Search in sources :

Example 41 with AccessDeniedException

use of org.alfresco.repo.security.permissions.AccessDeniedException in project alfresco-remote-api by Alfresco.

the class SurfConfigTest method testSurfConfigPermissions.

// MNT-16371
public void testSurfConfigPermissions() throws Exception {
    // Create a site as USER_ONE
    String shortName = UUID.randomUUID().toString();
    JSONObject result = createSite("myPreset", shortName, "myTitle", "myDescription", SiteVisibility.PUBLIC, 200);
    assertEquals("myPreset", result.get("sitePreset"));
    assertEquals(shortName, result.get("shortName"));
    assertEquals("myTitle", result.get("title"));
    assertEquals("myDescription", result.get("description"));
    assertEquals(SiteVisibility.PUBLIC.toString(), result.get("visibility"));
    // Make ADMRemoteStore to create the surf-config folder and the dashboard.xml file.
    sendRequest(new PostRequest(URL_ADM + "CREATE/alfresco/site-data/pages/site/" + shortName + "/dashboard.xml?s=sitestore", new JSONObject().toString(), "application/json"), 200);
    // {siteName}/cm:surf-config/
    NodeRef surfConfigFolderRef = nodeService.getChildByName(siteService.getSite(shortName).getNodeRef(), ContentModel.ASSOC_CONTAINS, "surf-config");
    assertEquals("surf-config", nodeService.getProperty(surfConfigFolderRef, ContentModel.PROP_NAME));
    String owner = (String) nodeService.getProperty(surfConfigFolderRef, ContentModel.PROP_OWNER);
    assertFalse(USER_ONE.equalsIgnoreCase(owner));
    assertEquals(AuthenticationUtil.getAdminUserName(), owner);
    assertFalse("Inherit Permissions should be off.", permissionService.getInheritParentPermissions(surfConfigFolderRef));
    Set<AccessPermission> permissions = permissionService.getAllSetPermissions(surfConfigFolderRef);
    assertEquals(1, permissions.size());
    String siteManagerGroup = siteService.getSiteRoleGroup(shortName, SiteModel.SITE_MANAGER);
    AccessPermission accessPermission = permissions.iterator().next();
    assertEquals(siteManagerGroup, accessPermission.getAuthority());
    assertEquals(SiteModel.SITE_MANAGER, accessPermission.getPermission());
    assertTrue(accessPermission.getAccessStatus() == AccessStatus.ALLOWED);
    // This is the method that finally gets called when ALF-21643 steps are followed.
    PagingResults<FileInfo> pageResults = fileFolderService.list(surfConfigFolderRef, true, true, null, null, null, new PagingRequest(CannedQueryPageDetails.DEFAULT_PAGE_SIZE));
    List<FileInfo> fileInfos = pageResults.getPage();
    assertNotNull(fileInfos);
    assertEquals(1, fileInfos.size());
    // {siteName}/cm:surf-config/pages
    assertEquals("pages", fileInfos.get(0).getName());
    // Add USER_TWO as a site collaborator
    JSONObject membership = new JSONObject();
    membership.put("role", SiteModel.SITE_COLLABORATOR);
    JSONObject person = new JSONObject();
    person.put("userName", USER_TWO);
    membership.put("person", person);
    // Post the membership
    Response response = sendRequest(new PostRequest(URL_SITES + "/" + shortName + URL_MEMBERSHIPS, membership.toString(), "application/json"), 200);
    result = new JSONObject(response.getContentAsString());
    assertEquals(SiteModel.SITE_COLLABORATOR, result.get("role"));
    assertEquals(USER_TWO, result.getJSONObject("authority").get("userName"));
    // Add USER_THREE as a site manager
    membership.put("role", SiteModel.SITE_MANAGER);
    person.put("userName", USER_THREE);
    membership.put("person", person);
    // Post the membership
    response = sendRequest(new PostRequest(URL_SITES + "/" + shortName + URL_MEMBERSHIPS, membership.toString(), "application/json"), 200);
    result = new JSONObject(response.getContentAsString());
    assertEquals(SiteModel.SITE_MANAGER, result.get("role"));
    assertEquals(USER_THREE, result.getJSONObject("authority").get("userName"));
    // USER_TWO is a site collaborator so he should not be able to access the surf-config folder
    AuthenticationUtil.setFullyAuthenticatedUser(USER_TWO);
    try {
        fileFolderService.list(surfConfigFolderRef, true, true, null, null, null, new PagingRequest(CannedQueryPageDetails.DEFAULT_PAGE_SIZE));
        fail("USER_TWO dose not have the appropriate permissions to perform this operation.");
    } catch (AccessDeniedException ex) {
    // expected
    }
    // USER_THREE is a site manager so he is able to access the surf-config folder
    AuthenticationUtil.setFullyAuthenticatedUser(USER_THREE);
    pageResults = fileFolderService.list(surfConfigFolderRef, true, true, null, null, null, new PagingRequest(CannedQueryPageDetails.DEFAULT_PAGE_SIZE));
    fileInfos = pageResults.getPage();
    assertNotNull(fileInfos);
    assertEquals(1, fileInfos.size());
    // {siteName}/cm:surf-config/pages
    assertEquals("pages", fileInfos.get(0).getName());
    // Update USER_ONE role from SiteManager to SiteContributor.
    membership.put("role", SiteModel.SITE_CONTRIBUTOR);
    person.put("userName", USER_ONE);
    membership.put("person", person);
    response = sendRequest(new PutRequest(URL_SITES + "/" + shortName + URL_MEMBERSHIPS, membership.toString(), "application/json"), 200);
    result = new JSONObject(response.getContentAsString());
    assertEquals(SiteModel.SITE_CONTRIBUTOR, result.get("role"));
    assertEquals(USER_ONE, result.getJSONObject("authority").get("userName"));
    // USER_ONE is no longer a site manager
    // USER_ONE tries to access "{siteName}/cm:surf-config" children
    AuthenticationUtil.setFullyAuthenticatedUser(USER_ONE);
    try {
        fileFolderService.list(surfConfigFolderRef, true, true, null, null, null, new PagingRequest(CannedQueryPageDetails.DEFAULT_PAGE_SIZE));
        fail("USER_ONE is not the owner and he is no longer a site manager, so does not have the appropriate permissions to perform this operation");
    } catch (AccessDeniedException ex) {
    // expected
    }
    // USER_ONE tries to access "{siteName}/cm:surf-config/pages" children
    try {
        fileFolderService.list(fileInfos.get(0).getNodeRef(), true, true, null, null, null, new PagingRequest(CannedQueryPageDetails.DEFAULT_PAGE_SIZE));
        fail("USER_ONE is not the owner and he is no longer a site manager, so does not have the appropriate permissions to perform this operation");
    } catch (AccessDeniedException ex) {
    // expected
    }
}
Also used : AccessDeniedException(org.alfresco.repo.security.permissions.AccessDeniedException) AccessPermission(org.alfresco.service.cmr.security.AccessPermission) PutRequest(org.springframework.extensions.webscripts.TestWebScriptServer.PutRequest) PagingRequest(org.alfresco.query.PagingRequest) Response(org.springframework.extensions.webscripts.TestWebScriptServer.Response) NodeRef(org.alfresco.service.cmr.repository.NodeRef) PostRequest(org.springframework.extensions.webscripts.TestWebScriptServer.PostRequest) JSONObject(org.json.JSONObject) FileInfo(org.alfresco.service.cmr.model.FileInfo)

Example 42 with AccessDeniedException

use of org.alfresco.repo.security.permissions.AccessDeniedException in project records-management by Alfresco.

the class HoldServiceImpl method deleteHold.

/**
 * @see org.alfresco.module.org_alfresco_module_rm.hold.HoldService#deleteHold(org.alfresco.service.cmr.repository.NodeRef)
 */
@Override
public void deleteHold(final NodeRef hold) {
    ParameterCheck.mandatory("hold", hold);
    if (!isHold(hold)) {
        throw new AlfrescoRuntimeException("Can't delete hold, becuase passed node is not a hold. (hold=" + hold.toString() + ")");
    }
    List<NodeRef> held = AuthenticationUtil.runAsSystem(new RunAsWork<List<NodeRef>>() {

        @Override
        public List<NodeRef> doWork() {
            return getHeld(hold);
        }
    });
    List<String> heldNames = new ArrayList<String>();
    for (NodeRef nodeRef : held) {
        try {
            if (permissionService.hasPermission(nodeRef, RMPermissionModel.FILING) == AccessStatus.DENIED) {
                heldNames.add((String) nodeService.getProperty(nodeRef, ContentModel.PROP_NAME));
            }
        } catch (AccessDeniedException ade) {
            throw new AlfrescoRuntimeException("Can't delete hold, because you don't have filling permissions on all the items held within the hold.", ade);
        }
    }
    if (heldNames.size() > 0) {
        StringBuilder sb = new StringBuilder();
        for (String name : heldNames) {
            sb.append("\n ");
            sb.append("'");
            sb.append(name);
            sb.append("'");
        }
        throw new AlfrescoRuntimeException("Can't delete hold, because filing permissions for the following items are needed: " + sb.toString());
    }
    // delete the hold node
    nodeService.deleteNode(hold);
}
Also used : NodeRef(org.alfresco.service.cmr.repository.NodeRef) AccessDeniedException(org.alfresco.repo.security.permissions.AccessDeniedException) ArrayList(java.util.ArrayList) AlfrescoRuntimeException(org.alfresco.error.AlfrescoRuntimeException) ArrayList(java.util.ArrayList) List(java.util.List)

Example 43 with AccessDeniedException

use of org.alfresco.repo.security.permissions.AccessDeniedException in project records-management by Alfresco.

the class TransferEvaluator method evaluateImpl.

/**
 * @see org.alfresco.module.org_alfresco_module_rm.jscript.app.BaseEvaluator#evaluateImpl(org.alfresco.service.cmr.repository.NodeRef)
 */
@Override
protected boolean evaluateImpl(NodeRef nodeRef) {
    boolean result = false;
    NodeRef transfer = getTransferNodeRef(nodeRef);
    if (transfer != null) {
        try {
            boolean actual = ((Boolean) nodeService.getProperty(transfer, RecordsManagementModel.PROP_TRANSFER_ACCESSION_INDICATOR)).booleanValue();
            result = (actual == transferAccessionIndicator);
        } catch (AccessDeniedException ade) {
            logger.info("The user '" + AuthenticationUtil.getFullyAuthenticatedUser() + "' does not have permissions on the node '" + transfer + "'.");
        }
    }
    return result;
}
Also used : NodeRef(org.alfresco.service.cmr.repository.NodeRef) AccessDeniedException(org.alfresco.repo.security.permissions.AccessDeniedException)

Example 44 with AccessDeniedException

use of org.alfresco.repo.security.permissions.AccessDeniedException in project records-management by Alfresco.

the class FrozenAspect method checkChildren.

/**
 * Checks the children for frozen nodes. Throws security error if any are
 * found.
 *
 * @param assocs
 */
private void checkChildren(List<ChildAssociationRef> assocs) {
    for (ChildAssociationRef assoc : assocs) {
        // we only care about primary children
        if (assoc.isPrimary()) {
            NodeRef nodeRef = assoc.getChildRef();
            if (freezeService.isFrozen(nodeRef)) {
                // never allowed to delete a node with a frozen child
                throw new AccessDeniedException("Can not delete node, because it contains a frozen child node.");
            }
            // check children
            checkChildren(nodeService.getChildAssocs(nodeRef));
        }
    }
}
Also used : NodeRef(org.alfresco.service.cmr.repository.NodeRef) AccessDeniedException(org.alfresco.repo.security.permissions.AccessDeniedException) ChildAssociationRef(org.alfresco.service.cmr.repository.ChildAssociationRef)

Example 45 with AccessDeniedException

use of org.alfresco.repo.security.permissions.AccessDeniedException in project records-management by Alfresco.

the class CreateRecordTest method testCreateRecordViaCoreServices.

/**
 * Given I have ViewRecord and CreateRecord capabilities
 * And I have filling on a record folder
 * When I create content via ScriptNode (simulated)
 * Then the record is successfully created
 *
 * @see https://issues.alfresco.com/jira/browse/RM-1956
 */
public void testCreateRecordViaCoreServices() throws Exception {
    doBehaviourDrivenTest(new BehaviourDrivenTest() {

        /**
         * test data
         */
        String roleName = GUID.generate();

        String user = GUID.generate();

        NodeRef recordFolder;

        NodeRef record;

        public void given() {
            // create a role with view and create capabilities
            Set<Capability> capabilities = new HashSet<Capability>(2);
            capabilities.add(capabilityService.getCapability("ViewRecords"));
            capabilities.add(capabilityService.getCapability("CreateRecords"));
            filePlanRoleService.createRole(filePlan, roleName, roleName, capabilities);
            // create user and assign to role
            createPerson(user, true);
            filePlanRoleService.assignRoleToAuthority(filePlan, roleName, user);
            // create file plan structure
            NodeRef rc = filePlanService.createRecordCategory(filePlan, GUID.generate());
            recordFolder = recordFolderService.createRecordFolder(rc, GUID.generate());
        }

        public void when() {
            // give read and file permissions to user
            filePlanPermissionService.setPermission(recordFolder, user, RMPermissionModel.FILING);
            record = AuthenticationUtil.runAs(new RunAsWork<NodeRef>() {

                public NodeRef doWork() throws Exception {
                    NodeRef record = fileFolderService.create(recordFolder, "testRecord.txt", ContentModel.TYPE_CONTENT).getNodeRef();
                    ContentData content = (ContentData) nodeService.getProperty(record, PROP_CONTENT);
                    nodeService.setProperty(record, PROP_CONTENT, ContentData.setMimetype(content, MimetypeMap.MIMETYPE_TEXT_PLAIN));
                    return record;
                }
            }, user);
        }

        public void then() {
            // check the details of the record
            assertTrue(recordService.isRecord(record));
            AuthenticationUtil.runAs(new RunAsWork<Void>() {

                public Void doWork() throws Exception {
                    // we are expecting an expception here
                    try {
                        ContentData content = (ContentData) nodeService.getProperty(record, PROP_CONTENT);
                        nodeService.setProperty(record, PROP_CONTENT, ContentData.setMimetype(content, MimetypeMap.MIMETYPE_TEXT_PLAIN));
                        fail("Expecting access denied exception");
                    } catch (AccessDeniedException exception) {
                    // expceted
                    }
                    return null;
                }
            }, user);
        }
    });
}
Also used : NodeRef(org.alfresco.service.cmr.repository.NodeRef) AccessDeniedException(org.alfresco.repo.security.permissions.AccessDeniedException) Set(java.util.Set) HashSet(java.util.HashSet) ContentData(org.alfresco.service.cmr.repository.ContentData) Capability(org.alfresco.module.org_alfresco_module_rm.capability.Capability) RunAsWork(org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork) AccessDeniedException(org.alfresco.repo.security.permissions.AccessDeniedException)

Aggregations

AccessDeniedException (org.alfresco.repo.security.permissions.AccessDeniedException)46 NodeRef (org.alfresco.service.cmr.repository.NodeRef)30 HashMap (java.util.HashMap)17 IOException (java.io.IOException)8 AlfrescoRuntimeException (org.alfresco.error.AlfrescoRuntimeException)8 InvalidNodeRefException (org.alfresco.service.cmr.repository.InvalidNodeRefException)8 ArrayList (java.util.ArrayList)7 WebScriptException (org.springframework.extensions.webscripts.WebScriptException)7 FacesContext (javax.faces.context.FacesContext)6 FileNotFoundException (org.alfresco.service.cmr.model.FileNotFoundException)6 JSONObject (org.json.simple.JSONObject)6 Serializable (java.io.Serializable)5 EntityNotFoundException (org.alfresco.rest.framework.core.exceptions.EntityNotFoundException)5 FileExistsException (org.alfresco.service.cmr.model.FileExistsException)5 SocketException (java.net.SocketException)4 Map (java.util.Map)4 FileInfo (org.alfresco.service.cmr.model.FileInfo)4 ContentIOException (org.alfresco.service.cmr.repository.ContentIOException)4 QName (org.alfresco.service.namespace.QName)4 ResourceBundle (java.util.ResourceBundle)3