Example 31 with AccessPermission
use of org.alfresco.service.cmr.security.AccessPermission in project records-management by Alfresco.
the class ExtendedSecurityServiceImplUnitTest method addExtendedSecurityToNodeWithExtendedSecurity.
/**
* Given that a node already has extended security
* When I add extended security
* Then the existing extended security is replaced with the new extended security
*/
@Test
public void addExtendedSecurityToNodeWithExtendedSecurity() {
// group names
String readGroup = extendedSecurityService.getIPRGroupShortName(READER_GROUP_FULL_PREFIX, READERS, 0);
String writeGroup = extendedSecurityService.getIPRGroupShortName(WRITER_GROUP_FULL_PREFIX, WRITERS, 0);
// setup permissions
Set<AccessPermission> permissions = Stream.of(new AccessPermissionImpl(AlfMock.generateText(), AccessStatus.ALLOWED, readGroup, 0), new AccessPermissionImpl(AlfMock.generateText(), AccessStatus.ALLOWED, AlfMock.generateText(), 1), new AccessPermissionImpl(AlfMock.generateText(), AccessStatus.ALLOWED, writeGroup, 2)).collect(Collectors.toSet());
when(mockedPermissionService.getAllSetPermissions(nodeRef)).thenReturn(permissions);
// set revised reader and writers
String user = generateText();
String group = generateText();
String userW = generateText();
String groupW = generateText();
Set<String> newReaders = Stream.of(user, group).collect(Collectors.toSet());
Set<String> newWriters = Stream.of(userW, groupW).collect(Collectors.toSet());
// new group names
String newReadGroup = extendedSecurityService.getIPRGroupShortName(READER_GROUP_PREFIX, newReaders, 0);
String newWriteGroup = extendedSecurityService.getIPRGroupShortName(WRITER_GROUP_PREFIX, newWriters, 0);
// make sure users and groups exist
Stream.of(user, group, userW, groupW).forEach((a) -> when(mockedAuthorityService.authorityExists(a)).thenReturn(true));
// setup query results for no group matches
when(mockedReadPagingResults.getPage()).thenReturn(Collections.emptyList());
when(mockedAuthorityService.getAuthorities(eq(AuthorityType.GROUP), eq(RMAuthority.ZONE_APP_RM), any(String.class), eq(false), eq(false), any(PagingRequest.class))).thenReturn(mockedReadPagingResults);
// set extended security
extendedSecurityService.set(nodeRef, newReaders, newWriters);
// verify that the old permissions are cleared
verify(mockedPermissionService).clearPermission(nodeRef, readGroup);
verify(mockedPermissionService).clearPermission(nodeRef, writeGroup);
// verify read group created correctly
verify(mockedAuthorityService).createAuthority(AuthorityType.GROUP, newReadGroup, newReadGroup, Collections.singleton(RMAuthority.ZONE_APP_RM));
newReadGroup = GROUP_PREFIX + newReadGroup;
verify(mockedAuthorityService).addAuthority(GROUP_PREFIX + ROOT_IPR_GROUP, newReadGroup);
verify(mockedAuthorityService).addAuthority(newReadGroup, user);
verify(mockedAuthorityService).addAuthority(newReadGroup, group);
// verify write group created correctly
verify(mockedAuthorityService).createAuthority(AuthorityType.GROUP, newWriteGroup, newWriteGroup, Collections.singleton(RMAuthority.ZONE_APP_RM));
newWriteGroup = GROUP_PREFIX + newWriteGroup;
verify(mockedAuthorityService).addAuthority(GROUP_PREFIX + ROOT_IPR_GROUP, newWriteGroup);
verify(mockedAuthorityService).addAuthority(newWriteGroup, userW);
verify(mockedAuthorityService).addAuthority(newWriteGroup, groupW);
// verify groups assigned to RM roles
verify(mockedFilePlanRoleService).assignRoleToAuthority(filePlan, FilePlanRoleService.ROLE_EXTENDED_READERS, newReadGroup);
verify(mockedFilePlanRoleService).assignRoleToAuthority(filePlan, FilePlanRoleService.ROLE_EXTENDED_WRITERS, newWriteGroup);
// verify permissions are assigned to node
verify(mockedPermissionService).setPermission(nodeRef, newReadGroup, RMPermissionModel.READ_RECORDS, true);
verify(mockedPermissionService).setPermission(nodeRef, newWriteGroup, RMPermissionModel.FILING, true);
}
Also used :
AccessPermission(org.alfresco.service.cmr.security.AccessPermission)
AccessPermissionImpl(org.alfresco.repo.security.permissions.impl.AccessPermissionImpl)
Matchers.anyString(org.mockito.Matchers.anyString)
PagingRequest(org.alfresco.query.PagingRequest)
Test(org.junit.Test)
Example 32 with AccessPermission
use of org.alfresco.service.cmr.security.AccessPermission in project records-management by Alfresco.
the class ExtendedSecurityServiceImplUnitTest method removeExtendedSecurityFromRenditions.
/**
* Given that node has renditions
* When I remove the extended security for a node
* Then the extended security is also removed from the renditions
*/
@Test
public void removeExtendedSecurityFromRenditions() {
// group names
String readGroup = extendedSecurityService.getIPRGroupShortName(READER_GROUP_FULL_PREFIX, READERS, 0);
String writeGroup = extendedSecurityService.getIPRGroupShortName(WRITER_GROUP_FULL_PREFIX, WRITERS, 0);
// setup renditions
NodeRef renditionNodeRef = AlfMock.generateNodeRef(mockedNodeService);
when(mockedNodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_RECORD)).thenReturn(true);
when(mockedChildAssociationRef.getChildRef()).thenReturn(renditionNodeRef);
when(mockedNodeService.getChildAssocs(nodeRef, RenditionModel.ASSOC_RENDITION, RegexQNamePattern.MATCH_ALL)).thenReturn(Collections.singletonList(mockedChildAssociationRef));
// setup permissions
Set<AccessPermission> permissions = Stream.of(new AccessPermissionImpl(AlfMock.generateText(), AccessStatus.ALLOWED, readGroup, 0), new AccessPermissionImpl(AlfMock.generateText(), AccessStatus.ALLOWED, AlfMock.generateText(), 1), new AccessPermissionImpl(AlfMock.generateText(), AccessStatus.ALLOWED, writeGroup, 2)).collect(Collectors.toSet());
when(mockedPermissionService.getAllSetPermissions(nodeRef)).thenReturn(permissions);
// remove extended security
extendedSecurityService.remove(nodeRef);
// verify that the groups permissions have been removed
verify(mockedPermissionService).clearPermission(nodeRef, readGroup);
verify(mockedPermissionService).clearPermission(nodeRef, writeGroup);
// verify that the groups permissions have been removed from the rendition
verify(mockedPermissionService).clearPermission(renditionNodeRef, readGroup);
verify(mockedPermissionService).clearPermission(renditionNodeRef, writeGroup);
}
Also used :
NodeRef(org.alfresco.service.cmr.repository.NodeRef)
AccessPermission(org.alfresco.service.cmr.security.AccessPermission)
AccessPermissionImpl(org.alfresco.repo.security.permissions.impl.AccessPermissionImpl)
Matchers.anyString(org.mockito.Matchers.anyString)
Test(org.junit.Test)
Example 33 with AccessPermission
use of org.alfresco.service.cmr.security.AccessPermission in project records-management by Alfresco.
the class FilePlanPermissionServiceImplUnitTest method setupPermissions.
/**
* Helper method to setup permissions on mock objects
*/
private void setupPermissions(NodeRef nodeRef) {
Set<AccessPermission> perms = new HashSet<AccessPermission>(4);
// setup basic file and read for authorities
perms.add(new AccessPermissionImpl(RMPermissionModel.READ_RECORDS, AccessStatus.ALLOWED, AUTHORITY, 0));
perms.add(new AccessPermissionImpl(RMPermissionModel.FILING, AccessStatus.ALLOWED, AUTHORITY2, 1));
doReturn(perms).when(mockedPermissionService).getAllSetPermissions(nodeRef);
}
Also used :
AccessPermission(org.alfresco.service.cmr.security.AccessPermission)
AccessPermissionImpl(org.alfresco.repo.security.permissions.impl.AccessPermissionImpl)
HashSet(java.util.HashSet)
Example 34 with AccessPermission
use of org.alfresco.service.cmr.security.AccessPermission in project records-management by Alfresco.
the class RecordServiceImpl method isPropertyEditable.
/**
* @see org.alfresco.module.org_alfresco_module_rm.record.RecordService#isPropertyEditable(org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.namespace.QName)
*/
@Override
public boolean isPropertyEditable(NodeRef record, QName property) {
ParameterCheck.mandatory("record", record);
ParameterCheck.mandatory("property", property);
if (!isRecord(record)) {
throw new AlfrescoRuntimeException("Cannot check if the property " + property.toString() + " is editable, because node reference is not a record.");
}
NodeRef filePlan = getFilePlan(record);
// DEBUG ...
boolean debugEnabled = LOGGER.isDebugEnabled();
if (debugEnabled) {
LOGGER.debug("Checking whether property " + property.toString() + " is editable for user " + AuthenticationUtil.getRunAsUser());
Set<Role> roles = filePlanRoleService.getRolesByUser(filePlan, AuthenticationUtil.getRunAsUser());
LOGGER.debug(" ... users roles");
for (Role role : roles) {
LOGGER.debug(" ... user has role " + role.getName() + " with capabilities ");
for (Capability cap : role.getCapabilities()) {
LOGGER.debug(" ... " + cap.getName());
}
}
LOGGER.debug(" ... user has the following set permissions on the file plan");
Set<AccessPermission> perms = permissionService.getAllSetPermissions(filePlan);
for (AccessPermission perm : perms) {
if ((perm.getPermission().contains(RMPermissionModel.EDIT_NON_RECORD_METADATA) || perm.getPermission().contains(RMPermissionModel.EDIT_RECORD_METADATA))) {
LOGGER.debug(" ... " + perm.getAuthority() + " - " + perm.getPermission() + " - " + perm.getAccessStatus().toString());
}
}
if (permissionService.hasPermission(filePlan, RMPermissionModel.EDIT_NON_RECORD_METADATA).equals(AccessStatus.ALLOWED)) {
LOGGER.debug(" ... user has the edit non record metadata permission on the file plan");
}
}
// END DEBUG ...
boolean result = alwaysEditProperty(property);
if (result) {
LOGGER.debug(" ... property marked as always editable.");
} else {
boolean allowRecordEdit = false;
boolean allowNonRecordEdit = false;
AccessStatus accessNonRecord = capabilityService.getCapabilityAccessState(record, RMPermissionModel.EDIT_NON_RECORD_METADATA);
AccessStatus accessDeclaredRecord = capabilityService.getCapabilityAccessState(record, RMPermissionModel.EDIT_DECLARED_RECORD_METADATA);
AccessStatus accessRecord = capabilityService.getCapabilityAccessState(record, RMPermissionModel.EDIT_RECORD_METADATA);
if (AccessStatus.ALLOWED.equals(accessNonRecord)) {
LOGGER.debug(" ... user has edit nonrecord metadata capability");
allowNonRecordEdit = true;
}
if (AccessStatus.ALLOWED.equals(accessRecord) || AccessStatus.ALLOWED.equals(accessDeclaredRecord)) {
LOGGER.debug(" ... user has edit record or declared metadata capability");
allowRecordEdit = true;
}
if (allowNonRecordEdit && allowRecordEdit) {
LOGGER.debug(" ... so all properties can be edited.");
result = true;
} else if (allowNonRecordEdit && !allowRecordEdit) {
// can only edit non record properties
if (!isRecordMetadata(filePlan, property)) {
LOGGER.debug(" ... property is not considered record metadata so editable.");
result = true;
} else {
LOGGER.debug(" ... property is considered record metadata so not editable.");
}
} else if (!allowNonRecordEdit && allowRecordEdit) {
// can only edit record properties
if (isRecordMetadata(filePlan, property)) {
LOGGER.debug(" ... property is considered record metadata so editable.");
result = true;
} else {
LOGGER.debug(" ... property is not considered record metadata so not editable.");
}
}
// otherwise we can't edit any properties so just return the empty set
}
return result;
}
Also used :
Role(org.alfresco.module.org_alfresco_module_rm.role.Role)
NodeRef(org.alfresco.service.cmr.repository.NodeRef)
Capability(org.alfresco.module.org_alfresco_module_rm.capability.Capability)
AccessPermission(org.alfresco.service.cmr.security.AccessPermission)
AlfrescoRuntimeException(org.alfresco.error.AlfrescoRuntimeException)
AccessStatus(org.alfresco.service.cmr.security.AccessStatus)
Example 35 with AccessPermission
use of org.alfresco.service.cmr.security.AccessPermission in project alfresco-remote-api by Alfresco.
the class NodesImpl method getFolderOrDocument.
@Override
public Node getFolderOrDocument(final NodeRef nodeRef, NodeRef parentNodeRef, QName nodeTypeQName, List<String> includeParam, Map<String, UserInfo> mapUserInfo) {
if (mapUserInfo == null) {
mapUserInfo = new HashMap<>(2);
}
if (includeParam == null) {
includeParam = Collections.emptyList();
}
Node node;
Map<QName, Serializable> properties = nodeService.getProperties(nodeRef);
PathInfo pathInfo = null;
if (includeParam.contains(PARAM_INCLUDE_PATH)) {
ChildAssociationRef archivedParentAssoc = (ChildAssociationRef) properties.get(ContentModel.PROP_ARCHIVED_ORIGINAL_PARENT_ASSOC);
pathInfo = lookupPathInfo(nodeRef, archivedParentAssoc);
}
if (nodeTypeQName == null) {
nodeTypeQName = getNodeType(nodeRef);
}
if (parentNodeRef == null) {
parentNodeRef = getParentNodeRef(nodeRef);
}
Type type = getType(nodeTypeQName, nodeRef);
if (type == null) {
// not direct folder (or file) ...
// might be sub-type of cm:cmobject (or a cm:link pointing to cm:cmobject or possibly even another cm:link)
node = new Node(nodeRef, parentNodeRef, properties, mapUserInfo, sr);
node.setIsFolder(false);
node.setIsFile(false);
} else if (type.equals(Type.DOCUMENT)) {
node = new Document(nodeRef, parentNodeRef, properties, mapUserInfo, sr);
} else if (type.equals(Type.FOLDER)) {
node = new Folder(nodeRef, parentNodeRef, properties, mapUserInfo, sr);
} else {
throw new RuntimeException("Unexpected - should not reach here: " + type);
}
if (includeParam.size() > 0) {
node.setProperties(mapFromNodeProperties(properties, includeParam, mapUserInfo, EXCLUDED_NS, EXCLUDED_PROPS));
}
Set<QName> aspects = null;
if (includeParam.contains(PARAM_INCLUDE_ASPECTNAMES)) {
aspects = nodeService.getAspects(nodeRef);
node.setAspectNames(mapFromNodeAspects(aspects, EXCLUDED_NS, EXCLUDED_ASPECTS));
}
if (includeParam.contains(PARAM_INCLUDE_ISLINK)) {
boolean isLink = isSubClass(nodeTypeQName, ContentModel.TYPE_LINK);
node.setIsLink(isLink);
}
if (includeParam.contains(PARAM_INCLUDE_ISLOCKED)) {
boolean isLocked = isLocked(nodeRef, aspects);
node.setIsLocked(isLocked);
}
if (includeParam.contains(PARAM_INCLUDE_ISFAVORITE)) {
boolean isFavorite = isFavorite(nodeRef);
node.setIsFavorite(isFavorite);
}
if (includeParam.contains(PARAM_INCLUDE_ALLOWABLEOPERATIONS)) {
// note: refactor when requirements change
Map<String, String> mapPermsToOps = new HashMap<>(3);
mapPermsToOps.put(PermissionService.DELETE, OP_DELETE);
mapPermsToOps.put(PermissionService.ADD_CHILDREN, OP_CREATE);
mapPermsToOps.put(PermissionService.WRITE, OP_UPDATE);
mapPermsToOps.put(PermissionService.CHANGE_PERMISSIONS, OP_UPDATE_PERMISSIONS);
List<String> allowableOperations = new ArrayList<>(3);
for (Entry<String, String> kv : mapPermsToOps.entrySet()) {
String perm = kv.getKey();
String op = kv.getValue();
if (perm.equals(PermissionService.ADD_CHILDREN) && Type.DOCUMENT.equals(type)) {
// special case: do not return "create" (as an allowable op) for file/content types - note: 'type' can be null
continue;
} else if (perm.equals(PermissionService.DELETE) && (isSpecialNode(nodeRef, nodeTypeQName))) {
// special case: do not return "delete" (as an allowable op) for specific system nodes
continue;
} else if (permissionService.hasPermission(nodeRef, perm) == AccessStatus.ALLOWED) {
allowableOperations.add(op);
}
}
node.setAllowableOperations((allowableOperations.size() > 0) ? allowableOperations : null);
}
if (includeParam.contains(PARAM_INCLUDE_PERMISSIONS)) {
Boolean inherit = permissionService.getInheritParentPermissions(nodeRef);
List<NodePermissions.NodePermission> inheritedPerms = new ArrayList<>(5);
List<NodePermissions.NodePermission> setDirectlyPerms = new ArrayList<>(5);
Set<String> settablePerms = null;
boolean allowRetrievePermission = true;
try {
for (AccessPermission accessPerm : permissionService.getAllSetPermissions(nodeRef)) {
NodePermissions.NodePermission nodePerm = new NodePermissions.NodePermission(accessPerm.getAuthority(), accessPerm.getPermission(), accessPerm.getAccessStatus().toString());
if (accessPerm.isSetDirectly()) {
setDirectlyPerms.add(nodePerm);
} else {
inheritedPerms.add(nodePerm);
}
}
settablePerms = permissionService.getSettablePermissions(nodeRef);
} catch (AccessDeniedException ade) {
// ignore - ie. denied access to retrieve permissions, eg. non-admin on root (Company Home)
allowRetrievePermission = false;
}
// returned only node info that he's allowed to see
if (allowRetrievePermission) {
NodePermissions nodePerms = new NodePermissions(inherit, inheritedPerms, setDirectlyPerms, settablePerms);
node.setPermissions(nodePerms);
}
}
if (includeParam.contains(PARAM_INCLUDE_ASSOCIATION)) {
// Ugh ... can we optimise this and return the actual assoc directly (via FileFolderService/GetChildrenCQ) ?
ChildAssociationRef parentAssocRef = nodeService.getPrimaryParent(nodeRef);
// note: parentAssocRef.parentRef can be null for -root- node !
if ((parentAssocRef == null) || (parentAssocRef.getParentRef() == null) || (!parentAssocRef.getParentRef().equals(parentNodeRef))) {
List<ChildAssociationRef> parentAssocRefs = nodeService.getParentAssocs(nodeRef);
for (ChildAssociationRef pAssocRef : parentAssocRefs) {
if (pAssocRef.getParentRef().equals(parentNodeRef)) {
// for now, assume same parent/child cannot appear more than once (due to unique name)
parentAssocRef = pAssocRef;
break;
}
}
}
if (parentAssocRef != null) {
QName assocTypeQName = parentAssocRef.getTypeQName();
if ((assocTypeQName != null) && (!EXCLUDED_NS.contains(assocTypeQName.getNamespaceURI()))) {
AssocChild childAssoc = new AssocChild(assocTypeQName.toPrefixString(namespaceService), parentAssocRef.isPrimary());
node.setAssociation(childAssoc);
}
}
}
if (includeParam.contains(PARAM_INCLUDE_DEFINITION)) {
NodeDefinition nodeDefinition = nodeDefinitionMapper.fromTypeDefinition(getTypeDefinition(nodeRef), dictionaryService);
node.setDefinition(nodeDefinition);
}
node.setNodeType(nodeTypeQName.toPrefixString(namespaceService));
node.setPath(pathInfo);
return node;
}
Also used :
Serializable(java.io.Serializable)
AccessDeniedException(org.alfresco.repo.security.permissions.AccessDeniedException)
NodePermissions(org.alfresco.rest.api.model.NodePermissions)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
HashMap(java.util.HashMap)
Node(org.alfresco.rest.api.model.Node)
ArrayList(java.util.ArrayList)
AssocChild(org.alfresco.rest.api.model.AssocChild)
NodeDefinition(org.alfresco.rest.api.model.NodeDefinition)
Document(org.alfresco.rest.api.model.Document)
Folder(org.alfresco.rest.api.model.Folder)
FilterPropBoolean(org.alfresco.repo.node.getchildren.FilterPropBoolean)
QName(org.alfresco.service.namespace.QName)
AccessPermission(org.alfresco.service.cmr.security.AccessPermission)
ChildAssociationRef(org.alfresco.service.cmr.repository.ChildAssociationRef)
VersionType(org.alfresco.service.cmr.version.VersionType)
ActivityType(org.alfresco.repo.activities.ActivityType)
PathInfo(org.alfresco.rest.api.model.PathInfo)
Aggregations
AccessPermission (org.alfresco.service.cmr.security.AccessPermission)52
NodeRef (org.alfresco.service.cmr.repository.NodeRef)21
ArrayList (java.util.ArrayList)15
HashSet (java.util.HashSet)14
HashMap (java.util.HashMap)13
ChildAssociationRef (org.alfresco.service.cmr.repository.ChildAssociationRef)7
Test (org.junit.Test)7
Serializable (java.io.Serializable)5
List (java.util.List)5
Map (java.util.Map)5
Set (java.util.Set)5
AccessPermissionImpl (org.alfresco.repo.security.permissions.impl.AccessPermissionImpl)5
AccessStatus (org.alfresco.service.cmr.security.AccessStatus)5
QName (org.alfresco.service.namespace.QName)5
LinkedHashSet (java.util.LinkedHashSet)4
AccessDeniedException (org.alfresco.repo.security.permissions.AccessDeniedException)4
FacesContext (javax.faces.context.FacesContext)3
AlfrescoRuntimeException (org.alfresco.error.AlfrescoRuntimeException)3
FilterPropString (org.alfresco.repo.node.getchildren.FilterPropString)3
PermissionReference (org.alfresco.repo.security.permissions.PermissionReference)3
