Examples with PermissionDeniedException org.alfresco.rest.framework.core.exceptions.PermissionDeniedException used on opensource projects

Example 16 with PermissionDeniedException

use of org.alfresco.rest.framework.core.exceptions.PermissionDeniedException in project alfresco-remote-api by Alfresco.

the class NodesImpl method unlock.

@Override
public Node unlock(String nodeId, Parameters parameters) {
    NodeRef nodeRef = validateOrLookupNode(nodeId, null);
    if (isSpecialNode(nodeRef, getNodeType(nodeRef))) {
        throw new PermissionDeniedException("Current user doesn't have permission to unlock node " + nodeId);
    }
    if (!lockService.isLocked(nodeRef)) {
        throw new IntegrityException("Can't unlock node " + nodeId + " because it isn't locked", null);
    }
    lockService.unlock(nodeRef);
    return getFolderOrDocument(nodeId, parameters);
}

Example 17 with PermissionDeniedException

use of org.alfresco.rest.framework.core.exceptions.PermissionDeniedException in project alfresco-remote-api by Alfresco.

the class NodesImpl method makeFolders.

private NodeRef makeFolders(NodeRef parentNodeRef, List<String> pathElements) {
    NodeRef currentParentRef = parentNodeRef;
    // just loop and create if necessary
    for (final String element : pathElements) {
        final NodeRef contextNodeRef = currentParentRef;
        // does it exist?
        // Navigation should not check permissions
        NodeRef nodeRef = AuthenticationUtil.runAs(new RunAsWork<NodeRef>() {

            @Override
            public NodeRef doWork() throws Exception {
                return nodeService.getChildByName(contextNodeRef, ContentModel.ASSOC_CONTAINS, element);
            }
        }, AuthenticationUtil.getSystemUserName());
        if (nodeRef == null) {
            try {
                // Checks for create permissions as the fileFolderService is a public service.
                FileInfo createdFileInfo = fileFolderService.create(currentParentRef, element, ContentModel.TYPE_FOLDER);
                currentParentRef = createdFileInfo.getNodeRef();
            } catch (AccessDeniedException ade) {
                throw new PermissionDeniedException(ade.getMessage());
            } catch (FileExistsException fex) {
                // Assume concurrency failure, so retry
                throw new ConcurrencyFailureException(fex.getMessage());
            }
        } else if (!isSubClass(nodeRef, ContentModel.TYPE_FOLDER, false)) {
            String parentName = (String) nodeService.getProperty(contextNodeRef, ContentModel.PROP_NAME);
            throw new ConstraintViolatedException("Name [" + element + "] already exists in the target parent: " + parentName);
        } else {
            // it exists
            currentParentRef = nodeRef;
        }
    }
    return currentParentRef;
}

Example 18 with PermissionDeniedException

use of org.alfresco.rest.framework.core.exceptions.PermissionDeniedException in project alfresco-remote-api by Alfresco.

the class NodesImpl method updateNodeImpl.

protected NodeRef updateNodeImpl(String nodeId, Node nodeInfo, Parameters parameters) {
    final NodeRef nodeRef = validateOrLookupNode(nodeId, null);
    QName nodeTypeQName = getNodeType(nodeRef);
    validateCmObject(nodeTypeQName);
    Map<QName, Serializable> props = new HashMap<>(0);
    if (nodeInfo.getProperties() != null) {
        props = mapToNodeProperties(nodeInfo.getProperties());
    }
    String name = nodeInfo.getName();
    if ((name != null) && (!name.isEmpty())) {
        // update node name if needed - note: if the name is different than existing then this is equivalent of a rename (within parent folder)
        props.put(ContentModel.PROP_NAME, name);
    }
    NodePermissions nodePerms = nodeInfo.getPermissions();
    if (nodePerms != null) {
        // Cannot set inherited permissions, only direct (locally set) permissions can be set
        if ((nodePerms.getInherited() != null) && (nodePerms.getInherited().size() > 0)) {
            throw new InvalidArgumentException("Cannot set *inherited* permissions on this node");
        }
        // Check inherit from parent value and if it's changed set the new value
        if (nodePerms.getIsInheritanceEnabled() != null) {
            if (nodePerms.getIsInheritanceEnabled() != permissionService.getInheritParentPermissions(nodeRef)) {
                permissionService.setInheritParentPermissions(nodeRef, nodePerms.getIsInheritanceEnabled());
            }
        }
        // set direct permissions
        if ((nodePerms.getLocallySet() != null)) {
            // list of all directly set permissions
            Set<AccessPermission> directPerms = new HashSet<>(5);
            for (AccessPermission accessPerm : permissionService.getAllSetPermissions(nodeRef)) {
                if (accessPerm.isSetDirectly()) {
                    directPerms.add(accessPerm);
                }
            }
            // check if same permission is sent more than once
            if (hasDuplicatePermissions(nodePerms.getLocallySet())) {
                throw new InvalidArgumentException("Duplicate node permissions, there is more than one permission with the same authority and name!");
            }
            for (NodePermissions.NodePermission nodePerm : nodePerms.getLocallySet()) {
                String permName = nodePerm.getName();
                String authorityId = nodePerm.getAuthorityId();
                AccessStatus accessStatus = AccessStatus.ALLOWED;
                if (nodePerm.getAccessStatus() != null) {
                    accessStatus = AccessStatus.valueOf(nodePerm.getAccessStatus());
                }
                if (authorityId == null || authorityId.isEmpty()) {
                    throw new InvalidArgumentException("Authority Id is expected.");
                }
                if (permName == null || permName.isEmpty()) {
                    throw new InvalidArgumentException("Permission name is expected.");
                }
                if (((!authorityId.equals(PermissionService.ALL_AUTHORITIES) && (!authorityService.authorityExists(authorityId))))) {
                    throw new InvalidArgumentException("Cannot set permissions on this node - unknown authority: " + authorityId);
                }
                AccessPermission existing = null;
                boolean addPerm = true;
                boolean updatePerm = false;
                // If the permission already exists but with different access status it will be updated
                for (AccessPermission accessPerm : directPerms) {
                    if (accessPerm.getAuthority().equals(authorityId) && accessPerm.getPermission().equals(permName)) {
                        existing = accessPerm;
                        addPerm = false;
                        if (accessPerm.getAccessStatus() != accessStatus) {
                            updatePerm = true;
                        }
                        break;
                    }
                }
                if (existing != null) {
                    // ignore existing permissions
                    directPerms.remove(existing);
                }
                if (addPerm || updatePerm) {
                    try {
                        permissionService.setPermission(nodeRef, authorityId, permName, (accessStatus == AccessStatus.ALLOWED));
                    } catch (UnsupportedOperationException e) {
                        throw new InvalidArgumentException("Cannot set permissions on this node - unknown access level: " + permName);
                    }
                }
            }
            // remove any remaining direct perms
            for (AccessPermission accessPerm : directPerms) {
                permissionService.deletePermission(nodeRef, accessPerm.getAuthority(), accessPerm.getPermission());
            }
        }
    }
    String nodeType = nodeInfo.getNodeType();
    if ((nodeType != null) && (!nodeType.isEmpty())) {
        // update node type - ensure that we are performing a specialise (we do not support generalise)
        QName destNodeTypeQName = createQName(nodeType);
        if ((!destNodeTypeQName.equals(nodeTypeQName)) && isSubClass(destNodeTypeQName, nodeTypeQName) && (!isSubClass(destNodeTypeQName, ContentModel.TYPE_SYSTEM_FOLDER))) {
            nodeService.setType(nodeRef, destNodeTypeQName);
        } else {
            throw new InvalidArgumentException("Failed to change (specialise) node type - from " + nodeTypeQName + " to " + destNodeTypeQName);
        }
    }
    NodeRef parentNodeRef = nodeInfo.getParentId();
    if (parentNodeRef != null) {
        NodeRef currentParentNodeRef = getParentNodeRef(nodeRef);
        if (currentParentNodeRef == null) {
            // implies root (Company Home) hence return 403 here
            throw new PermissionDeniedException();
        }
        if (!currentParentNodeRef.equals(parentNodeRef)) {
            // moveOrCopy(nodeRef, parentNodeRef, name, false); // not currently supported - client should use explicit POST /move operation instead
            throw new InvalidArgumentException("Cannot update parentId of " + nodeId + " via PUT /nodes/{nodeId}. Please use explicit POST /nodes/{nodeId}/move operation instead");
        }
    }
    List<String> aspectNames = nodeInfo.getAspectNames();
    updateCustomAspects(nodeRef, aspectNames, EXCLUDED_ASPECTS);
    if (props.size() > 0) {
        validatePropValues(props);
        try {
            // update node properties - note: null will unset the specified property
            nodeService.addProperties(nodeRef, props);
        } catch (DuplicateChildNodeNameException dcne) {
            throw new ConstraintViolatedException(dcne.getMessage());
        }
    }
    return nodeRef;
}

Example 19 with PermissionDeniedException

use of org.alfresco.rest.framework.core.exceptions.PermissionDeniedException in project alfresco-remote-api by Alfresco.

the class PeopleImpl method updatePassword.

private void updatePassword(boolean isAdmin, String personIdToUpdate, Person person) {
    MutableAuthenticationService mutableAuthenticationService = (MutableAuthenticationService) authenticationService;
    boolean isOldPassword = person.wasSet(Person.PROP_PERSON_OLDPASSWORD);
    boolean isPassword = person.wasSet(Person.PROP_PERSON_PASSWORD);
    if (isPassword || isOldPassword) {
        if (isOldPassword && ((person.getOldPassword() == null) || (person.getOldPassword().isEmpty()))) {
            throw new IllegalArgumentException("'oldPassword' field cannot be empty.");
        }
        if (!isPassword || (person.getPassword() == null) || (person.getPassword().isEmpty())) {
            throw new IllegalArgumentException("password' field cannot be empty.");
        }
        char[] newPassword = person.getPassword().toCharArray();
        if (!isAdmin) {
            // Non-admin users can update their own password, but must provide their current password.
            if (!isOldPassword) {
                throw new IllegalArgumentException("To change password, both 'oldPassword' and 'password' fields are required.");
            }
            char[] oldPassword = person.getOldPassword().toCharArray();
            try {
                mutableAuthenticationService.updateAuthentication(personIdToUpdate, oldPassword, newPassword);
            } catch (AuthenticationException e) {
                throw new PermissionDeniedException("Incorrect password.");
            }
        } else {
            // An admin user can update without knowing the original pass - but must know their own!
            // note: is it reasonable to silently ignore oldPassword if supplied ?
            mutableAuthenticationService.setAuthentication(personIdToUpdate, newPassword);
        }
    }
}

Example 20 with PermissionDeniedException

use of org.alfresco.rest.framework.core.exceptions.PermissionDeniedException in project alfresco-remote-api by Alfresco.

the class PeopleImpl method update.

@Override
public Person update(String personId, final Person person) {
    // Validate, perform -me- substitution and canonicalize the person ID.
    personId = validatePerson(personId);
    validateUpdatePersonData(person);
    // Check if user updating *their own* details or is an admin
    boolean isAdmin = checkCurrentUserOrAdmin(personId);
    final String personIdToUpdate = validatePerson(personId);
    final Map<QName, Serializable> properties = person.toProperties();
    // if requested, update password
    updatePassword(isAdmin, personIdToUpdate, person);
    if (person.isEnabled() != null) {
        if (isAdminAuthority(personIdToUpdate)) {
            throw new PermissionDeniedException("Admin authority cannot be disabled.");
        }
        // note: if current user is not an admin then permission denied exception is thrown
        MutableAuthenticationService mutableAuthenticationService = (MutableAuthenticationService) authenticationService;
        mutableAuthenticationService.setAuthenticationEnabled(personIdToUpdate, person.isEnabled());
    }
    NodeRef personNodeRef = personService.getPerson(personIdToUpdate, false);
    if (person.wasSet(Person.PROP_PERSON_DESCRIPTION)) {
        // Remove person description from saved properties
        properties.remove(ContentModel.PROP_PERSONDESC);
        // Custom save for person description.
        savePersonDescription(person.getDescription(), personNodeRef);
    }
    // Update custom aspects - do this *before* adding custom properties. The
    // addition of custom properties may result in the auto-addition of aspects
    // and we don't want to remove them during the update of explicitly specified aspects.
    nodes.updateCustomAspects(personNodeRef, person.getAspectNames(), EXCLUDED_ASPECTS);
    // Add custom properties
    if (person.getProperties() != null) {
        Map<String, Object> customProps = person.getProperties();
        properties.putAll(nodes.mapToNodeProperties(customProps));
    }
    // The person service only allows admin users to set the properties by default.
    AuthenticationUtil.runAsSystem(new RunAsWork<Void>() {

        @Override
        public Void doWork() throws Exception {
            personService.setPersonProperties(personIdToUpdate, properties, false);
            return null;
        }
    });
    return getPerson(personId);
}