesUtils.findConstraintValue(user, actionId, constraintName, "");
+
+        STEP("Create rule that links to category.");
+        RestRuleModel ruleModel = rulesUtils.createRuleModelWithDefaultValues();
+        RestActionBodyExecTemplateModel categoryAction = new RestActionBodyExecTemplateModel();
+        categoryAction.setActionDefinitionId(actionId);
+        categoryAction.setParams(Map.of(constraintName, categoryId));
+        ruleModel.setActions(List.of(categoryAction));
+
+        restClient.authenticateUser(user).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
+                  .createSingleRule(ruleModel);
+
+        restClient.assertStatusCodeIs(CREATED);
+    }
+
+    /**
+     * Check a real category needs to be supplied when linking to a category.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void checkLinkToCategoryNeedsRealCategory()
+    {
+        STEP("Attempt to link to a category with a folder node, rather than a category node.");
+        String nonCategoryNodeRef = ruleFolder.getNodeRef();
+        RestRuleModel ruleModel = rulesUtils.createRuleModelWithDefaultValues();
+        RestActionBodyExecTemplateModel categoryAction = new RestActionBodyExecTemplateModel();
+        categoryAction.setActionDefinitionId("link-category");
+        categoryAction.setParams(Map.of("category-value", nonCategoryNodeRef));
+        ruleModel.setActions(List.of(categoryAction));
+
+        restClient.authenticateUser(user).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
+                  .createSingleRule(ruleModel);
+
+        restClient.assertStatusCodeIs(BAD_REQUEST);
+    }
+
+    /**
+     * Check the import action works when the destination is a valid folder node.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void checkCanUseImportAction()
+    {
+        STEP("Create a destination folder");
+        FolderModel destinationFolder = dataContent.usingUser(user).usingSite(site).createFolder();
+
+        STEP("Create rule that links to category.");
+        RestRuleModel ruleModel = rulesUtils.createRuleModelWithDefaultValues();
+        RestActionBodyExecTemplateModel importAction = new RestActionBodyExecTemplateModel();
+        importAction.setActionDefinitionId("import");
+        importAction.setParams(Map.of("destination", destinationFolder.getNodeRef()));
+        ruleModel.setActions(List.of(importAction));
+
+        restClient.authenticateUser(user).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
+                  .createSingleRule(ruleModel);
+
+        restClient.assertStatusCodeIs(CREATED);
+    }
+
+    /**
+     * Check an error is throw if the import action works when the destination is a valid folder node.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void checkImportDestinationLocationMustBeFolder()
+    {
+        STEP("Create a content node");
+        ContentModel contentNode = dataContent.usingUser(user).usingSite(site).createContent(getRandomFileModel(TEXT_PLAIN));
+
+        STEP("Create rule that tries to import to the node.");
+        RestRuleModel ruleModel = rulesUtils.createRuleModelWithDefaultValues();
+        RestActionBodyExecTemplateModel importAction = new RestActionBodyExecTemplateModel();
+        importAction.setActionDefinitionId("import");
+        importAction.setParams(Map.of("destination", contentNode.getNodeRef()));
+        ruleModel.setActions(List.of(importAction));
+
+        restClient.authenticateUser(user).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
+                  .createSingleRule(ruleModel);
+
+        restClient.assertStatusCodeIs(BAD_REQUEST);
+    }
+
     /**
      * Check we can create a rule with multiple conditions
      */

packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/rules/GetRulesTests.java

@@ -314,9 +314,11 @@ public class GetRulesTests extends RestTest
     public void getRuleActions()
     {
         STEP("Create a rule with a few actions");
-        FolderModel folder = dataContent.usingUser(user).usingSite(site).createFolder();
-        final RestRuleModel rule = restClient.authenticateUser(user).withPrivateAPI().usingNode(folder).usingDefaultRuleSet()
-                .createSingleRule(rulesUtils.createVariousActions());
+        final FolderModel folder = dataContent.usingUser(user).usingSite(site).createFolder();
+        final RestRuleModel ruleWithVariousActions = rulesUtils.createRuleWithVariousActions();
+        final UserModel admin = dataUser.getAdminUser();
+        final RestRuleModel rule = restClient.authenticateUser(admin).withPrivateAPI().usingNode(folder).usingDefaultRuleSet()
+                .createSingleRule(ruleWithVariousActions);
 
         STEP("Retrieve the created rule via the GET endpoint");
         final RestRuleModel getRuleBody = restClient.authenticateUser(user).withPrivateAPI().usingNode(folder).usingDefaultRuleSet().getSingleRule(rule.getId());

packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/rules/RulesTestsUtils.java

@@ -66,6 +66,7 @@ public class RulesTestsUtils
     static final String RULE_SCRIPT_ID = "script";
     static final String RULE_SCRIPT_PARAM_ID = "script-ref";
     static final String RULE_ERROR_SCRIPT_LABEL = "Start Pooled Review and Approve Workflow";
+    public static final String CHECKIN_ACTION = "check-in";
     static final String INBOUND = "inbound";
     static final String UPDATE = "update";
     static final String OUTBOUND = "outbound";
@@ -76,6 +77,7 @@ public class RulesTestsUtils
     static final String IS_SHARED = "isShared";
     static final String AUDIO_ASPECT = "audio:audio";
     static final String LOCKABLE_ASPECT = "cm:lockable";
+    public static final String TEMPLATE_PARAM = "template";
 
     @Autowired
     private RestWrapper restClient;
@@ -95,6 +97,29 @@ public class RulesTestsUtils
     /** Destination folder for check out action used by these helper methods. This is populated by the getter and should not be accessed directly. */
     private FolderModel checkOutDestinationFolder;
 
+    /**
+     * Get the constraint value for a given action parameter label.
+     *
+     * @param user The user to use to obtain the information.
+     * @param actionId The id of the action definition.
+     * @param paramId The id of the parameter for the action.
+     * @param constraintLabel The label of the desired value of the parameter.
+     * @return The value to use for the parameter.
+     */
+    public String findConstraintValue(UserModel user, String actionId, String paramId, String constraintLabel)
+    {
+        RestActionDefinitionModel actionDef = restClient.authenticateUser(user).withCoreAPI().usingActions().getActionDefinitionById(actionId);
+        RestParameterDefinitionModel paramDef = actionDef.getParameterDefinitions().stream().filter(param -> param.getName().equals(paramId)).findFirst().get();
+        if (paramDef.getParameterConstraintName() == null)
+        {
+            throw new IllegalArgumentException("Supplied parameter " + paramId + " for action " + actionId + " does not have a defined constraint.");
+        }
+        String constraintName = paramDef.getParameterConstraintName();
+        RestActionConstraintModel constraintDef = restClient.authenticateUser(user).withCoreAPI().usingActions().getActionConstraintByName(constraintName);
+        RestActionConstraintDataModel constraintDataModel = constraintDef.getConstraintValues().stream().filter(constraintValue -> constraintValue.getLabel().equals(constraintLabel)).findFirst().get();
+        return constraintDataModel.getValue();
+    }
+
     /**
      * Get the review and approve workflow node (throwing an exception if this utility class has not been initialised).
      *
@@ -105,13 +130,7 @@ public class RulesTestsUtils
         if (reviewAndApproveWorkflowNode == null)
         {
             UserModel admin = dataUser.getAdminUser();
-            // Obtain the node ref for the review and approve workflow.
-            RestActionDefinitionModel actionDef = restClient.authenticateUser(admin).withCoreAPI().usingActions().getActionDefinitionById(RULE_SCRIPT_ID);
-            RestParameterDefinitionModel paramDef = actionDef.getParameterDefinitions().stream().filter(param -> param.getName().equals(RULE_SCRIPT_PARAM_ID)).findFirst().get();
-            String constraintName = paramDef.getParameterConstraintName();
-            RestActionConstraintModel constraintDef = restClient.authenticateUser(admin).withCoreAPI().usingActions().getActionConstraintByName(constraintName);
-            RestActionConstraintDataModel reviewAndApprove = constraintDef.getConstraintValues().stream().filter(constraintValue -> constraintValue.getLabel().equals(RULE_ERROR_SCRIPT_LABEL)).findFirst().get();
-            reviewAndApproveWorkflowNode = reviewAndApprove.getValue();
+            reviewAndApproveWorkflowNode = findConstraintValue(admin, RULE_SCRIPT_ID, RULE_SCRIPT_PARAM_ID, RULE_ERROR_SCRIPT_LABEL);
         }
         return reviewAndApproveWorkflowNode;
     }
@@ -247,7 +266,7 @@ public class RulesTestsUtils
         ));
     }
 
-    public RestRuleModel createVariousActions()
+    public RestRuleModel createRuleWithVariousActions()
     {
         final Map<String, Serializable> copyParams =
                 Map.of("destination-folder", getCopyDestinationFolder().getNodeRef(), "deep-copy", true);

packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/rules/UpdateRulesTests.java

@@ -459,12 +459,10 @@ public class UpdateRulesTests extends RestTest
         final RestRuleModel rule = createAndSaveRule(rulesUtils.createRuleModelWithModifiedValues());
 
         STEP("Try to update the rule by adding several actions");
-        final Map<String, Serializable> copyParams =
-                Map.of("destination-folder", rulesUtils.getCopyDestinationFolder().getNodeRef(), "deep-copy", true);
-        final RestActionBodyExecTemplateModel copyAction = rulesUtils.createCustomActionModel("copy", copyParams);
+        final RestActionBodyExecTemplateModel counterAction = rulesUtils.createCustomActionModel("counter", null);
         final Map<String, Serializable> addAspectParams = Map.of("aspect-name", "cm:taggable");
         final RestActionBodyExecTemplateModel addAspectAction = rulesUtils.createCustomActionModel("add-features", addAspectParams);
-        rule.setActions(Arrays.asList(copyAction, addAspectAction));
+        rule.setActions(Arrays.asList(counterAction, addAspectAction));
 
         final RestRuleModel updatedRule = restClient.authenticateUser(user).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
                 .updateRule(rule.getId(), rule);
@@ -489,7 +487,8 @@ public class UpdateRulesTests extends RestTest
         final RestActionBodyExecTemplateModel checkOutAction = rulesUtils.createCustomActionModel("check-out", checkOutParams);
         rule.setActions(List.of(checkOutAction));
 
-        restClient.authenticateUser(user).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
+        final UserModel admin = dataUser.getAdminUser();
+        restClient.authenticateUser(admin).withPrivateAPI().usingNode(ruleFolder).usingDefaultRuleSet()
                 .updateRule(rule.getId(), rule);
 
         restClient.assertStatusCodeIs(BAD_REQUEST);

remote-api/src/main/java/org/alfresco/rest/api/actions/ActionValidator.java

@@ -26,13 +26,39 @@
 
 package org.alfresco.rest.api.actions;
 
+import java.util.List;
+
 import org.alfresco.rest.api.model.rules.Action;
 import org.alfresco.service.Experimental;
 
 @Experimental
 public interface ActionValidator
 {
+
+    String ALL_ACTIONS = "all";
+
+    /**
+     * Provides validation logic for given action.
+     */
     void validate(Action action);
 
+    /**
+     * Indicates whether validation is enabled. Could be based on property value in a specific implementation.
+     */
     boolean isEnabled();
+
+    /**
+     * Returns priority of validator (applied to bulk validation in @see {@link org.alfresco.rest.api.impl.mapper.rules.RestRuleActionModelMapper})
+     * @return priority expressed as int
+     */
+    int getPriority();
+
+    /**
+     * By default validator is applied to all actions
+     *
+     * @return indicator for all defined action definition ids
+     */
+    default List<String> getActionDefinitionIds() {
+        return List.of(ALL_ACTIONS);
+    }
 }

remote-api/src/main/java/org/alfresco/rest/api/impl/mapper/rules/RestRuleActionModelMapper.java

@@ -29,10 +29,12 @@ package org.alfresco.rest.api.impl.mapper.rules;
 import static java.util.Collections.emptyMap;
 
 import static org.alfresco.repo.action.access.ActionAccessRestriction.ACTION_CONTEXT_PARAM_NAME;
+import static org.alfresco.rest.api.actions.ActionValidator.ALL_ACTIONS;
 
 import java.io.Serializable;
 import java.util.Collection;
 import java.util.HashMap;
+import java.util.Comparator;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@@ -117,6 +119,9 @@ public class RestRuleActionModelMapper implements RestModelMapper<Action, org.al
     private void validateAction(Action action) {
         actionValidators.stream()
                 .filter(ActionValidator::isEnabled)
-                .forEach(v -> v.validate(action));
+                .filter(v -> (v.getActionDefinitionIds().contains(action.getActionDefinitionId()) ||
+                        v.getActionDefinitionIds().equals(List.of(ALL_ACTIONS))))
+                .sorted(Comparator.comparing(ActionValidator::getPriority))
+                .forEachOrdered(v -> v.validate(action));
     }
 }

remote-api/src/main/java/org/alfresco/rest/api/impl/validator/actions/ActionNodeParameterValidator.java

@@ -0,0 +1,147 @@
+/*
+ * #%L
+ * Alfresco Remote API
+ * %%
+ * Copyright (C) 2005 - 2022 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+
+package org.alfresco.rest.api.impl.validator.actions;
+
+import static org.alfresco.service.cmr.dictionary.DataTypeDefinition.NODE_REF;
+import static org.alfresco.service.cmr.security.AccessStatus.ALLOWED;
+import static org.alfresco.service.cmr.security.PermissionService.WRITE;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+import org.alfresco.repo.action.executer.CheckOutActionExecuter;
+import org.alfresco.repo.action.executer.CopyActionExecuter;
+import org.alfresco.repo.action.executer.ImageTransformActionExecuter;
+import org.alfresco.repo.action.executer.ImporterActionExecuter;
+import org.alfresco.repo.action.executer.LinkCategoryActionExecuter;
+import org.alfresco.repo.action.executer.MailActionExecuter;
+import org.alfresco.repo.action.executer.MoveActionExecuter;
+import org.alfresco.repo.action.executer.ScriptActionExecuter;
+import org.alfresco.repo.action.executer.SimpleWorkflowActionExecuter;
+import org.alfresco.repo.action.executer.TransformActionExecuter;
+import org.alfresco.rest.api.Actions;
+import org.alfresco.rest.api.Nodes;
+import org.alfresco.rest.api.actions.ActionValidator;
+import org.alfresco.rest.api.model.ActionDefinition;
+import org.alfresco.rest.api.model.rules.Action;
+import org.alfresco.rest.framework.core.exceptions.EntityNotFoundException;
+import org.alfresco.rest.framework.core.exceptions.PermissionDeniedException;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.security.PermissionService;
+import org.alfresco.service.namespace.NamespaceService;
+import org.apache.commons.collections.MapUtils;
+
+/**
+ * This class provides logic for validation of permissions for action parameters which reference node.
+ */
+public class ActionNodeParameterValidator implements ActionValidator
+{
+    private static final boolean IS_ENABLED = true;
+    /**
+     * This list holds action parameter names which require only READ permission on a referenced node
+     * That means, all other parameters that reference nodes will require WRITE permission
+     */
+    static final List<String> REQUIRE_READ_PERMISSION_PARAMS =
+            List.of(MailActionExecuter.PARAM_TEMPLATE, LinkCategoryActionExecuter.PARAM_CATEGORY_VALUE, ScriptActionExecuter.PARAM_SCRIPTREF);
+
+    static final String NO_PROPER_PERMISSIONS_FOR_NODE = "No proper permissions for node: ";
+
+    private final Actions actions;
+    private final NamespaceService namespaceService;
+    private final Nodes nodes;
+    private final PermissionService permissionService;
+
+    public ActionNodeParameterValidator(Actions actions, NamespaceService namespaceService, Nodes nodes,
+                                        PermissionService permissionService)
+    {
+        this.actions = actions;
+        this.namespaceService = namespaceService;
+        this.nodes = nodes;
+        this.permissionService = permissionService;
+    }
+
+    /**
+     * Validates action parameters that reference nodes against access permissions for executing user.
+     * @param action Action to be validated
+     */
+    @Override
+    public void validate(Action action)
+    {
+        final ActionDefinition actionDefinition = actions.getActionDefinitionById(action.getActionDefinitionId());
+        final List<ActionDefinition.ParameterDefinition> nodeRefParams = actionDefinition.getParameterDefinitions().stream()
+                .filter(pd -> NODE_REF.toPrefixString(namespaceService).equals(pd.getType())).collect(
+                        Collectors.toList());
+        validateNodePermissions(nodeRefParams, action);
+    }
+
+    @Override
+    public boolean isEnabled()
+    {
+        return IS_ENABLED;
+    }
+
+    @Override
+    public List<String> getActionDefinitionIds()
+    {
+        return List.of(CopyActionExecuter.NAME, MoveActionExecuter.NAME, CheckOutActionExecuter.NAME, ImporterActionExecuter.NAME,
+                LinkCategoryActionExecuter.NAME, MailActionExecuter.NAME, ScriptActionExecuter.NAME, SimpleWorkflowActionExecuter.NAME,
+                TransformActionExecuter.NAME, ImageTransformActionExecuter.NAME);
+    }
+
+    @Override
+    public int getPriority()
+    {
+        return Integer.MIN_VALUE + 1;
+    }
+
+    private void validateNodePermissions(final List<ActionDefinition.ParameterDefinition> nodeRefParamDefinitions,
+                                         final Action action)
+    {
+        if (MapUtils.isNotEmpty(action.getParams()))
+        {
+            nodeRefParamDefinitions.stream()
+                    .filter(pd -> action.getParams().containsKey(pd.getName()))
+                    .forEach(p -> validatePermission(p.getName(), action.getParams().get(p.getName()).toString()));
+        }
+    }
+
+    private void validatePermission(final String paramName, final String nodeId)
+    {
+        final NodeRef nodeRef = nodes.validateNode(nodeId);
+        if (permissionService.hasReadPermission(nodeRef) != ALLOWED)
+        {
+            throw new EntityNotFoundException(nodeId);
+        }
+        if (!REQUIRE_READ_PERMISSION_PARAMS.contains(paramName))
+        {
+            if (permissionService.hasPermission(nodeRef, WRITE) != ALLOWED)
+            {
+                throw new PermissionDeniedException(NO_PROPER_PERMISSIONS_FOR_NODE + nodeId);
+            }
+        }
+    }
+}

remote-api/src/main/java/org/alfresco/rest/api/impl/validator/actions/ActionParameterDefinitionValidator.java

@@ -27,6 +27,7 @@
 package org.alfresco.rest.api.impl.validator.actions;
 
 import java.io.Serializable;
+import java.util.List;
 import java.util.Map;
 
 import org.alfresco.rest.api.Actions;
@@ -47,6 +48,7 @@ import org.apache.commons.collections.MapUtils;
 public class ActionParameterDefinitionValidator implements ActionValidator
 {
     private static final boolean IS_ENABLED = true;
+
     static final String INVALID_PARAMETER_VALUE =
             "Action parameter: %s has invalid value (%s). Look up possible values for constraint name %s";
     static final String MISSING_PARAMETER = "Missing action's mandatory parameter: %s";
@@ -74,7 +76,8 @@ public class ActionParameterDefinitionValidator implements ActionValidator
         try
         {
             actionDefinition = actions.getActionDefinitionById(action.getActionDefinitionId());
-        } catch (NotFoundException e) {
+        } catch (NotFoundException e)
+        {
             throw new InvalidArgumentException(String.format(INVALID_ACTION_DEFINITION, action.getActionDefinitionId()));
         }
         validateParametersSize(action.getParams(), actionDefinition);
@@ -92,6 +95,27 @@ public class ActionParameterDefinitionValidator implements ActionValidator
         return IS_ENABLED;
     }
 
+    /**
+     * This validator should be applied to all actions
+     *
+     * @return list of all defined action definition ids
+     */
+    @Override
+    public List<String> getActionDefinitionIds()
+    {
+        return List.of(ALL_ACTIONS);
+    }
+
+    /**
+     * This validator should have highest priority and be executed first of all.
+     * @return minimal integer value
+     */
+    @Override
+    public int getPriority()
+    {
+        return Integer.MIN_VALUE;
+    }
+
     private void validateParametersSize(final Map<String, Serializable> params, final ActionDefinition actionDefinition)
     {
         if (CollectionUtils.isNotEmpty(actionDefinition.getParameterDefinitions()) && MapUtils.isEmpty(params))
@@ -128,6 +152,4 @@ public class ActionParameterDefinitionValidator implements ActionValidator
             throw new IllegalArgumentException(String.format(MUST_NOT_CONTAIN_PARAMETER, actionDefinition.getName(), parameterName));
         }
     }
-
-
 }

remote-api/src/main/resources/alfresco/public-rest-context.xml

@@ -593,6 +593,12 @@
     <bean id="actionParameterConstraintsValidator" class="org.alfresco.rest.api.impl.validator.actions.ActionParameterDefinitionValidator">
         <constructor-arg name="actions" ref="Actions"/>
     </bean>
+    <bean id="actionNodeParameterValidator" class="org.alfresco.rest.api.impl.validator.actions.ActionNodeParameterValidator">
+        <constructor-arg name="actions" ref="Actions"/>
+        <constructor-arg name="namespaceService" ref="NamespaceService"/>
+        <constructor-arg name="nodes" ref="Nodes"/>
+        <constructor-arg name="permissionService" ref="PermissionService"/>
+    </bean>
 
     <!--    action parameter validators end here-->
 
@@ -977,6 +983,7 @@
         <constructor-arg name="actionValidators">
             <list>
                 <ref bean="actionParameterConstraintsValidator"/>
+                <ref bean="actionNodeParameterValidator"/>
             </list>
         </constructor-arg>
     </bean>

remote-api/src/test/java/org/alfresco/rest/api/impl/validator/actions/ActionNodeParameterValidatorTest.java

@@ -0,0 +1,287 @@
+/*
+ * #%L
+ * Alfresco Remote API
+ * %%
+ * Copyright (C) 2005 - 2022 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+
+package org.alfresco.rest.api.impl.validator.actions;
+
+import static org.alfresco.rest.api.impl.validator.actions.ActionNodeParameterValidator.NO_PROPER_PERMISSIONS_FOR_NODE;
+import static org.alfresco.rest.api.impl.validator.actions.ActionNodeParameterValidator.REQUIRE_READ_PERMISSION_PARAMS;
+import static org.alfresco.service.cmr.dictionary.DataTypeDefinition.NODE_REF;
+import static org.alfresco.service.cmr.dictionary.DataTypeDefinition.TEXT;
+import static org.alfresco.service.cmr.repository.StoreRef.STORE_REF_WORKSPACE_SPACESSTORE;
+import static org.alfresco.service.namespace.NamespaceService.DEFAULT_PREFIX;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.junit.Assert.assertEquals;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.BDDMockito.then;
+
+import java.util.List;
+import java.util.Map;
+
+import org.alfresco.repo.action.executer.CheckOutActionExecuter;
+import org.alfresco.repo.action.executer.CopyActionExecuter;
+import org.alfresco.repo.action.executer.ImageTransformActionExecuter;
+import org.alfresco.repo.action.executer.ImporterActionExecuter;
+import org.alfresco.repo.action.executer.LinkCategoryActionExecuter;
+import org.alfresco.repo.action.executer.MailActionExecuter;
+import org.alfresco.repo.action.executer.MoveActionExecuter;
+import org.alfresco.repo.action.executer.ScriptActionExecuter;
+import org.alfresco.repo.action.executer.SimpleWorkflowActionExecuter;
+import org.alfresco.repo.action.executer.TransformActionExecuter;
+import org.alfresco.rest.api.Actions;
+import org.alfresco.rest.api.Nodes;
+import org.alfresco.rest.api.model.ActionDefinition;
+import org.alfresco.rest.api.model.rules.Action;
+import org.alfresco.rest.framework.core.exceptions.EntityNotFoundException;
+import org.alfresco.rest.framework.core.exceptions.PermissionDeniedException;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.PermissionService;
+import org.alfresco.service.namespace.NamespaceService;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+@RunWith(MockitoJUnitRunner.class)
+public class ActionNodeParameterValidatorTest
+{
+    private static final String NODE_REF_PARAM = REQUIRE_READ_PERMISSION_PARAMS.get(0);
+    private static final String WRITE_REQUIRED_NODE_REF_PARAM = "dummyNodeParam";
+    private static final String NODE_ID = "node-id";
+    private static final String DUMMY_ACTION = "dummy-action";
+
+    @Mock
+    private Actions actionsMock;
+    @Mock
+    private NamespaceService namespaceServiceMock;
+    @Mock
+    private Nodes nodesMock;
+    @Mock
+    private PermissionService permissionServiceMock;
+
+    @InjectMocks
+    private ActionNodeParameterValidator objectUnderTest;
+
+    @Test
+    public void testProperPermissionsForReadRights()
+    {
+        final Action action = new Action();
+        action.setActionDefinitionId(DUMMY_ACTION);
+        action.setParams(Map.of(NODE_REF_PARAM, NODE_ID));
+        ActionDefinition.ParameterDefinition parameterDef =
+                new ActionDefinition.ParameterDefinition(NODE_REF_PARAM, NODE_REF.toPrefixString(), false, true, null, null);
+        final ActionDefinition actionDefinition =
+                new ActionDefinition(DUMMY_ACTION, DUMMY_ACTION, null, null, null, false, false,
+                        List.of(parameterDef));
+        given(actionsMock.getActionDefinitionById(DUMMY_ACTION)).willReturn(actionDefinition);
+        given(namespaceServiceMock.getPrefixes(NODE_REF.getNamespaceURI())).willReturn(List.of(DEFAULT_PREFIX));
+        final NodeRef nodeRef = new NodeRef(STORE_REF_WORKSPACE_SPACESSTORE, NODE_ID);
+        given(nodesMock.validateNode(NODE_ID)).willReturn(nodeRef);
+        given(permissionServiceMock.hasReadPermission(nodeRef)).willReturn(AccessStatus.ALLOWED);
+
+        //when
+        objectUnderTest.validate(action);
+
+        then(actionsMock).should().getActionDefinitionById(DUMMY_ACTION);
+        then(actionsMock).shouldHaveNoMoreInteractions();
+        then(namespaceServiceMock).should().getPrefixes(NODE_REF.getNamespaceURI());
+        then(namespaceServiceMock).shouldHaveNoMoreInteractions();
+        then(nodesMock).should().validateNode(NODE_ID);
+        then(nodesMock).shouldHaveNoMoreInteractions();
+        then(permissionServiceMock).should().hasReadPermission(nodeRef);
+        then(permissionServiceMock).shouldHaveNoMoreInteractions();
+    }
+
+    @Test
+    public void testNotEnoughPermissionsForReadRights()
+    {
+        final Action action = new Action();
+        action.setActionDefinitionId(DUMMY_ACTION);
+        action.setParams(Map.of(NODE_REF_PARAM, NODE_ID));
+        ActionDefinition.ParameterDefinition parameterDef =
+                new ActionDefinition.ParameterDefinition(NODE_REF_PARAM, NODE_REF.toPrefixString(), false, true, null, null);
+        final ActionDefinition actionDefinition =
+                new ActionDefinition(DUMMY_ACTION, DUMMY_ACTION, null, null, null, false, false,
+                        List.of(parameterDef));
+        given(actionsMock.getActionDefinitionById(DUMMY_ACTION)).willReturn(actionDefinition);
+        given(namespaceServiceMock.getPrefixes(NODE_REF.getNamespaceURI())).willReturn(List.of(DEFAULT_PREFIX));
+        final NodeRef nodeRef = new NodeRef(STORE_REF_WORKSPACE_SPACESSTORE, NODE_ID);
+        given(nodesMock.validateNode(NODE_ID)).willReturn(nodeRef);
+        given(permissionServiceMock.hasReadPermission(nodeRef)).willReturn(AccessStatus.DENIED);
+
+        //when
+        assertThatExceptionOfType(EntityNotFoundException.class).isThrownBy(() -> objectUnderTest.validate(action));
+
+        then(actionsMock).should().getActionDefinitionById(DUMMY_ACTION);
+        then(actionsMock).shouldHaveNoMoreInteractions();
+        then(namespaceServiceMock).should().getPrefixes(NODE_REF.getNamespaceURI());
+        then(namespaceServiceMock).shouldHaveNoMoreInteractions();
+        then(nodesMock).should().validateNode(NODE_ID);
+        then(nodesMock).shouldHaveNoMoreInteractions();
+        then(permissionServiceMock).should().hasReadPermission(nodeRef);
+        then(permissionServiceMock).shouldHaveNoMoreInteractions();
+    }
+
+    @Test
+    public void testValidateForNodeNotFound()
+    {
+        final Action action = new Action();
+        action.setActionDefinitionId(DUMMY_ACTION);
+        action.setParams(Map.of(NODE_REF_PARAM, NODE_ID));
+        ActionDefinition.ParameterDefinition parameterDef =
+                new ActionDefinition.ParameterDefinition(NODE_REF_PARAM, NODE_REF.toPrefixString(), false, true, null, null);
+        final ActionDefinition actionDefinition =
+                new ActionDefinition(DUMMY_ACTION, DUMMY_ACTION, null, null, null, false, false,
+                        List.of(parameterDef));
+        given(actionsMock.getActionDefinitionById(DUMMY_ACTION)).willReturn(actionDefinition);
+        given(namespaceServiceMock.getPrefixes(NODE_REF.getNamespaceURI())).willReturn(List.of(DEFAULT_PREFIX));
+        given(nodesMock.validateNode(NODE_ID)).willThrow(EntityNotFoundException.class);
+
+        //when
+        assertThatExceptionOfType(EntityNotFoundException.class).isThrownBy(() -> objectUnderTest.validate(action));
+
+        then(actionsMock).should().getActionDefinitionById(DUMMY_ACTION);
+        then(actionsMock).shouldHaveNoMoreInteractions();
+        then(namespaceServiceMock).should().getPrefixes(NODE_REF.getNamespaceURI());
+        then(namespaceServiceMock).shouldHaveNoMoreInteractions();
+        then(nodesMock).should().validateNode(NODE_ID);
+        then(nodesMock).shouldHaveNoMoreInteractions();
+        then(permissionServiceMock).shouldHaveNoInteractions();
+    }
+
+    @Test
+    public void testProperPermissionsForWriteRights()
+    {
+        final Action action = new Action();
+        action.setActionDefinitionId(DUMMY_ACTION);
+        action.setParams(Map.of(WRITE_REQUIRED_NODE_REF_PARAM, NODE_ID));
+        ActionDefinition.ParameterDefinition parameterDef =
+                new ActionDefinition.ParameterDefinition(WRITE_REQUIRED_NODE_REF_PARAM, NODE_REF.toPrefixString(), false, true, null, null);
+        final ActionDefinition actionDefinition =
+                new ActionDefinition(DUMMY_ACTION, DUMMY_ACTION, null, null, null, false, false,
+                        List.of(parameterDef));
+        given(actionsMock.getActionDefinitionById(DUMMY_ACTION)).willReturn(actionDefinition);
+        given(namespaceServiceMock.getPrefixes(NODE_REF.getNamespaceURI())).willReturn(List.of(DEFAULT_PREFIX));
+        final NodeRef nodeRef = new NodeRef(STORE_REF_WORKSPACE_SPACESSTORE, NODE_ID);
+        given(nodesMock.validateNode(NODE_ID)).willReturn(nodeRef);
+        given(permissionServiceMock.hasReadPermission(nodeRef)).willReturn(AccessStatus.ALLOWED);
+        given(permissionServiceMock.hasPermission(nodeRef, PermissionService.WRITE)).willReturn(AccessStatus.ALLOWED);
+
+        //when
+        objectUnderTest.validate(action);
+
+        then(actionsMock).should().getActionDefinitionById(DUMMY_ACTION);
+        then(actionsMock).shouldHaveNoMoreInteractions();
+        then(namespaceServiceMock).should().getPrefixes(NODE_REF.getNamespaceURI());
+        then(namespaceServiceMock).shouldHaveNoMoreInteractions();
+        then(nodesMock).should().validateNode(NODE_ID);
+        then(nodesMock).shouldHaveNoMoreInteractions();
+        then(permissionServiceMock).should().hasReadPermission(nodeRef);
+        then(permissionServiceMock).should().hasPermission(nodeRef, PermissionService.WRITE);
+        then(permissionServiceMock).shouldHaveNoMoreInteractions();
+    }
+
+    @Test
+    public void testNotEnoughPermissionsForWriteRights()
+    {
+        final Action action = new Action();
+        action.setActionDefinitionId(DUMMY_ACTION);
+        action.setParams(Map.of(WRITE_REQUIRED_NODE_REF_PARAM, NODE_ID));
+        ActionDefinition.ParameterDefinition parameterDef =
+                new ActionDefinition.ParameterDefinition(WRITE_REQUIRED_NODE_REF_PARAM, NODE_REF.toPrefixString(), false, true, null, null);
+        final ActionDefinition actionDefinition =
+                new ActionDefinition(DUMMY_ACTION, DUMMY_ACTION, null, null, null, false, false,
+                        List.of(parameterDef));
+        given(actionsMock.getActionDefinitionById(DUMMY_ACTION)).willReturn(actionDefinition);
+        given(namespaceServiceMock.getPrefixes(NODE_REF.getNamespaceURI())).willReturn(List.of(DEFAULT_PREFIX));
+        final NodeRef nodeRef = new NodeRef(STORE_REF_WORKSPACE_SPACESSTORE, NODE_ID);
+        given(nodesMock.validateNode(NODE_ID)).willReturn(nodeRef);
+        given(permissionServiceMock.hasReadPermission(nodeRef)).willReturn(AccessStatus.ALLOWED);
+        given(permissionServiceMock.hasPermission(nodeRef, PermissionService.WRITE)).willReturn(AccessStatus.DENIED);
+
+        //when
+        assertThatExceptionOfType(PermissionDeniedException.class).isThrownBy(() -> objectUnderTest.validate(action))
+                .withMessageContaining(NO_PROPER_PERMISSIONS_FOR_NODE + NODE_ID);
+
+        then(actionsMock).should().getActionDefinitionById(DUMMY_ACTION);
+        then(actionsMock).shouldHaveNoMoreInteractions();
+        then(namespaceServiceMock).should().getPrefixes(NODE_REF.getNamespaceURI());
+        then(namespaceServiceMock).shouldHaveNoMoreInteractions();
+        then(nodesMock).should().validateNode(NODE_ID);
+        then(nodesMock).shouldHaveNoMoreInteractions();
+        then(permissionServiceMock).should().hasReadPermission(nodeRef);
+        then(permissionServiceMock).should().hasPermission(nodeRef, PermissionService.WRITE);
+        then(permissionServiceMock).shouldHaveNoMoreInteractions();
+    }
+
+    @Test
+    public void testNoValidationExecutedForNonNodeRefParam()
+    {
+        final Action action = new Action();
+        action.setActionDefinitionId(DUMMY_ACTION);
+        final String dummyParam = "dummyParam";
+        action.setParams(Map.of(dummyParam, "dummyValue"));
+        ActionDefinition.ParameterDefinition parameterDef =
+                new ActionDefinition.ParameterDefinition(dummyParam, TEXT.toPrefixString(), false, true, null, null);
+        final ActionDefinition actionDefinition =
+                new ActionDefinition(DUMMY_ACTION, DUMMY_ACTION, null, null, null, false, false,
+                        List.of(parameterDef));
+        given(actionsMock.getActionDefinitionById(DUMMY_ACTION)).willReturn(actionDefinition);
+        given(namespaceServiceMock.getPrefixes(NODE_REF.getNamespaceURI())).willReturn(List.of(DEFAULT_PREFIX));
+
+        //when
+        objectUnderTest.validate(action);
+
+        then(actionsMock).should().getActionDefinitionById(DUMMY_ACTION);
+        then(actionsMock).shouldHaveNoMoreInteractions();
+        then(namespaceServiceMock).should().getPrefixes(NODE_REF.getNamespaceURI());
+        then(namespaceServiceMock).shouldHaveNoMoreInteractions();
+        then(nodesMock).shouldHaveNoInteractions();
+        then(permissionServiceMock).shouldHaveNoInteractions();
+    }
+
+    @Test
+    public void testGetDefinitionIds()
+    {
+        final List<String> expectedIds =
+                List.of(CopyActionExecuter.NAME, MoveActionExecuter.NAME, CheckOutActionExecuter.NAME, ImporterActionExecuter.NAME,
+                        LinkCategoryActionExecuter.NAME, MailActionExecuter.NAME, ScriptActionExecuter.NAME,
+                        SimpleWorkflowActionExecuter.NAME, TransformActionExecuter.NAME, ImageTransformActionExecuter.NAME);
+        final List<String> actualIds = objectUnderTest.getActionDefinitionIds();
+
+        assertEquals(expectedIds, actualIds);
+    }
+
+    @Test
+    public void testHasProperPriority()
+    {
+        final int expectedPriority = Integer.MIN_VALUE + 1;
+        final int actualPriority = objectUnderTest.getPriority();
+
+        assertEquals(expectedPriority, actualPriority);
+    }
+}

remote-api/src/test/java/org/alfresco/rest/api/impl/validator/actions/ActionParameterDefinitionValidatorTest.java

@@ -32,6 +32,7 @@ import static org.alfresco.rest.api.impl.validator.actions.ActionParameterDefini
 import static org.alfresco.service.cmr.dictionary.DataTypeDefinition.BOOLEAN;
 import static org.alfresco.service.cmr.dictionary.DataTypeDefinition.TEXT;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.junit.Assert.assertEquals;
 import static org.mockito.BDDMockito.then;
 
 import java.util.Collections;
@@ -201,6 +202,15 @@ public class ActionParameterDefinitionValidatorTest
         then(actionsMock).shouldHaveNoMoreInteractions();
     }
 
+    @Test
+    public void testHasProperPriority()
+    {
+        final int expectedPriority = Integer.MIN_VALUE;
+        final int actualPriority = objectUnderTest.getPriority();
+
+        assertEquals(expectedPriority, actualPriority);
+    }
+
     private ActionDefinition createActionDefinition(final String actionDefinitionId,
                                                     List<ActionDefinition.ParameterDefinition> parameterDefinitions)
     {