Merge pull request #1596 from tomdesair/DS-3367_Configurable-Workflow…

…-authorization-denied-error

DS-3367: Fix authorization error on claim by non-admin user

dspace-api/src/main/java/org/dspace/xmlworkflow/WorkflowRequirementsServiceImpl.java

@@ -72,12 +72,17 @@ public void addClaimedUser(Context context, XmlWorkflowItem wfi, Step step, EPer
         ipu.setUser(user);
         ipu.setFinished(false);
         inProgressUserService.update(context, ipu);
+
+        //Make sure the user has the necessary rights to update the item after the tasks is removed from the pool
+        xmlWorkflowService.grantUserAllItemPolicies(context, wfi.getItem(), user);
+
         int totalUsers = inProgressUserService.getNumberOfInProgressUsers(context, wfi) + inProgressUserService.getNumberOfFinishedUsers(context, wfi);
 
         if(totalUsers == step.getRequiredUsers()){
             //If enough users have claimed/finished this step then remove the tasks
             xmlWorkflowService.deleteAllPooledTasks(context, wfi);
         }
+
         xmlWorkflowItemService.update(context, wfi);
     }
 
@@ -89,6 +94,8 @@ public void removeClaimedUser(Context context, XmlWorkflowItem wfi, EPerson user
         //Then remove the current user from the inProgressUsers
         inProgressUserService.delete(context, inProgressUserService.findByWorkflowItemAndEPerson(context, wfi, user));
 
+        //Make sure the removed user has his custom rights removed
+        xmlWorkflowService.removeUserItemPolicies(context, wfi.getItem(), user);
 
         Workflow workflow = workflowFactory.getWorkflow(wfi.getCollection());
         Step step = workflow.getStep(stepID);

dspace-api/src/main/java/org/dspace/xmlworkflow/XmlWorkflowServiceImpl.java

@@ -661,7 +661,7 @@ public void createOwnedTask(Context context, XmlWorkflowItem wi, Step step, Work
         grantUserAllItemPolicies(context, wi.getItem(), e);
     }
 
-    protected void grantUserAllItemPolicies(Context context, Item item, EPerson epa) throws AuthorizeException, SQLException {
+    public void grantUserAllItemPolicies(Context context, Item item, EPerson epa) throws AuthorizeException, SQLException {
         if (epa != null){
             //A list of policies the user has for this item
             List<Integer>  userHasPolicies = new ArrayList<Integer>();
@@ -739,7 +739,7 @@ protected void addGroupPolicyToItem(Context context, Item item, int type, Group
         }
     }
 
-    protected void removeUserItemPolicies(Context context, Item item, EPerson e) throws SQLException, AuthorizeException {
+    public void removeUserItemPolicies(Context context, Item item, EPerson e) throws SQLException, AuthorizeException {
         if (e != null){
             //Also remove any lingering authorizations from this user
             authorizeService.removeEPersonPolicies(context, item, e);

dspace-api/src/main/java/org/dspace/xmlworkflow/service/XmlWorkflowService.java

@@ -8,6 +8,7 @@
 package org.dspace.xmlworkflow.service;
 
 import org.dspace.authorize.AuthorizeException;
+import org.dspace.content.Item;
 import org.dspace.core.Context;
 import org.dspace.eperson.EPerson;
 import org.dspace.workflow.WorkflowService;
@@ -59,5 +60,9 @@ public void createPoolTasks(Context context, XmlWorkflowItem wi, RoleMembers ass
 
     public void createOwnedTask(Context context, XmlWorkflowItem wi, Step step, WorkflowActionConfig action, EPerson e) throws SQLException, AuthorizeException;
 
+    public void grantUserAllItemPolicies(Context context, Item item, EPerson epa) throws AuthorizeException, SQLException;
+
+    public void removeUserItemPolicies(Context context, Item item, EPerson e) throws SQLException, AuthorizeException;
+
     public String getEPersonName(EPerson ePerson);
 }