From 1253f1aeea35f3f038b744c7ddf845dcf224c975 Mon Sep 17 00:00:00 2001
From: Richard Millet <remillet@yahoo.com>
Date: Sat, 12 Oct 2019 09:26:53 -0700
Subject: [PATCH] DRYD-764: Initial work on authorization support for running
 reports.

---
 services/report/3rdparty/build.xml            |   8 +-
 .../nuxeo-platform-cs-report/build.xml        | 161 ------------------
 .../3rdparty/nuxeo-platform-cs-report/pom.xml |  44 -----
 .../src/main/resources/META-INF/MANIFEST.MF   |  23 ---
 .../resources/OSGI-INF/core-types-contrib.xml |  14 --
 .../OSGI-INF/deployment-fragment.xml          |  10 --
 .../resources/OSGI-INF/ecm-types-contrib.xml  |  29 ----
 .../resources/OSGI-INF/layouts-contrib.xml    |  59 -------
 .../resources/OSGI-INF/life-cycle-contrib.xml |  11 --
 .../main/resources/schemas/reports_common.xsd |  40 -----
 .../services/client/ReportClient.java         |   1 +
 .../src/main/resources/reports-common.xsd     |  21 +++
 services/report/service/pom.xml               |  12 ++
 .../services/report/ReportResource.java       |  18 +-
 .../nuxeo/ReportDocumentModelHandler.java     | 131 +++++++++++++-
 15 files changed, 178 insertions(+), 404 deletions(-)
 delete mode 100644 services/report/3rdparty/nuxeo-platform-cs-report/build.xml
 delete mode 100644 services/report/3rdparty/nuxeo-platform-cs-report/pom.xml
 delete mode 100644 services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/META-INF/MANIFEST.MF
 delete mode 100644 services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/core-types-contrib.xml
 delete mode 100644 services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/deployment-fragment.xml
 delete mode 100644 services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/ecm-types-contrib.xml
 delete mode 100644 services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/layouts-contrib.xml
 delete mode 100644 services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/life-cycle-contrib.xml
 delete mode 100644 services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/schemas/reports_common.xsd

diff --git a/services/report/3rdparty/build.xml b/services/report/3rdparty/build.xml
index 509e47ea9..042362b7d 100644
--- a/services/report/3rdparty/build.xml
+++ b/services/report/3rdparty/build.xml
@@ -154,14 +154,10 @@
       -->
     </target>
 
-    <target name="undeploy" depends="undeploy_report_files"
-      description="Undeploy report-related artifacts">
-        <ant antfile="nuxeo-platform-cs-report/build.xml" target="undeploy" inheritall="false"/>
+    <target name="undeploy" depends="undeploy_report_files" description="Undeploy report-related artifacts">
     </target>
 
-    <target name="dist"
-    description="Generate distribution for report" depends="package">
-        <ant antfile="nuxeo-platform-cs-report/build.xml" target="dist" inheritall="false"/>
+    <target name="dist" description="Generate distribution for report" depends="package">
     </target>
 
 
diff --git a/services/report/3rdparty/nuxeo-platform-cs-report/build.xml b/services/report/3rdparty/nuxeo-platform-cs-report/build.xml
deleted file mode 100644
index 212ee1a23..000000000
--- a/services/report/3rdparty/nuxeo-platform-cs-report/build.xml
+++ /dev/null
@@ -1,161 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project name="nuxeo-platform-cs-report" default="package" basedir=".">
-    <description>
-        report nuxeo document type
-    </description>
-    <!-- set global properties for this build -->
-    <property name="services.trunk" value="../../../.."/>
-    <!-- environment should be declared before reading build.properties -->
-    <property environment="env" />
-    <property file="${services.trunk}/build.properties" />
-    <property name="mvn.opts" value="-V" />
-    <property name="src" location="src"/>
-    <!-- JAR files used by CollectionSpace 4.0 and later -->
-    <property name="nuxeo.report.doctype.jars.all"
-        value="collectionspace.report.doctype.*.jar"/>
-    <property name="nuxeo.report.schema.jars.all"
-        value="collectionspace.report.schema.*.jar"/>
-    <!-- Legacy JAR files used by CollectionSpace 3.3 and earlier --> 
-    <property name="nuxeo.report.legacy.jars.all"
-        value="org.collectionspace.services.report.3rdparty.nuxeo-*.jar"/>
-    <property name="nuxeo.report.legacy.jar"
-        value="org.collectionspace.services.report.3rdparty.nuxeo-${cspace.release}.jar"/>
-
-    <condition property="osfamily-unix">
-        <os family="unix" />
-    </condition>
-    <condition property="osfamily-windows">
-        <os family="windows" />
-    </condition>
-
-    <target name="init" >
-        <!-- Create the time stamp -->
-        <tstamp/>
-    </target>
-
-    <target name="package" depends="package-unix,package-windows"
-        description="Package CollectionSpace Services" />
-    <target name="package-unix" if="osfamily-unix">
-        <exec executable="mvn" failonerror="true">
-            <arg value="package" />
-            <arg value="-Dmaven.test.skip=true" />
-            <arg value="-f" />
-            <arg value="${basedir}/pom.xml" />
-            <arg value="-N" />
-            <arg value="${mvn.opts}" />
-        </exec>
-    </target>
-    <target name="package-windows" if="osfamily-windows">
-        <exec executable="cmd" failonerror="true">
-            <arg value="/c" />
-            <arg value="mvn" />
-            <arg value="package" />
-            <arg value="-Dmaven.test.skip=true" />
-            <arg value="-f" />
-            <arg value="${basedir}/pom.xml" />
-            <arg value="-N" />
-            <arg value="${mvn.opts}" />
-        </exec>
-    </target>
-
-    <target name="install" depends="install-unix,install-windows"
-        description="Install" />
-    <target name="install-unix" if="osfamily-unix">
-        <exec executable="mvn" failonerror="true">
-            <arg value="install" />
-            <arg value="-Dmaven.test.skip=true" />
-            <arg value="-f" />
-            <arg value="${basedir}/pom.xml" />
-            <arg value="-N" />
-            <arg value="${mvn.opts}" />
-        </exec>
-    </target>
-    <target name="install-windows" if="osfamily-windows">
-        <exec executable="cmd" failonerror="true">
-            <arg value="/c" />
-            <arg value="mvn" />
-            <arg value="install" />
-            <arg value="-Dmaven.test.skip=true" />
-            <arg value="-f" />
-            <arg value="${basedir}/pom.xml" />
-            <arg value="-N" />
-            <arg value="${mvn.opts}" />
-        </exec>
-    </target>
-
-    <target name="clean" depends="clean-unix,clean-windows"
-        description="Delete target directories" >
-        <delete dir="${build}"/>
-    </target>
-    <target name="clean-unix" if="osfamily-unix">
-        <exec executable="mvn" failonerror="true">
-            <arg value="clean" />
-            <arg value="${mvn.opts}" />
-        </exec>
-    </target>
-    <target name="clean-windows" if="osfamily-windows">
-        <exec executable="cmd" failonerror="true">
-            <arg value="/c" />
-            <arg value="mvn" />
-            <arg value="clean" />
-            <arg value="${mvn.opts}" />
-        </exec>
-    </target>
-
-    <target name="test" depends="test-unix,test-windows" description="Run tests" />
-    <target name="test-unix" if="osfamily-unix">
-        <exec executable="mvn" failonerror="true">
-            <arg value="test" />
-            <arg value="${mvn.opts}" />
-        </exec>
-    </target>
-    <target name="test-windows" if="osfamily-windows">
-        <exec executable="cmd" failonerror="true">
-            <arg value="/c" />
-            <arg value="mvn" />
-            <arg value="test" />
-            <arg value="${mvn.opts}" />
-        </exec>
-    </target>
-
-    <target name="deploy" depends="install"
-        description="deploy report doctype in ${jee.server.nuxeo}">
-        <!-- This target is obsolete. The Nuxeo artifacts are now created
-        and deployed using the "csmake" tool, leaving this legacy call
-        only for backwards compatibility reasons. -->  
-        <copy file="${basedir}/target/${nuxeo.report.legacy.jar}"
-            todir="${jee.deploy.nuxeo.plugins}"/>
-    </target>
-
-    <target name="undeploy"
-        description="undeploy report doctypes from ${jee.server.nuxeo}">
-        <delete>
-            <!-- Undeploy doctype and schema artifacts -->
-            <fileset dir="${jee.deploy.nuxeo.plugins}">
-                <include name="${nuxeo.report.doctype.jars.all}"/>
-            </fileset>
-            <fileset dir="${jee.deploy.nuxeo.plugins}">
-                <include name="${nuxeo.report.schema.jars.all}"/>
-            </fileset>
-            <!-- Undeploy legacy artifacts -->
-            <fileset dir="${jee.deploy.nuxeo.plugins}">
-                <include name="${nuxeo.report.legacy.jars.all}"/>
-            </fileset>
-        </delete>
-        <!-- Undeploy legacy artifacts from old deployment location through release 0.6 -->
-        <delete quiet="true">
-            <fileset dir="${jee.deploy.nuxeo.system}">
-                <include name="${nuxeo.report.legacy.jars.all}"/>
-            </fileset>
-        </delete>
-    </target>
-
-    <target name="dist"
-        description="generate distribution for report doctype" depends="package">
-        <copy todir="${services.trunk}/${dist.deploy.nuxeo.plugins}">
-            <fileset file="${basedir}/target/${nuxeo.report.legacy.jar}"/>
-        </copy>
-    </target>
-
-</project>
-
diff --git a/services/report/3rdparty/nuxeo-platform-cs-report/pom.xml b/services/report/3rdparty/nuxeo-platform-cs-report/pom.xml
deleted file mode 100644
index 76cf52be4..000000000
--- a/services/report/3rdparty/nuxeo-platform-cs-report/pom.xml
+++ /dev/null
@@ -1,44 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-
-    <parent>
-        <groupId>org.collectionspace.services</groupId>
-        <artifactId>org.collectionspace.services.report.3rdparty</artifactId>
-        <version>${revision}</version>
-    </parent>
-    
-    <modelVersion>4.0.0</modelVersion>
-    <groupId>org.collectionspace.services</groupId>
-    <artifactId>org.collectionspace.services.report.3rdparty.nuxeo</artifactId>
-    <name>services.report.3rdparty.nuxeo</name>
-    <packaging>jar</packaging>
-    <description>
-        Report Nuxeo Document Type
-    </description>
-
-    <build>
-		<resources>
-            <resource>
-                <directory>src/main/resources</directory>
-                <filtering>true</filtering>
-            </resource>
-		</resources>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-jar-plugin</artifactId>
-                <configuration>
-                    <archive>
-                        <manifestFile> src/main/resources/META-INF/MANIFEST.MF </manifestFile>
-                        <manifestEntries>
-                            <Bundle-Version>${eclipseVersion}</Bundle-Version>
-                            <Bundle-ManifestVersion>2</Bundle-ManifestVersion>
-                        </manifestEntries>
-                    </archive>
-                </configuration>
-            </plugin>
-        </plugins>
-    </build>
-
-</project>
diff --git a/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/META-INF/MANIFEST.MF b/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/META-INF/MANIFEST.MF
deleted file mode 100644
index 3035f14fd..000000000
--- a/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/META-INF/MANIFEST.MF
+++ /dev/null
@@ -1,23 +0,0 @@
-Manifest-Version: 1.0 
-Bundle-ManifestVersion: 1 
-Bundle-Name: NuxeoCS
-Bundle-SymbolicName: org.collectionspace.report;singleton:=true 
-Bundle-Version: 1.0.0
-Bundle-Localization: plugin
-Bundle-Vendor: Nuxeo 
-Require-Bundle: org.nuxeo.runtime, 
- org.nuxeo.ecm.core.api, 
- org.nuxeo.ecm.core,
- org.nuxeo.ecm.core.api,
- org.nuxeo.ecm.platform.types.api,
- org.nuxeo.ecm.platform.versioning.api,
- org.nuxeo.ecm.platform.ui,
- org.nuxeo.ecm.platform.forms.layout.client,
- org.nuxeo.ecm.platform.ws,
- org.collectionspace.collectionspace_core
-Provide-Package: org.collectionspace.report
-Nuxeo-Component: OSGI-INF/core-types-contrib.xml,
- OSGI-INF/life-cycle-contrib.xml,
- OSGI-INF/ecm-types-contrib.xml,
- OSGI-INF/layouts-contrib.xml
-
diff --git a/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/core-types-contrib.xml b/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/core-types-contrib.xml
deleted file mode 100644
index 932ae66ad..000000000
--- a/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/core-types-contrib.xml
+++ /dev/null
@@ -1,14 +0,0 @@
-<?xml version="1.0"?>
-<component name="org.collectionspace.report.coreTypes">
-  <extension target="org.nuxeo.ecm.core.schema.TypeService" point="schema">
-    <schema name="reports_common" prefix="reports_common" src="schemas/reports_common.xsd"/>
-  </extension>
-  <extension target="org.nuxeo.ecm.core.schema.TypeService" point="doctype">
-    <doctype name="Report" extends="Document">
-      <schema name="common"/>
-      <schema name="dublincore"/>
-      <schema name="collectionspace_core"/>
-      <schema name="reports_common"/>
-    </doctype>
-  </extension>
-</component>
diff --git a/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/deployment-fragment.xml b/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/deployment-fragment.xml
deleted file mode 100644
index 270abbd5f..000000000
--- a/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/deployment-fragment.xml
+++ /dev/null
@@ -1,10 +0,0 @@
-<?xml version="1.0"?>
-<fragment>
-
-  <extension target="application#MODULE">
-    <module>
-      <java>${bundle.fileName}</java>
-    </module>
-  </extension>
-  
-</fragment>
diff --git a/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/ecm-types-contrib.xml b/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/ecm-types-contrib.xml
deleted file mode 100644
index a16f01191..000000000
--- a/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/ecm-types-contrib.xml
+++ /dev/null
@@ -1,29 +0,0 @@
-<?xml version="1.0"?>
-<component name="org.collectionspace.report.ecm.types">
-  <extension target="org.nuxeo.ecm.platform.types.TypeService" point="types">
-    <type id="Report" coretype="Report">
-      <label>org.collectionspace.report</label>
-      <!--icon>/icons/file.gif</icon-->
-      <default-view>view_documents</default-view>
-
-      <layouts mode="any">
-        <layout>heading</layout>
-        <layout>collectionspace_core</layout>        
-        <layout>report</layout>
-      </layouts>        
-    </type>
-
-    <type id="Folder" coretype="Folder">
-      <subtypes>
-        <type>Report</type>
-      </subtypes>
-    </type>
-    
-    <type id="Workspace" coretype="Workspace">
-      <subtypes>
-        <type>Report</type>
-      </subtypes>
-    </type>
-
-  </extension>
-</component>
diff --git a/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/layouts-contrib.xml b/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/layouts-contrib.xml
deleted file mode 100644
index 63a39d2b2..000000000
--- a/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/layouts-contrib.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-<?xml version="1.0"?>
-
-<component name="org.collectionspace.report.layouts.webapp">
-
-  <extension target="org.nuxeo.ecm.platform.forms.layout.WebLayoutManager"
-    point="layouts">
-
-    <layout name="report">
-      <templates>
-        <template mode="any">/layouts/layout_default_template.xhtml</template>
-      </templates>
-      <rows>
-        <row><widget>name</widget></row>
-        <row><widget>filename</widget></row>
-        <row><widget>outputMIME</widget></row>
-      </rows>
-
-      <widget name="name" type="text">
-        <labels>
-          <label mode="any">Name</label>
-        </labels>
-        <translated>true</translated>
-        <fields>
-          <field schema="reports_common">name</field>
-        </fields>
-        <properties widgetMode="edit">
-          <property name="styleClass">dataInputText</property>
-        </properties>
-      </widget>
-      
-      <widget name="filename" type="text">
-        <labels>
-          <label mode="any">filename</label>
-        </labels>
-        <translated>true</translated>
-        <fields>
-          <field schema="reports_common">filename</field>
-        </fields>
-        <properties widgetMode="edit">
-          <property name="styleClass">dataInputText</property>
-        </properties>
-      </widget>
-      
-      <widget name="outputMIME" type="text">
-        <labels>
-          <label mode="any">outputMIME</label>
-        </labels>
-        <translated>true</translated>
-        <fields>
-          <field schema="reports_common">outputMIME</field>
-        </fields>
-        <properties widgetMode="edit">
-          <property name="styleClass">dataInputText</property>
-        </properties>
-      </widget>
-      
-    </layout>
-  </extension>
-</component>
diff --git a/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/life-cycle-contrib.xml b/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/life-cycle-contrib.xml
deleted file mode 100644
index b9fb59ce4..000000000
--- a/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/OSGI-INF/life-cycle-contrib.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<?xml version="1.0"?>
-<component name="org.collectionspace.ecm.platform.report.LifeCycleManagerExtensions">
-
-  <extension target="org.nuxeo.ecm.core.lifecycle.LifeCycleService"
-             point="types">
-    <types>
-      <type name="Report">${Lifecycle}</type>
-    </types>
-  </extension>
-
-</component>
diff --git a/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/schemas/reports_common.xsd b/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/schemas/reports_common.xsd
deleted file mode 100644
index 2c19db83f..000000000
--- a/services/report/3rdparty/nuxeo-platform-cs-report/src/main/resources/schemas/reports_common.xsd
+++ /dev/null
@@ -1,40 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-
-<!--
-    Report schema (XSD)
-
-    Entity  : Report
-    Part    : Common
-    Used for: Nuxeo EP core document type
-
-    $LastChangedRevision: 2498 $
-    $LastChangedDate: 2010-06-16 14:47:45 -0700 (Wed, 16 Jun 2010) $
--->
-
-<xs:schema 
-    xmlns:xs="http://www.w3.org/2001/XMLSchema"
-    xmlns:ns="http://collectionspace.org/report/"
-    xmlns="http://collectionspace.org/report/"
-    targetNamespace="http://collectionspace.org/report/"
-    version="0.1">
-    
-    <!-- See http://wiki.collectionspace.org/display/collectionspace/Report+Schema -->
-
-    <xs:element name="name" type="xs:string"/>
-    <xs:element name="notes" type="xs:string"/>
-    <xs:element name="forDocTypes">
-        <xs:complexType>
-            <xs:sequence>
-                <xs:element name="forDocType" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
-            </xs:sequence>
-        </xs:complexType>
-    </xs:element>
-    <xs:element name="supportsNoContext" type="xs:boolean"/>
-    <xs:element name="supportsSingleDoc" type="xs:boolean"/>
-    <xs:element name="supportsDocList" type="xs:boolean"/>
-    <xs:element name="supportsGroup" type="xs:boolean"/>
-	<!-- NYI <xs:element name="supportsQuery" type="xs:boolean"/>  -->
-    <xs:element name="filename" type="xs:string"/>
-    <xs:element name="outputMIME" type="xs:string"/>
-
-</xs:schema>
diff --git a/services/report/client/src/main/java/org/collectionspace/services/client/ReportClient.java b/services/report/client/src/main/java/org/collectionspace/services/client/ReportClient.java
index b8051a081..9062e150e 100644
--- a/services/report/client/src/main/java/org/collectionspace/services/client/ReportClient.java
+++ b/services/report/client/src/main/java/org/collectionspace/services/client/ReportClient.java
@@ -42,6 +42,7 @@ public class ReportClient extends AbstractCommonListPoxServiceClientImpl<ReportP
     public static final String SERVICE_NAME = "reports";
     public static final String SERVICE_PATH_COMPONENT = SERVICE_NAME;
     public static final String SERVICE_PATH = "/" + SERVICE_PATH_COMPONENT;
+	public static final String SERVICE_COMMON_PART_NAME = SERVICE_NAME + PART_LABEL_SEPARATOR + PART_COMMON_LABEL;
     public static final String PDF_MIME_TYPE = "application/pdf";
     public static final String CSV_MIME_TYPE = "text/csv";
     public static final String TSV_MIME_TYPE = "text/tab-separated-values";
diff --git a/services/report/jaxb/src/main/resources/reports-common.xsd b/services/report/jaxb/src/main/resources/reports-common.xsd
index 61493144d..8c46bfd1b 100644
--- a/services/report/jaxb/src/main/resources/reports-common.xsd
+++ b/services/report/jaxb/src/main/resources/reports-common.xsd
@@ -42,6 +42,14 @@
 						</xs:sequence>
 					</xs:complexType>
 				</xs:element>
+                <xs:element name="forRoles" minOccurs="0" maxOccurs="1">
+                    <xs:complexType>
+                        <xs:sequence>
+                            <xs:element name="roleDisplayName" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+                        </xs:sequence>
+                    </xs:complexType>
+                </xs:element>
+                <xs:element name="resourceActionGroupList" type="resourceActionGroupList" minOccurs="0" maxOccurs="1"/>
 				<xs:element name="supportsNoContext" type="xs:boolean" />
 				<xs:element name="supportsSingleDoc" type="xs:boolean" />
 				<xs:element name="supportsDocList" type="xs:boolean" />
@@ -52,6 +60,19 @@
 			</xs:sequence>
 		</xs:complexType>
 	</xs:element>
+
+    <xs:complexType name="resourceActionGroupList">
+        <xs:sequence>
+            <xs:element name="resourceActionGroup" type="resourceActionGroup" minOccurs="1" maxOccurs="unbounded"/>
+        </xs:sequence>
+    </xs:complexType>
     
+    <xs:complexType name="resourceActionGroup">
+        <xs:sequence>
+            <xs:element name="resourceName" type="xs:string" minOccurs="1" maxOccurs="1"/>
+            <xs:element name="actionGroup" type="xs:string" minOccurs="1" maxOccurs="1"/>
+        </xs:sequence>
+    </xs:complexType>
+
 </xs:schema>
 
diff --git a/services/report/service/pom.xml b/services/report/service/pom.xml
index 634e4fb81..a6507bab9 100644
--- a/services/report/service/pom.xml
+++ b/services/report/service/pom.xml
@@ -13,6 +13,18 @@
     <packaging>jar</packaging>
 
     <dependencies>
+        <dependency>
+            <groupId>org.collectionspace.services</groupId>
+            <artifactId>org.collectionspace.services.authentication.service</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.collectionspace.services</groupId>
+            <artifactId>org.collectionspace.services.account.service</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>            
         <dependency>
             <groupId>org.collectionspace.services</groupId>
             <artifactId>org.collectionspace.services.config</artifactId>
diff --git a/services/report/service/src/main/java/org/collectionspace/services/report/ReportResource.java b/services/report/service/src/main/java/org/collectionspace/services/report/ReportResource.java
index 15228f36f..c87c2cfba 100644
--- a/services/report/service/src/main/java/org/collectionspace/services/report/ReportResource.java
+++ b/services/report/service/src/main/java/org/collectionspace/services/report/ReportResource.java
@@ -30,6 +30,7 @@ import org.collectionspace.services.jaxb.AbstractCommonList;
 import org.collectionspace.services.report.nuxeo.ReportDocumentModelHandler;
 import org.collectionspace.services.publicitem.PublicitemsCommon;
 import org.collectionspace.services.client.IQueryManager;
+import org.collectionspace.services.client.PayloadPart;
 import org.collectionspace.services.client.PoxPayloadIn;
 import org.collectionspace.services.client.PoxPayloadOut;
 import org.collectionspace.services.client.ReportClient;
@@ -222,12 +223,24 @@ public class ReportResource extends NuxeoBasedResource {
 			builder = builder.header("Content-Disposition","inline;filename=\""+ outFileName.toString() +"\"");
 	        response = builder.build();
         } catch (Exception e) {
-            throw bigReThrow(e, ServiceMessages.POST_FAILED);
+        	String msg = e.getMessage();
+            throw bigReThrow(e, ServiceMessages.POST_FAILED + msg != null ? msg : "");
         }
 
         return response;
     }
 
+	private ReportsCommon getReportsCommon(String csid) throws Exception {
+		ReportsCommon result = null;
+
+    	ServiceContext<PoxPayloadIn, PoxPayloadOut> ctx = createServiceContext();
+		PoxPayloadOut ppo = get(csid, ctx);
+		PayloadPart reportsCommonPart = ppo.getPart(ReportClient.SERVICE_COMMON_PART_NAME);
+		result = (ReportsCommon)reportsCommonPart.getBody();
+
+    	return result;
+    }
+	
     /*
      * Does the actual report generation and returns an InputStream with the results.
      */
@@ -251,8 +264,9 @@ public class ReportResource extends NuxeoBasedResource {
             logger.trace("invokeReport with csid=" + csid);
         }
 
+        ReportsCommon reportsCommon = getReportsCommon(csid);
         ReportDocumentModelHandler handler = (ReportDocumentModelHandler)createDocumentHandler(ctx);
-        result = handler.invokeReport(ctx, csid, invContext, outMimeType, outReportFileName);
+        result = handler.invokeReport(ctx, csid, reportsCommon, invContext, outMimeType, outReportFileName);
 
         return result;
     }
diff --git a/services/report/service/src/main/java/org/collectionspace/services/report/nuxeo/ReportDocumentModelHandler.java b/services/report/service/src/main/java/org/collectionspace/services/report/nuxeo/ReportDocumentModelHandler.java
index adbb38888..0795dc474 100644
--- a/services/report/service/src/main/java/org/collectionspace/services/report/nuxeo/ReportDocumentModelHandler.java
+++ b/services/report/service/src/main/java/org/collectionspace/services/report/nuxeo/ReportDocumentModelHandler.java
@@ -55,7 +55,17 @@ import net.sf.jasperreports.engine.export.ooxml.JRDocxExporter;
 import net.sf.jasperreports.engine.export.ooxml.JRPptxExporter;
 import net.sf.jasperreports.engine.export.ooxml.JRXlsxExporter;
 
+import org.collectionspace.authentication.AuthN;
 import org.collectionspace.services.ReportJAXBSchema;
+import org.collectionspace.services.account.AccountResource;
+import org.collectionspace.services.authorization.AuthZ;
+import org.collectionspace.services.authorization.CSpaceResource;
+import org.collectionspace.services.authorization.PermissionException;
+import org.collectionspace.services.authorization.URIResourceImpl;
+import org.collectionspace.services.authorization.perms.ActionType;
+import org.collectionspace.services.report.ResourceActionGroup;
+import org.collectionspace.services.report.ResourceActionGroupList;
+import org.collectionspace.services.report.ReportsCommon.ForRoles;
 import org.collectionspace.services.report.MIMEType;
 import org.collectionspace.services.report.MIMETypeItemType;
 import org.collectionspace.services.report.ReportsCommon;
@@ -68,6 +78,7 @@ import org.collectionspace.services.common.ServiceMain;
 import org.collectionspace.services.common.api.JEEServerDeployment;
 import org.collectionspace.services.common.api.FileTools;
 import org.collectionspace.services.common.api.Tools;
+import org.collectionspace.services.common.authorization_mgt.ActionGroup;
 import org.collectionspace.services.common.config.TenantBindingConfigReaderImpl;
 import org.collectionspace.services.common.context.ServiceBindingUtils;
 import org.collectionspace.services.common.context.ServiceContext;
@@ -152,11 +163,19 @@ public class ReportDocumentModelHandler extends NuxeoDocumentModelHandler<Report
 	public InputStream invokeReport(
 			ServiceContext<PoxPayloadIn, PoxPayloadOut> ctx,
 			String csid,
+			ReportsCommon reportsCommon,
 			InvocationContext invContext,
 			StringBuffer outMimeType,
 			StringBuffer outReportFileName) throws Exception {
 		CoreSessionInterface repoSession = null;
 		boolean releaseRepoSession = false;
+		
+		// Ensure the current user has permission to run this report
+		if (isAuthoritzed(reportsCommon) == false) {
+			String msg = String.format("Report Resource: The user '%s' is not authorized to run the report '%s' CSID='%s'", 
+					AuthN.get().getUserId(), reportsCommon.getName(), csid);
+			throw new PermissionException(msg);
+		}
 
 		String invocationMode = invContext.getMode();
 		String modeProperty = null;
@@ -167,10 +186,10 @@ public class ReportDocumentModelHandler extends NuxeoDocumentModelHandler<Report
 		// Note we set before we put in the default ones, so they cannot override tenant or CSID.
 		setParamsFromContext(params, invContext);
 		
-		if(Invocable.INVOCATION_MODE_SINGLE.equalsIgnoreCase(invocationMode)) {
+		if (Invocable.INVOCATION_MODE_SINGLE.equalsIgnoreCase(invocationMode)) {
 			modeProperty = InvocableJAXBSchema.SUPPORTS_SINGLE_DOC;
     		params.put(REPORTS_STD_CSID_PARAM, invContext.getSingleCSID());
-		} else if(Invocable.INVOCATION_MODE_LIST.equalsIgnoreCase(invocationMode)) {
+		} else if (Invocable.INVOCATION_MODE_LIST.equalsIgnoreCase(invocationMode)) {
 			modeProperty = InvocableJAXBSchema.SUPPORTS_DOC_LIST;
 			List<String> csids = null;
 			InvocationContext.ListCSIDs listThing = invContext.getListCSIDs();
@@ -209,7 +228,7 @@ public class ReportDocumentModelHandler extends NuxeoDocumentModelHandler<Report
 			releaseRepoSession = true;
 		}
 
-		// Get properties from the batch docModel, and release the session
+		// Get properties from the report docModel, and release the session
 		String reportFileNameProperty;
 		try {
 			DocumentWrapper<DocumentModel> wrapper = repoClient.getDoc(repoSession, ctx, csid);
@@ -247,12 +266,12 @@ public class ReportDocumentModelHandler extends NuxeoDocumentModelHandler<Report
 	    	}
 		} catch (PropertyException pe) {
 			if (logger.isDebugEnabled()) {
-				logger.debug("Property exception getting batch values: ", pe);
+				logger.debug("Property exception getting report values: ", pe);
 			}
 			throw pe;
 		} catch (DocumentException de) {
 			if (logger.isDebugEnabled()) {
-				logger.debug("Problem getting batch doc: ", de);
+				logger.debug("Problem getting report report: ", de);
 			}
 			throw de;
 		} catch (Exception e) {
@@ -470,5 +489,107 @@ public class ReportDocumentModelHandler extends NuxeoDocumentModelHandler<Report
     	return result;
     }
 
+	/**
+	 * Check to see if the current user is authorized to run/invoke this report.  If the report
+	 * did not specify any permissions, we assume that the current user is authorized to run the report.
+	 * @param reportsCommon
+	 * @return
+	 */
+	protected boolean isAuthoritzedWithPermissions(ReportsCommon reportsCommon) {
+		boolean result = true;
+		
+		ResourceActionGroupList resourceActionGroupList = reportsCommon.getResourceActionGroupList();
+		if (resourceActionGroupList != null) {
+			String tenantId = AuthN.get().getCurrentTenantId();
+			for (ResourceActionGroup resourceActionGroup: resourceActionGroupList.getResourceActionGroup()) {
+				String resourceName = resourceActionGroup.getResourceName();
+				ActionGroup actionGroup = ActionGroup.creatActionGroup(resourceActionGroup.getActionGroup());
+				for (ActionType actionType: actionGroup.getActions()) {
+					CSpaceResource res = new URIResourceImpl(tenantId, resourceName, AuthZ.getMethod(actionType));
+					if (AuthZ.get().isAccessAllowed(res) == false) {
+						return false;
+					}
+				}
+			}
+		}
+		
+		return result;
+	}
+
+	/**
+	 * Returns true if we found any required permissions.
+	 * 
+	 * @param reportCommon
+	 * @return
+	 */
+	private boolean hasRequiredPermissions(ReportsCommon reportCommon) {
+		boolean result = false;
+		
+		try {
+			result = reportCommon.getResourceActionGroupList().getResourceActionGroup().size() > 0;
+		} catch (NullPointerException e) {
+			// ignore exception, we're just testing to see if we have any list elements
+		}
+		
+		return result;
+	}
+	
+	/**
+	 * Returns true if we found any required roles.
+	 * 
+	 * @param reportCommon
+	 * @return
+	 */
+	private boolean hasRequiredRoles(ReportsCommon reportCommon) {
+		boolean result = false;
+		
+		try {
+			result = reportCommon.getForRoles().getRoleDisplayName().size() > 0;
+		} catch (NullPointerException e) {
+			// ignore exception, we're just testing to see if we have any list elements
+		}
+		
+		return result;
+	}
+    
+	/**
+	 * The current user is authorized to run the report if:
+	 * 	1. No permissions or roles are specified in the report
+	 *  2. No roles are specified, but permissions are specified and the current user has those permissions
+	 *  3. Roles are specified and the current user is a member of at least one of the roles.
+	 * 
+	 * @param reportsCommon
+	 * @return
+	 */
+	protected boolean isAuthoritzed(ReportsCommon reportsCommon) {
+		boolean result = true;
+		
+		if (hasRequiredRoles(reportsCommon)) { 
+			result = isAuthorizedWithRoles(reportsCommon);
+		} else if (hasRequiredPermissions(reportsCommon)) {
+			result = isAuthoritzedWithPermissions(reportsCommon);
+		}
+		 		
+		return result;
+	}
+	
+	protected boolean isAuthorizedWithRoles(ReportsCommon reportCommon) {
+		boolean result = false;
+		
+		ForRoles forRolesList = reportCommon.getForRoles();
+		if (forRolesList != null) {
+			AccountResource accountResource = new AccountResource();
+			List<String> roleDisplayNameList = accountResource.getAccountRoles(AuthN.get().getUserId(), AuthN.get().getCurrentTenantId());
+			for (String target : forRolesList.getRoleDisplayName()) {
+				if (roleDisplayNameList.contains(target)) {
+					result = true;
+					break;
+				}
+			}
+		}
+		
+		return result;
+	}
+
 }
 
-- 
2.47.3