use of org.alfresco.repo.security.permissions.AccessDeniedException in project alfresco-remote-api by Alfresco.
the class SurfConfigTest method testSurfConfigPermissions.
// MNT-16371
public void testSurfConfigPermissions() throws Exception {
// Create a site as USER_ONE
String shortName = UUID.randomUUID().toString();
JSONObject result = createSite("myPreset", shortName, "myTitle", "myDescription", SiteVisibility.PUBLIC, 200);
assertEquals("myPreset", result.get("sitePreset"));
assertEquals(shortName, result.get("shortName"));
assertEquals("myTitle", result.get("title"));
assertEquals("myDescription", result.get("description"));
assertEquals(SiteVisibility.PUBLIC.toString(), result.get("visibility"));
// Make ADMRemoteStore to create the surf-config folder and the dashboard.xml file.
sendRequest(new PostRequest(URL_ADM + "CREATE/alfresco/site-data/pages/site/" + shortName + "/dashboard.xml?s=sitestore", new JSONObject().toString(), "application/json"), 200);
// {siteName}/cm:surf-config/
NodeRef surfConfigFolderRef = nodeService.getChildByName(siteService.getSite(shortName).getNodeRef(), ContentModel.ASSOC_CONTAINS, "surf-config");
assertEquals("surf-config", nodeService.getProperty(surfConfigFolderRef, ContentModel.PROP_NAME));
String owner = (String) nodeService.getProperty(surfConfigFolderRef, ContentModel.PROP_OWNER);
assertFalse(USER_ONE.equalsIgnoreCase(owner));
assertEquals(AuthenticationUtil.getAdminUserName(), owner);
assertFalse("Inherit Permissions should be off.", permissionService.getInheritParentPermissions(surfConfigFolderRef));
Set<AccessPermission> permissions = permissionService.getAllSetPermissions(surfConfigFolderRef);
assertEquals(1, permissions.size());
String siteManagerGroup = siteService.getSiteRoleGroup(shortName, SiteModel.SITE_MANAGER);
AccessPermission accessPermission = permissions.iterator().next();
assertEquals(siteManagerGroup, accessPermission.getAuthority());
assertEquals(SiteModel.SITE_MANAGER, accessPermission.getPermission());
assertTrue(accessPermission.getAccessStatus() == AccessStatus.ALLOWED);
// This is the method that finally gets called when ALF-21643 steps are followed.
PagingResults<FileInfo> pageResults = fileFolderService.list(surfConfigFolderRef, true, true, null, null, null, new PagingRequest(CannedQueryPageDetails.DEFAULT_PAGE_SIZE));
List<FileInfo> fileInfos = pageResults.getPage();
assertNotNull(fileInfos);
assertEquals(1, fileInfos.size());
// {siteName}/cm:surf-config/pages
assertEquals("pages", fileInfos.get(0).getName());
// Add USER_TWO as a site collaborator
JSONObject membership = new JSONObject();
membership.put("role", SiteModel.SITE_COLLABORATOR);
JSONObject person = new JSONObject();
person.put("userName", USER_TWO);
membership.put("person", person);
// Post the membership
Response response = sendRequest(new PostRequest(URL_SITES + "/" + shortName + URL_MEMBERSHIPS, membership.toString(), "application/json"), 200);
result = new JSONObject(response.getContentAsString());
assertEquals(SiteModel.SITE_COLLABORATOR, result.get("role"));
assertEquals(USER_TWO, result.getJSONObject("authority").get("userName"));
// Add USER_THREE as a site manager
membership.put("role", SiteModel.SITE_MANAGER);
person.put("userName", USER_THREE);
membership.put("person", person);
// Post the membership
response = sendRequest(new PostRequest(URL_SITES + "/" + shortName + URL_MEMBERSHIPS, membership.toString(), "application/json"), 200);
result = new JSONObject(response.getContentAsString());
assertEquals(SiteModel.SITE_MANAGER, result.get("role"));
assertEquals(USER_THREE, result.getJSONObject("authority").get("userName"));
// USER_TWO is a site collaborator so he should not be able to access the surf-config folder
AuthenticationUtil.setFullyAuthenticatedUser(USER_TWO);
try {
fileFolderService.list(surfConfigFolderRef, true, true, null, null, null, new PagingRequest(CannedQueryPageDetails.DEFAULT_PAGE_SIZE));
fail("USER_TWO dose not have the appropriate permissions to perform this operation.");
} catch (AccessDeniedException ex) {
// expected
}
// USER_THREE is a site manager so he is able to access the surf-config folder
AuthenticationUtil.setFullyAuthenticatedUser(USER_THREE);
pageResults = fileFolderService.list(surfConfigFolderRef, true, true, null, null, null, new PagingRequest(CannedQueryPageDetails.DEFAULT_PAGE_SIZE));
fileInfos = pageResults.getPage();
assertNotNull(fileInfos);
assertEquals(1, fileInfos.size());
// {siteName}/cm:surf-config/pages
assertEquals("pages", fileInfos.get(0).getName());
// Update USER_ONE role from SiteManager to SiteContributor.
membership.put("role", SiteModel.SITE_CONTRIBUTOR);
person.put("userName", USER_ONE);
membership.put("person", person);
response = sendRequest(new PutRequest(URL_SITES + "/" + shortName + URL_MEMBERSHIPS, membership.toString(), "application/json"), 200);
result = new JSONObject(response.getContentAsString());
assertEquals(SiteModel.SITE_CONTRIBUTOR, result.get("role"));
assertEquals(USER_ONE, result.getJSONObject("authority").get("userName"));
// USER_ONE is no longer a site manager
// USER_ONE tries to access "{siteName}/cm:surf-config" children
AuthenticationUtil.setFullyAuthenticatedUser(USER_ONE);
try {
fileFolderService.list(surfConfigFolderRef, true, true, null, null, null, new PagingRequest(CannedQueryPageDetails.DEFAULT_PAGE_SIZE));
fail("USER_ONE is not the owner and he is no longer a site manager, so does not have the appropriate permissions to perform this operation");
} catch (AccessDeniedException ex) {
// expected
}
// USER_ONE tries to access "{siteName}/cm:surf-config/pages" children
try {
fileFolderService.list(fileInfos.get(0).getNodeRef(), true, true, null, null, null, new PagingRequest(CannedQueryPageDetails.DEFAULT_PAGE_SIZE));
fail("USER_ONE is not the owner and he is no longer a site manager, so does not have the appropriate permissions to perform this operation");
} catch (AccessDeniedException ex) {
// expected
}
}
use of org.alfresco.repo.security.permissions.AccessDeniedException in project records-management by Alfresco.
the class HoldServiceImpl method deleteHold.
/**
* @see org.alfresco.module.org_alfresco_module_rm.hold.HoldService#deleteHold(org.alfresco.service.cmr.repository.NodeRef)
*/
@Override
public void deleteHold(final NodeRef hold) {
ParameterCheck.mandatory("hold", hold);
if (!isHold(hold)) {
throw new AlfrescoRuntimeException("Can't delete hold, becuase passed node is not a hold. (hold=" + hold.toString() + ")");
}
List<NodeRef> held = AuthenticationUtil.runAsSystem(new RunAsWork<List<NodeRef>>() {
@Override
public List<NodeRef> doWork() {
return getHeld(hold);
}
});
List<String> heldNames = new ArrayList<String>();
for (NodeRef nodeRef : held) {
try {
if (permissionService.hasPermission(nodeRef, RMPermissionModel.FILING) == AccessStatus.DENIED) {
heldNames.add((String) nodeService.getProperty(nodeRef, ContentModel.PROP_NAME));
}
} catch (AccessDeniedException ade) {
throw new AlfrescoRuntimeException("Can't delete hold, because you don't have filling permissions on all the items held within the hold.", ade);
}
}
if (heldNames.size() > 0) {
StringBuilder sb = new StringBuilder();
for (String name : heldNames) {
sb.append("\n ");
sb.append("'");
sb.append(name);
sb.append("'");
}
throw new AlfrescoRuntimeException("Can't delete hold, because filing permissions for the following items are needed: " + sb.toString());
}
// delete the hold node
nodeService.deleteNode(hold);
}
use of org.alfresco.repo.security.permissions.AccessDeniedException in project records-management by Alfresco.
the class TransferEvaluator method evaluateImpl.
/**
* @see org.alfresco.module.org_alfresco_module_rm.jscript.app.BaseEvaluator#evaluateImpl(org.alfresco.service.cmr.repository.NodeRef)
*/
@Override
protected boolean evaluateImpl(NodeRef nodeRef) {
boolean result = false;
NodeRef transfer = getTransferNodeRef(nodeRef);
if (transfer != null) {
try {
boolean actual = ((Boolean) nodeService.getProperty(transfer, RecordsManagementModel.PROP_TRANSFER_ACCESSION_INDICATOR)).booleanValue();
result = (actual == transferAccessionIndicator);
} catch (AccessDeniedException ade) {
logger.info("The user '" + AuthenticationUtil.getFullyAuthenticatedUser() + "' does not have permissions on the node '" + transfer + "'.");
}
}
return result;
}
use of org.alfresco.repo.security.permissions.AccessDeniedException in project records-management by Alfresco.
the class FrozenAspect method checkChildren.
/**
* Checks the children for frozen nodes. Throws security error if any are
* found.
*
* @param assocs
*/
private void checkChildren(List<ChildAssociationRef> assocs) {
for (ChildAssociationRef assoc : assocs) {
// we only care about primary children
if (assoc.isPrimary()) {
NodeRef nodeRef = assoc.getChildRef();
if (freezeService.isFrozen(nodeRef)) {
// never allowed to delete a node with a frozen child
throw new AccessDeniedException("Can not delete node, because it contains a frozen child node.");
}
// check children
checkChildren(nodeService.getChildAssocs(nodeRef));
}
}
}
use of org.alfresco.repo.security.permissions.AccessDeniedException in project records-management by Alfresco.
the class CreateRecordTest method testCreateRecordViaCoreServices.
/**
* Given I have ViewRecord and CreateRecord capabilities
* And I have filling on a record folder
* When I create content via ScriptNode (simulated)
* Then the record is successfully created
*
* @see https://issues.alfresco.com/jira/browse/RM-1956
*/
public void testCreateRecordViaCoreServices() throws Exception {
doBehaviourDrivenTest(new BehaviourDrivenTest() {
/**
* test data
*/
String roleName = GUID.generate();
String user = GUID.generate();
NodeRef recordFolder;
NodeRef record;
public void given() {
// create a role with view and create capabilities
Set<Capability> capabilities = new HashSet<Capability>(2);
capabilities.add(capabilityService.getCapability("ViewRecords"));
capabilities.add(capabilityService.getCapability("CreateRecords"));
filePlanRoleService.createRole(filePlan, roleName, roleName, capabilities);
// create user and assign to role
createPerson(user, true);
filePlanRoleService.assignRoleToAuthority(filePlan, roleName, user);
// create file plan structure
NodeRef rc = filePlanService.createRecordCategory(filePlan, GUID.generate());
recordFolder = recordFolderService.createRecordFolder(rc, GUID.generate());
}
public void when() {
// give read and file permissions to user
filePlanPermissionService.setPermission(recordFolder, user, RMPermissionModel.FILING);
record = AuthenticationUtil.runAs(new RunAsWork<NodeRef>() {
public NodeRef doWork() throws Exception {
NodeRef record = fileFolderService.create(recordFolder, "testRecord.txt", ContentModel.TYPE_CONTENT).getNodeRef();
ContentData content = (ContentData) nodeService.getProperty(record, PROP_CONTENT);
nodeService.setProperty(record, PROP_CONTENT, ContentData.setMimetype(content, MimetypeMap.MIMETYPE_TEXT_PLAIN));
return record;
}
}, user);
}
public void then() {
// check the details of the record
assertTrue(recordService.isRecord(record));
AuthenticationUtil.runAs(new RunAsWork<Void>() {
public Void doWork() throws Exception {
// we are expecting an expception here
try {
ContentData content = (ContentData) nodeService.getProperty(record, PROP_CONTENT);
nodeService.setProperty(record, PROP_CONTENT, ContentData.setMimetype(content, MimetypeMap.MIMETYPE_TEXT_PLAIN));
fail("Expecting access denied exception");
} catch (AccessDeniedException exception) {
// expceted
}
return null;
}
}, user);
}
});
}
Aggregations