mirror of
				https://github.com/Alfresco/alfresco-community-repo.git
				synced 2025-10-22 15:12:38 +00:00 
			
		
		
		
	41591: MT: ALF-12732 - fix move between two sites (via Share -> ScriptSiteService) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@41595 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
		
			
				
	
	
		
			154 lines
		
	
	
		
			6.6 KiB
		
	
	
	
		
			Java
		
	
	
	
	
	
			
		
		
	
	
			154 lines
		
	
	
		
			6.6 KiB
		
	
	
	
		
			Java
		
	
	
	
	
	
| /*
 | |
|  * Copyright (C) 2005-2012 Alfresco Software Limited.
 | |
|  *
 | |
|  * This file is part of Alfresco
 | |
|  *
 | |
|  * Alfresco is free software: you can redistribute it and/or modify
 | |
|  * it under the terms of the GNU Lesser General Public License as published by
 | |
|  * the Free Software Foundation, either version 3 of the License, or
 | |
|  * (at your option) any later version.
 | |
|  *
 | |
|  * Alfresco is distributed in the hope that it will be useful,
 | |
|  * but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
|  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
|  * GNU Lesser General Public License for more details.
 | |
|  *
 | |
|  * You should have received a copy of the GNU Lesser General Public License
 | |
|  * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
 | |
|  */
 | |
| package org.alfresco.repo.site;
 | |
| 
 | |
| import java.util.List;
 | |
| 
 | |
| import org.alfresco.repo.domain.node.NodeDAO;
 | |
| import org.alfresco.repo.domain.node.NodeIdAndAclId;
 | |
| import org.alfresco.repo.domain.permissions.Acl;
 | |
| import org.alfresco.repo.domain.permissions.AclDAO;
 | |
| import org.alfresco.repo.security.permissions.ACLType;
 | |
| import org.alfresco.repo.security.permissions.AccessControlEntry;
 | |
| import org.alfresco.repo.security.permissions.AccessControlList;
 | |
| import org.alfresco.repo.tenant.TenantService;
 | |
| import org.alfresco.service.cmr.repository.NodeRef;
 | |
| import org.alfresco.service.cmr.repository.NodeService;
 | |
| import org.alfresco.service.cmr.security.AccessStatus;
 | |
| import org.alfresco.service.cmr.security.PermissionService;
 | |
| import org.alfresco.service.cmr.security.PublicServiceAccessService;
 | |
| import org.alfresco.service.cmr.site.SiteInfo;
 | |
| 
 | |
| /**
 | |
|  * This class handles the permissions cleanup which is sometimes necessary after a node has been moved
 | |
|  * or copied between sites. It removes any permissions that pertain to the former site that may be present
 | |
|  * on the relocated node.
 | |
|  * 
 | |
|  * @author Neil Mc Erlean
 | |
|  * @since 3.5.0
 | |
|  */
 | |
| public class SitesPermissionCleaner
 | |
| {
 | |
|     private NodeService nodeService;
 | |
|     private PermissionService permissionService;
 | |
|     private PublicServiceAccessService publicServiceAccessService;
 | |
|     private SiteServiceImpl siteServiceImpl;
 | |
|     
 | |
|     private AclDAO aclDAO;
 | |
|     private NodeDAO nodeDAO;
 | |
|     private TenantService tenantService;
 | |
|     
 | |
|     public void setNodeService(NodeService nodeService)
 | |
|     {
 | |
|         this.nodeService = nodeService;
 | |
|     }
 | |
|     
 | |
|     public void setPermissionService(PermissionService permissionService)
 | |
|     {
 | |
|         this.permissionService = permissionService;
 | |
|     }
 | |
|     
 | |
|     public void setSiteServiceImpl(SiteServiceImpl siteServiceImpl)
 | |
|     {
 | |
|         this.siteServiceImpl = siteServiceImpl;
 | |
|     }
 | |
|     
 | |
|     public void setPublicServiceAccessService(PublicServiceAccessService publicServiceAccessService)
 | |
|     {
 | |
|         this.publicServiceAccessService = publicServiceAccessService;
 | |
|     }
 | |
|     
 | |
|     public void setAclDAO(AclDAO aclDAO)
 | |
|     {
 | |
|         this.aclDAO = aclDAO;
 | |
|     }
 | |
|     
 | |
|     public void setNodeDAO(NodeDAO nodeDAO)
 | |
|     {
 | |
|         this.nodeDAO = nodeDAO;
 | |
|     }
 | |
|     
 | |
|     public void setTenantService(TenantService tenantService)
 | |
|     {
 | |
|         this.tenantService = tenantService;
 | |
|     }
 | |
|     
 | |
|     
 | |
|     public void cleanSitePermissions(final NodeRef targetNode, SiteInfo containingSite)
 | |
|     {
 | |
|         if (nodeService.exists(targetNode))
 | |
|         {
 | |
|             // We can calculate the containing site at the start of a recursive call & then reuse it on subsequent calls.
 | |
|             if (containingSite == null)
 | |
|             {
 | |
|                 containingSite = siteServiceImpl.getSite(targetNode);
 | |
|             }
 | |
| 
 | |
|             // Short-circuit at this point if the node is not in a Site.
 | |
|             if (containingSite != null)
 | |
|             {
 | |
|                 // For performance reasons we navigate down the containment hierarchy using the DAOs
 | |
|                 // rather than the NodeService. Note: direct use of NodeDAO requires tenantService (ALF-12732).
 | |
|                 final Long targetNodeID = nodeDAO.getNodePair(tenantService.getName(targetNode)).getFirst();
 | |
|                 final Long targetNodeAclID = nodeDAO.getNodeAclId(targetNodeID);
 | |
|                 Acl targetNodeAcl = aclDAO.getAcl(targetNodeAclID);
 | |
|                 
 | |
|                 // Nodes that don't have defining ACLs do not need to be considered.
 | |
|                 if (targetNodeAcl.getAclType() == ACLType.DEFINING)
 | |
|                 {
 | |
|                     AccessControlList targetNodeAccessControlList = aclDAO.getAccessControlList(targetNodeAclID);
 | |
|                     List<AccessControlEntry> targetNodeAclEntries = targetNodeAccessControlList.getEntries();
 | |
|                     for (AccessControlEntry entry : targetNodeAclEntries)
 | |
|                     {
 | |
|                         String authority = entry.getAuthority();
 | |
|                         
 | |
|                         String thisSiteGroupPrefix = siteServiceImpl.getSiteGroup(containingSite.getShortName(), true);
 | |
|                         
 | |
|                         // If it's a group site permission for a site other than the current site
 | |
|                         if (authority.startsWith(PermissionService.GROUP_PREFIX) &&
 | |
|                                 !authority.startsWith(PermissionService.ALL_AUTHORITIES) && // And it's not GROUP_EVERYONE
 | |
|                                 !authority.startsWith(thisSiteGroupPrefix))
 | |
|                         {
 | |
|                             // And if the current user has permissions to do it
 | |
|                             if (publicServiceAccessService.hasAccess("PermissionService", "clearPermission", targetNode, authority) == AccessStatus.ALLOWED)
 | |
|                             {
 | |
|                                 // Then remove it.
 | |
|                                 permissionService.clearPermission(targetNode, authority);
 | |
|                             }
 | |
|                             if (publicServiceAccessService.hasAccess("PermissionService", "setInheritParentPermissions", targetNode, true) == AccessStatus.ALLOWED)
 | |
|                             {
 | |
|                                 // And reenable permission inheritance.
 | |
|                                 permissionService.setInheritParentPermissions(targetNode, true);
 | |
|                             }
 | |
|                         }
 | |
|                         
 | |
|                     }
 | |
|                 }
 | |
|                 
 | |
|                 // Recurse
 | |
|                 List<NodeIdAndAclId> childNodeIds = nodeDAO.getPrimaryChildrenAcls(targetNodeID);
 | |
|                 for (NodeIdAndAclId nextChild : childNodeIds)
 | |
|                 {
 | |
|                     cleanSitePermissions(nodeDAO.getNodePair(nextChild.getId()).getSecond(), containingSite);
 | |
|                 }
 | |
|             }
 | |
|         }
 | |
|     }
 | |
| }
 |