From 7bc385c5824e20a6871cebe1942a7789598bb43c Mon Sep 17 00:00:00 2001 From: AFaust Date: Thu, 12 Sep 2024 11:28:04 +0200 Subject: [PATCH] Restrict permission cleaner to site groups - old logic cleaned ANY group permissions, not just site-related ones - extra check for GROUP_EVERYONE no longer needed if proper GROUP_site_ prefix is checked first --- .../java/org/alfresco/repo/site/SitesPermissionCleaner.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/repository/src/main/java/org/alfresco/repo/site/SitesPermissionCleaner.java b/repository/src/main/java/org/alfresco/repo/site/SitesPermissionCleaner.java index 9c655b43a70..58dfda590eb 100644 --- a/repository/src/main/java/org/alfresco/repo/site/SitesPermissionCleaner.java +++ b/repository/src/main/java/org/alfresco/repo/site/SitesPermissionCleaner.java @@ -131,11 +131,11 @@ public void cleanSitePermissions(final NodeRef targetNode, SiteInfo containingSi String authority = entry.getAuthority(); String thisSiteGroupPrefix = siteServiceImpl.getSiteGroup(containingSite.getShortName(), true); + String anySiteGroupPrefix = thisSiteGroupPrefix.substring(0, thisSiteGroupPrefix.lastIndexOf(containingSite.getShortName())); // If it's a group site permission for a site other than the current site - if (authority.startsWith(PermissionService.GROUP_PREFIX) && - // And it's not GROUP_EVERYONE - !authority.startsWith(PermissionService.ALL_AUTHORITIES) && !authority.startsWith(thisSiteGroupPrefix) && + if (authority.startsWith(anySiteGroupPrefix) && + !authority.startsWith(thisSiteGroupPrefix) && // And if the current user has permissions to do it publicServiceAccessService.hasAccess("PermissionService", "clearPermission", targetNode, authority) == AccessStatus.ALLOWED) {