When third-party applications like MS-Office lock documents through protocols like WebDAV or AOS, they use a token-based lock mechanism. A client is only allowed to modify the document if it knows the token. Alfresco already stores this token, but it is not yet properly enforced by the core repo.
Only the WebDAV and AOS clients running on top of the core repo enforce this token.
Effects of this problem:
- Open a document with a third-party application from a WebDAV or AOS mapped drive for editing
- This document is locked in Alfresco
- Try to rename the document with any application except Share (e.g. Salesforce, mobile client, CMIS, ...) with the same user account
Expected: It is not possible to rename the document without the WebDAV token.
Actual: The document is renamed and the third-party application fails since it cannot find the document anymore.
We are already storing the WebDAV lock token in an Aspect that is applied by the LockService if the lock is initiated by WebDAV. There is a method in the LockService that checks access to a document based on the current user account. This method needs to be extended so that it denies access, even when the same user account is used, if the Aspect on the node has a non-null token.
For WebDAV and AOS, there needs to be a method like setLockToken that can be used to set a token per thread in a ThreadLocal. So if WebDAV or AOS needs to modify a document, it can use code like this:
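An added sketch of the proposed check, not Alfresco's own code: a minimal in-memory model where the lock check denies the lock owner unless the thread carries the matching token. Every name except `setLockToken` is hypothetical, and the token value is constructed.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Hypothetical in-memory model of the proposal; not Alfresco's LockService API.
public class TokenLockModel {
    // token == null means the lock was not taken through WebDAV/AOS.
    record Lock(String owner, String token) {}

    private final Map<String, Lock> locks = new HashMap<>();   // nodeId -> lock
    private static final ThreadLocal<String> LOCK_TOKEN = new ThreadLocal<>();

    // Called by the WebDAV/AOS layer before it modifies a node on this thread.
    public static void setLockToken(String token) { LOCK_TOKEN.set(token); }
    public static void clearLockToken() { LOCK_TOKEN.remove(); }

    public void lock(String nodeId, String user, String token) {
        locks.put(nodeId, new Lock(user, token));
    }

    // Throws if the calling thread may not modify the node.
    public void checkModifyAllowed(String nodeId, String user) {
        Lock lock = locks.get(nodeId);
        if (lock == null) return;                               // node is not locked
        if (!lock.owner().equals(user))
            throw new IllegalStateException("locked by another user");
        // Same user: a token lock also needs the matching token on this thread.
        if (lock.token() != null && !Objects.equals(lock.token(), LOCK_TOKEN.get()))
            throw new IllegalStateException("lock token required");
    }

    public static void main(String[] args) {
        TokenLockModel svc = new TokenLockModel();
        String token = "opaquelocktoken:constructed-example";   // constructed sample value
        svc.lock("node-1", "alice", token);

        try {   // e.g. a CMIS rename by the same user, no token on the thread
            svc.checkModifyAllowed("node-1", "alice");
            System.out.println("rename allowed");
        } catch (IllegalStateException e) {
            System.out.println("rename denied: " + e.getMessage());
        }

        setLockToken(token);            // WebDAV/AOS request path supplies the token
        try {
            svc.checkModifyAllowed("node-1", "alice");
            System.out.println("WebDAV write allowed");
        } finally {
            clearLockToken();           // pooled threads must not keep a stale token
        }
    }
}
```

Clearing the ThreadLocal in a `finally` block matters on pooled request threads, where a leftover token would let a later, unrelated request pass the check.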