From 9caaefa91558a004c0cba494429184aefbfa2300 Mon Sep 17 00:00:00 2001
From: Richard Millet <remillet@berkeley.edu>
Date: Thu, 12 Apr 2012 19:42:57 -0700
Subject: [PATCH] CSPACE-4964: Fixing bugs related to authority item workflow
 related permissions.

---
 .../OSGI-INF/default-life-cycle-contrib.xml   |  7 +---
 .../common/vocabulary/AuthorityResource.java  | 16 +++++++---
 .../client/test/PermissionServiceTest.java    |  2 +-
 .../services/client/AuthorityClient.java      |  2 +-
 .../services/client/AuthorityClientImpl.java  |  4 +--
 .../services/client/AuthorityProxy.java       |  7 ++--
 .../client/test/AbstractServiceTestImpl.java  |  6 ++--
 .../client/workflow/WorkflowClient.java       |  1 +
 .../tenants/tenant-bindings-proto.xml         | 32 +------------------
 ...tMultiPartCollectionSpaceResourceImpl.java |  2 +-
 .../services/common/ServiceMain.java          |  2 +-
 .../AuthorizationCommon.java                  | 13 +-------
 .../common/security/SecurityInterceptor.java  |  4 +--
 .../common/security/SecurityUtils.java        | 21 ++++++++++++
 14 files changed, 51 insertions(+), 68 deletions(-)

diff --git a/3rdparty/nuxeo/nuxeo-platform-collectionspace/src/main/resources/OSGI-INF/default-life-cycle-contrib.xml b/3rdparty/nuxeo/nuxeo-platform-collectionspace/src/main/resources/OSGI-INF/default-life-cycle-contrib.xml
index 3d605cde6..038f3a7fd 100644
--- a/3rdparty/nuxeo/nuxeo-platform-collectionspace/src/main/resources/OSGI-INF/default-life-cycle-contrib.xml
+++ b/3rdparty/nuxeo/nuxeo-platform-collectionspace/src/main/resources/OSGI-INF/default-life-cycle-contrib.xml
@@ -45,9 +45,6 @@
         <transition name="lock" destinationState="locked">
           <description>Lock document</description>
         </transition>
-        <transition name="unlock" destinationState="project">
-          <description>Unlock the document</description>
-        </transition>
         <transition name="delete" destinationState="deleted">
           <description>Move document to trash (temporary delete)</description>
         </transition>
@@ -63,9 +60,7 @@
           </transitions>
         </state>
         <state name="locked" description="Locked state">
-          <transitions>
-            <transition>unlock</transition>
-          </transitions>
+        	<!-- No transitions allowed from locked state. -->
         </state>
         <state name="deleted" description="Document is deleted">
           <transitions>
diff --git a/services/authority/service/src/main/java/org/collectionspace/services/common/vocabulary/AuthorityResource.java b/services/authority/service/src/main/java/org/collectionspace/services/common/vocabulary/AuthorityResource.java
index 8e1c5d5a4..bf47c2dae 100644
--- a/services/authority/service/src/main/java/org/collectionspace/services/common/vocabulary/AuthorityResource.java
+++ b/services/authority/service/src/main/java/org/collectionspace/services/common/vocabulary/AuthorityResource.java
@@ -56,12 +56,14 @@ import org.collectionspace.services.common.vocabulary.nuxeo.AuthorityItemDocumen
 import org.collectionspace.services.common.workflow.service.nuxeo.WorkflowDocumentModelHandler;
 import org.collectionspace.services.config.ClientType;
 import org.collectionspace.services.jaxb.AbstractCommonList;
+import org.collectionspace.services.lifecycle.TransitionDef;
 import org.collectionspace.services.nuxeo.client.java.DocumentModelHandler;
 import org.collectionspace.services.nuxeo.client.java.RemoteDocumentModelHandlerImpl;
 import org.collectionspace.services.nuxeo.client.java.RepositoryJavaClientImpl;
 import org.collectionspace.services.relation.RelationResource;
 import org.collectionspace.services.relation.RelationsCommonList;
 import org.collectionspace.services.relation.RelationshipType;
+import org.collectionspace.services.workflow.WorkflowCommon;
 import org.jboss.resteasy.util.HttpResponseCodes;
 import org.nuxeo.ecm.core.api.DocumentModel;
 import org.nuxeo.ecm.core.api.repository.RepositoryInstance;
@@ -550,18 +552,22 @@ public abstract class AuthorityResource<AuthCommon, AuthItemHandler>
     }
 
     @PUT
-    @Path("{csid}/items/{itemcsid}" + WorkflowClient.SERVICE_PATH)
-    public byte[] updateWorkflow(
+    @Path("{csid}/items/{itemcsid}" + WorkflowClient.SERVICE_PATH + "/{transition}")
+    public byte[] updateItemWorkflowWithTransition(
             @PathParam("csid") String csid,
             @PathParam("itemcsid") String itemcsid,
-            String xmlPayload) {
+            @PathParam("transition") String transition) {
         PoxPayloadOut result = null;
         try {
+        	PoxPayloadIn input = new PoxPayloadIn(WorkflowClient.SERVICE_PAYLOAD_NAME, new WorkflowCommon(), 
+        			WorkflowClient.SERVICE_COMMONPART_NAME);
+
             ServiceContext<PoxPayloadIn, PoxPayloadOut> parentCtx = createServiceContext(getItemServiceName());
             String parentWorkspaceName = parentCtx.getRepositoryWorkspaceName();
 
-            PoxPayloadIn workflowUpdate = new PoxPayloadIn(xmlPayload);
-            MultipartServiceContext ctx = (MultipartServiceContext) createServiceContext(WorkflowClient.SERVICE_NAME, workflowUpdate);
+            TransitionDef transitionDef = getTransitionDef(parentCtx, transition);
+            MultipartServiceContext ctx = (MultipartServiceContext) createServiceContext(WorkflowClient.SERVICE_NAME, input);
+            ctx.setProperty(WorkflowClient.TRANSITION_ID, transitionDef);
             WorkflowDocumentModelHandler handler = createWorkflowDocumentHandler(ctx);
             ctx.setRespositoryWorkspaceName(parentWorkspaceName); //find the document in the parent's workspace
             getRepositoryClient(ctx).update(ctx, itemcsid, handler);
diff --git a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java
index 11b044f82..3b254001e 100644
--- a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java
+++ b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java
@@ -146,7 +146,7 @@ public class PermissionServiceTest extends AbstractServiceTestImpl<PermissionsLi
         try {
 	        assertStatusCode(res, testName);
 	        PermissionsList list = res.getEntity(PermissionsList.class);
-	        int EXPECTED_ITEMS = 4; //seeded permissions
+	        int EXPECTED_ITEMS = 4 + 6; //4 seeded base resource permissions and 6 workflow permissions
 	        int actual = list.getPermission().size();
 	        if (logger.isDebugEnabled()) {
 	            logger.debug(testName + ": received = " + actual
diff --git a/services/client/src/main/java/org/collectionspace/services/client/AuthorityClient.java b/services/client/src/main/java/org/collectionspace/services/client/AuthorityClient.java
index f81c583fb..1dea28bba 100644
--- a/services/client/src/main/java/org/collectionspace/services/client/AuthorityClient.java
+++ b/services/client/src/main/java/org/collectionspace/services/client/AuthorityClient.java
@@ -147,5 +147,5 @@ public interface AuthorityClient<AUTHORITY_ITEM_TYPE, P extends AuthorityProxy>
     
     public ClientResponse<String> readItemWorkflow(String vcsid, String csid);
     
-    public ClientResponse<String> updateItemWorkflow(String vcsid, String csid, PoxPayloadOut workflowPayload);
+    public ClientResponse<String> updateItemWorkflowWithTransition(String vcsid, String csid, String workflowTransition);
 }
diff --git a/services/client/src/main/java/org/collectionspace/services/client/AuthorityClientImpl.java b/services/client/src/main/java/org/collectionspace/services/client/AuthorityClientImpl.java
index fbdda135d..a79d44844 100644
--- a/services/client/src/main/java/org/collectionspace/services/client/AuthorityClientImpl.java
+++ b/services/client/src/main/java/org/collectionspace/services/client/AuthorityClientImpl.java
@@ -198,8 +198,8 @@ public abstract class AuthorityClientImpl<AUTHORITY_ITEM_TYPE, P extends Authori
     }
     
 	@Override
-    public ClientResponse<String> updateItemWorkflow(String vcsid, String csid, PoxPayloadOut xmlPayload) {
-    	return getProxy().updateItemWorkflow(vcsid, csid, xmlPayload.getBytes());
+    public ClientResponse<String> updateItemWorkflowWithTransition(String vcsid, String csid, String workflowTransition) {
+    	return getProxy().updateItemWorkflowWithTransition(vcsid, csid, workflowTransition);
     }
 	
 }
diff --git a/services/client/src/main/java/org/collectionspace/services/client/AuthorityProxy.java b/services/client/src/main/java/org/collectionspace/services/client/AuthorityProxy.java
index 178f1409c..d10344f4e 100644
--- a/services/client/src/main/java/org/collectionspace/services/client/AuthorityProxy.java
+++ b/services/client/src/main/java/org/collectionspace/services/client/AuthorityProxy.java
@@ -148,9 +148,10 @@ public interface AuthorityProxy extends CollectionSpaceCommonListPoxProxy {
             
     //(U)pdate Item workflow
     @PUT
-    @Path("/{vcsid}/items/{csid}" + WorkflowClient.SERVICE_PATH)
-    ClientResponse<String> updateItemWorkflow(@PathParam("vcsid") String vcsid,
+    @Path("/{vcsid}/items/{csid}" + WorkflowClient.SERVICE_PATH + "/{transition}")
+    ClientResponse<String> updateItemWorkflowWithTransition(
+    		@PathParam("vcsid") String vcsid,
     		@PathParam("csid") String csid,
-    		byte[] xmlPayload);
+    		@PathParam("transition") String transition);
     
 }
diff --git a/services/client/src/main/java/org/collectionspace/services/client/test/AbstractServiceTestImpl.java b/services/client/src/main/java/org/collectionspace/services/client/test/AbstractServiceTestImpl.java
index 510ad38f2..7e3c1fb59 100644
--- a/services/client/src/main/java/org/collectionspace/services/client/test/AbstractServiceTestImpl.java
+++ b/services/client/src/main/java/org/collectionspace/services/client/test/AbstractServiceTestImpl.java
@@ -1041,7 +1041,7 @@ public abstract class AbstractServiceTestImpl<CLT, CPT, REQUEST_TYPE, RESPONSE_T
 
                 this.setupUpdate();
 
-                this.updateItemLifeCycleState(testName, parentCsid, csid, WorkflowClient.WORKFLOWSTATE_DELETED);
+                this.updateItemLifeCycleState(testName, parentCsid, csid, WorkflowClient.WORKFLOWTRANSITION_DELETE, WorkflowClient.WORKFLOWSTATE_DELETED);
                 //
                 // Read the list of existing non-deleted records
                 //
@@ -1065,7 +1065,7 @@ public abstract class AbstractServiceTestImpl<CLT, CPT, REQUEST_TYPE, RESPONSE_T
         }
     }
 
-    protected void updateItemLifeCycleState(String testName, String parentCsid, String itemCsid, String lifeCycleState) throws Exception {
+    protected void updateItemLifeCycleState(String testName, String parentCsid, String itemCsid, String workflowTransition, String lifeCycleState) throws Exception {
         //
         // Read the existing object
         //
@@ -1093,7 +1093,7 @@ public abstract class AbstractServiceTestImpl<CLT, CPT, REQUEST_TYPE, RESPONSE_T
         //
         // Perform the state change update
         //
-        res = client.updateItemWorkflow(parentCsid, itemCsid, output);
+        res = client.updateItemWorkflowWithTransition(parentCsid, itemCsid, workflowTransition);
         WorkflowCommon updatedWorkflowCommons = null;
         try {
 	        assertStatusCode(res, testName);
diff --git a/services/client/src/main/java/org/collectionspace/services/client/workflow/WorkflowClient.java b/services/client/src/main/java/org/collectionspace/services/client/workflow/WorkflowClient.java
index c3ea8854e..31ee013a9 100644
--- a/services/client/src/main/java/org/collectionspace/services/client/workflow/WorkflowClient.java
+++ b/services/client/src/main/java/org/collectionspace/services/client/workflow/WorkflowClient.java
@@ -51,6 +51,7 @@ public class WorkflowClient extends AbstractCommonListPoxServiceClientImpl<Workf
 	// DocumentHandler passed properties
 	//
 	public static final String TRANSITION_ID = "transition_id";
+	public static final String TRANSITION_PARAM_JAXRS = "transition";
 	//
 	// Service Query Params
 	//
diff --git a/services/common/src/main/cspace/config/services/tenants/tenant-bindings-proto.xml b/services/common/src/main/cspace/config/services/tenants/tenant-bindings-proto.xml
index 82464e5b0..f85f4e17e 100644
--- a/services/common/src/main/cspace/config/services/tenants/tenant-bindings-proto.xml
+++ b/services/common/src/main/cspace/config/services/tenants/tenant-bindings-proto.xml
@@ -76,7 +76,6 @@
 
     <!-- begin collectionobject service meta-data -->
     <tenant:serviceBindings id="CollectionObjects" name="CollectionObjects" type="object" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/collectionobjects/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
             <!--
             <service:uriPath xmlns:service='http://collectionspace.org/services/config/service'>
@@ -628,7 +627,6 @@
     <!-- begin blob service meta-data -->
 		<!-- This should likely be type="object" -->
     <tenant:serviceBindings id="Blobs" name="Blobs" type="utility" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/blobs/*/workflow/</service:uriPath>
       <service:repositoryDomain xmlns:service="http://collectionspace.org/services/config/service">default-domain</service:repositoryDomain>
       <service:documentHandler xmlns:service="http://collectionspace.org/services/config/service">org.collectionspace.services.blob.nuxeo.BlobDocumentModelHandler</service:documentHandler>
       <service:DocHandlerParams xmlns:service="http://collectionspace.org/services/config/service">
@@ -690,7 +688,6 @@
     
     <!-- begin intake service meta-data -->
     <tenant:serviceBindings id="Intakes" name="Intakes" type="procedure" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/intakes/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
             <!--
             <service:uriPath xmlns:service='http://collectionspace.org/services/config/service'>
@@ -834,7 +831,6 @@
         
     <!-- begin loanin service meta-data -->
     <tenant:serviceBindings id="Loansin" name="Loansin" type="procedure" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/loansin/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
             <!--
             <service:uriPath xmlns:service='http://collectionspace.org/services/config/service'>
@@ -990,7 +986,6 @@
     
     <!-- begin loanout service meta-data -->
     <tenant:serviceBindings id="Loansout" name="Loansout" type="procedure" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/loansout/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
             <!--
             <service:uriPath xmlns:service='http://collectionspace.org/services/config/service'>
@@ -1078,7 +1073,6 @@
     
     <!-- begin objectexit service meta-data -->
     <tenant:serviceBindings id="ObjectExit" name="ObjectExit" type="procedure" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/objectexit/*/workflow/</service:uriPath>
       <service:repositoryDomain xmlns:service="http://collectionspace.org/services/config/service">default-domain</service:repositoryDomain>
       <service:documentHandler xmlns:service="http://collectionspace.org/services/config/service">org.collectionspace.services.objectexit.nuxeo.ObjectExitDocumentModelHandler</service:documentHandler>
       <service:DocHandlerParams xmlns:service="http://collectionspace.org/services/config/service">
@@ -1151,7 +1145,6 @@
     
     <!-- begin batch service meta-data -->
     <tenant:serviceBindings id="Batch" name="Batch" type="utility" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/batch/*/workflow/</service:uriPath>
       <service:repositoryDomain xmlns:service="http://collectionspace.org/services/config/service">default-domain</service:repositoryDomain>
       <service:documentHandler xmlns:service="http://collectionspace.org/services/config/service">org.collectionspace.services.batch.nuxeo.BatchDocumentModelHandler</service:documentHandler>
       <service:DocHandlerParams xmlns:service="http://collectionspace.org/services/config/service">
@@ -1188,7 +1181,6 @@
     
     <!-- begin group service meta-data -->
     <tenant:serviceBindings id="Groups" name="Groups" type="procedure" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/groups/*/workflow/</service:uriPath>
       <service:repositoryDomain xmlns:service="http://collectionspace.org/services/config/service">default-domain</service:repositoryDomain>
       <service:documentHandler xmlns:service="http://collectionspace.org/services/config/service">org.collectionspace.services.group.nuxeo.GroupDocumentModelHandler</service:documentHandler>
       <service:DocHandlerParams xmlns:service="http://collectionspace.org/services/config/service">
@@ -1250,7 +1242,6 @@
     
     <!-- begin imports service meta-data -->
     <tenant:serviceBindings id="Imports" name="Imports" type="utility" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/imports/*/workflow/</service:uriPath>
       <service:repositoryDomain xmlns:service="http://collectionspace.org/services/config/service">default-domain</service:repositoryDomain>
       <service:documentHandler xmlns:service="http://collectionspace.org/services/config/service">org.collectionspace.services.imports.nuxeo.ImportsDocumentModelHandler</service:documentHandler>
       <service:DocHandlerParams xmlns:service="http://collectionspace.org/services/config/service">
@@ -1294,7 +1285,6 @@
     <!-- begin media service meta-data -->
 		<!-- This should likely be type="object" -->
      <tenant:serviceBindings id="Media" name="Media" type="procedure" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/media/*/workflow/</service:uriPath>
       <service:repositoryDomain xmlns:service="http://collectionspace.org/services/config/service">default-domain</service:repositoryDomain>
       <service:documentHandler xmlns:service="http://collectionspace.org/services/config/service">org.collectionspace.services.media.nuxeo.MediaDocumentModelHandler</service:documentHandler>
       <service:DocHandlerParams xmlns:service="http://collectionspace.org/services/config/service">
@@ -1411,7 +1401,6 @@
         
     <!-- begin movement service meta-data -->
     <tenant:serviceBindings id="Movements" name="Movements" type="procedure" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/movements/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
             <!--
             <service:uriPath xmlns:service='http://collectionspace.org/services/config/service'>
@@ -1547,7 +1536,6 @@
         
     <!-- begin report service meta-data -->
     <tenant:serviceBindings id="Reports" name="Reports" type="utility" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/reports/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
             <!--
             <service:uriPath xmlns:service='http://collectionspace.org/services/config/service'>
@@ -1597,8 +1585,6 @@
     
     <!-- begin vocabulary service meta-data -->
     <tenant:serviceBindings id="Vocabularies" name="Vocabularies" type="utility" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/vocabularies/*/workflow/</service:uriPath>
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/vocabularies/*/items/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
       <service:repositoryDomain xmlns:service="http://collectionspace.org/services/config/service">default-domain</service:repositoryDomain>
       <service:documentHandler xmlns:service="http://collectionspace.org/services/config/service">org.collectionspace.services.vocabulary.nuxeo.VocabularyDocumentModelHandler</service:documentHandler>
@@ -1663,7 +1649,6 @@
             Repository workspace so we have to configure that.
         -->
     <tenant:serviceBindings id="Vocabularyitems" name="Vocabularyitems" type="authority" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/vocabularyitems/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
       <!--
                         <service:uriPath xmlns:service='http://collectionspace.org/services/config/service'>
@@ -1726,8 +1711,6 @@
     
     <!-- begin orgauthority service meta-data -->
     <tenant:serviceBindings id="Orgauthorities" name="Orgauthorities" type="utility" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/orgauthorities/*/workflow/</service:uriPath>
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/orgauthorities/*/items/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
             <!--
             <service:uriPath xmlns:service='http://collectionspace.org/services/config/service'>
@@ -1895,8 +1878,6 @@
         
     <!-- begin personauthority service meta-data -->
     <tenant:serviceBindings id="Personauthorities" name="Personauthorities" type="utility" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/personauthorities/*/workflow/</service:uriPath>
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/personauthorities/*/items/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
             <!--
             <service:uriPath xmlns:service='http://collectionspace.org/services/config/service'>
@@ -2090,8 +2071,6 @@
         
     <!-- begin locationauthority service meta-data -->
     <tenant:serviceBindings id="Locationauthorities" name="Locationauthorities" type="utility" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/locationauthorities/*/workflow/</service:uriPath>
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/locationauthorities/*/items/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
             <!--
             <service:uriPath xmlns:service='http://collectionspace.org/services/config/service'>
@@ -2233,8 +2212,6 @@
     <!-- end location service meta-data -->
         <!-- begin placeauthority service meta-data -->
         <tenant:serviceBindings id="Placeauthorities" name="Placeauthorities" version="0.1">
-            <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/placeauthorities/*/workflow/</service:uriPath>
-            <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/placeauthorities/*/items/*/workflow/</service:uriPath>
             <!-- other URI paths using which this service could be accessed -->
             <!-- 
             <service:uriPath xmlns:service='http://collectionspace.org/services/config/service'>
@@ -2413,8 +2390,6 @@
         <!-- end place service meta-data -->
     <!-- begin taxonomyauthority service meta-data -->
     <tenant:serviceBindings id="Taxonomyauthority" name="Taxonomyauthority" type="utility" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/taxonomyauthority/*/workflow/</service:uriPath>
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/taxonomyauthority/*/items/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
             <!--
             <service:uriPath xmlns:service='http://collectionspace.org/services/config/service'>
@@ -2578,8 +2553,6 @@
     
     <!-- begin conceptauthority service meta-data -->
     <tenant:serviceBindings id="Conceptauthorities" name="Conceptauthorities" type="utility" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/conceptauthorities/*/workflow/</service:uriPath>
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/conceptauthorities/*/items/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
             <!--
             <service:uriPath xmlns:service='http://collectionspace.org/services/config/service'>
@@ -2722,7 +2695,6 @@
 
     <!-- begin acquisition service meta-data -->
     <tenant:serviceBindings id="Acquisitions" name="Acquisitions" type="procedure" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/acquisitions/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
             <!--
             <service:uriPath xmlns:service='http://collectionspace.org/services/config/service'>
@@ -2837,7 +2809,6 @@
     
     <!-- begin relation service meta-data -->
     <tenant:serviceBindings id="Relations" name="Relations" type="utility" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/relations/*/workflow/</service:uriPath>
             <!-- other URI paths through which this service could be accessed -->
       <service:repositoryDomain xmlns:service="http://collectionspace.org/services/config/service">default-domain</service:repositoryDomain>
       <service:documentHandler xmlns:service="http://collectionspace.org/services/config/service">org.collectionspace.services.relation.nuxeo.RelationDocumentModelHandler</service:documentHandler>
@@ -2986,7 +2957,7 @@
     <!-- begin dimension service meta-data -->
     <tenant:serviceBindings id="Dimensions" name="Dimensions" type="utility" version="0.1">
             <!-- other URI paths through which this service could be accessed -->
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/dimensions/*/workflow/</service:uriPath>
+      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/dimensions/workflow/</service:uriPath>
       <service:repositoryDomain xmlns:service="http://collectionspace.org/services/config/service">default-domain</service:repositoryDomain>
       <service:documentHandler xmlns:service="http://collectionspace.org/services/config/service">org.collectionspace.services.dimension.nuxeo.DimensionDocumentModelHandler</service:documentHandler>
       <service:object xmlns:service="http://collectionspace.org/services/config/service" name="Dimension" version="0.1">
@@ -3090,7 +3061,6 @@
     
     <!-- begin note service meta-data -->
     <tenant:serviceBindings id="Notes" name="Notes" type="utility" version="0.1">
-      <service:uriPath xmlns:service="http://collectionspace.org/services/config/service">/notes/*/workflow/</service:uriPath>
       <service:repositoryDomain xmlns:service="http://collectionspace.org/services/config/service">default-domain</service:repositoryDomain>
       <service:documentHandler xmlns:service="http://collectionspace.org/services/config/service">org.collectionspace.services.note.nuxeo.NoteDocumentModelHandler</service:documentHandler>
       <service:object xmlns:service="http://collectionspace.org/services/config/service" name="CSNote" version="0.1">
diff --git a/services/common/src/main/java/org/collectionspace/services/common/AbstractMultiPartCollectionSpaceResourceImpl.java b/services/common/src/main/java/org/collectionspace/services/common/AbstractMultiPartCollectionSpaceResourceImpl.java
index 9728a8dc2..217cf60e8 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/AbstractMultiPartCollectionSpaceResourceImpl.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/AbstractMultiPartCollectionSpaceResourceImpl.java
@@ -193,7 +193,7 @@ public abstract class AbstractMultiPartCollectionSpaceResourceImpl extends Abstr
         return result.getBytes();
     }
     
-    private TransitionDef getTransitionDef(ServiceContext<PoxPayloadIn, PoxPayloadOut> ctx, String transition) {
+    protected TransitionDef getTransitionDef(ServiceContext<PoxPayloadIn, PoxPayloadOut> ctx, String transition) {
     	TransitionDef result = null;
     	
     	try {
diff --git a/services/common/src/main/java/org/collectionspace/services/common/ServiceMain.java b/services/common/src/main/java/org/collectionspace/services/common/ServiceMain.java
index 0c98156ee..4fc06ff32 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/ServiceMain.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/ServiceMain.java
@@ -164,7 +164,7 @@ public class ServiceMain {
         // Create all the default user accounts and permissions
         //
         try {
-        	AuthorizationCommon.createDefaultPermissions(tenantBindingConfigReader);        	
+        	AuthorizationCommon.createDefaultWorkflowPermissions(tenantBindingConfigReader);        	
         	AuthorizationCommon.createDefaultAccounts(tenantBindingConfigReader);     
         } catch(Throwable e) {        	
         	logger.error("Default accounts and permissions setup failed with exception(s): " + e.getLocalizedMessage(), e);
diff --git a/services/common/src/main/java/org/collectionspace/services/common/authorization_mgt/AuthorizationCommon.java b/services/common/src/main/java/org/collectionspace/services/common/authorization_mgt/AuthorizationCommon.java
index 16f3153ab..90d4543e3 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/authorization_mgt/AuthorizationCommon.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/authorization_mgt/AuthorizationCommon.java
@@ -798,7 +798,7 @@ public class AuthorizationCommon {
 		return result;
 	}
 	
-    public static void createDefaultPermissions(TenantBindingConfigReaderImpl tenantBindingConfigReader) throws Exception //FIXME: REM - 4/11/2012 - Rename to createWorkflowPermissions
+    public static void createDefaultWorkflowPermissions(TenantBindingConfigReaderImpl tenantBindingConfigReader) throws Exception //FIXME: REM - 4/11/2012 - Rename to createWorkflowPermissions
     {
     	AuthZ.get().login(); //login to Spring Security manager
     	
@@ -820,17 +820,6 @@ public class AuthorizationCommon {
 		        	if (prop == null ? true : Boolean.parseBoolean(prop)) {
 			        		try {
 			        		em.getTransaction().begin();
-			        		//
-			        		// For the default admin role, create the base workflow (aka, "/workflow" permissions for the service.
-			        		Permission baseAdminPerm = createWorkflowPermission(tenantBinding, serviceBinding, null, ACTIONGROUP_CRUDL);
-			        		persist(em, baseAdminPerm, adminRole, true);
-			        		//
-			        		// For the default read-only role, create the base workflow (aka, "/workflow" permissions for the service.
-			        		Permission baseReadonlyPerm = createWorkflowPermission(tenantBinding, serviceBinding, null, ACTIONGROUP_RL);
-			        		persist(em, baseReadonlyPerm, readonlyRole, true);		        		
-			        		//
-			        		// Next, create a permission for each workflow transition supported by the service's document type.
-			        		//
 				        	TransitionDefList transitionDefList = getTransitionDefList(tenantBinding, serviceBinding);
 				        	for (TransitionDef transitionDef : transitionDefList.getTransitionDef()) {
 				        		//
diff --git a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityInterceptor.java b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityInterceptor.java
index 2bd6a0d59..6cc115505 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityInterceptor.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityInterceptor.java
@@ -137,8 +137,8 @@ public class SecurityInterceptor implements PreProcessInterceptor, PostProcessIn
 				// to perform a workflow state change and make sure they are allowed to to this.
 				//
 				if (uriPath.contains(WorkflowClient.SERVICE_PATH) == true) {
-					String workflowSubResName = SecurityUtils.getResourceName(request.getUri());
-					res = new URIResourceImpl(AuthN.get().getCurrentTenantId(), workflowSubResName, httpMethod);
+					String workflowProxyResource = SecurityUtils.getWorkflowResourceName(request);
+					res = new URIResourceImpl(AuthN.get().getCurrentTenantId(), workflowProxyResource, httpMethod);
 					if (authZ.isAccessAllowed(res) == false) {
 						logger.error("Access to " + resName + ":" + res.getId() + " is NOT allowed to "
 								+ " user=" + AuthN.get().getUserId());
diff --git a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityUtils.java b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityUtils.java
index 9d0df0934..796b1dbce 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityUtils.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityUtils.java
@@ -32,6 +32,7 @@ import java.util.StringTokenizer;
 import org.collectionspace.services.authorization.AuthZ;
 import org.collectionspace.services.authorization.CSpaceResource;
 import org.collectionspace.services.authorization.URIResourceImpl;
+import org.collectionspace.services.client.workflow.WorkflowClient;
 import org.collectionspace.services.config.service.ServiceBindingType;
 
 import javax.ws.rs.core.MultivaluedMap;
@@ -42,6 +43,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import org.jboss.crypto.digest.DigestCallback;
+import org.jboss.resteasy.spi.HttpRequest;
 import org.jboss.security.Base64Encoder;
 import org.jboss.security.Base64Utils;
 
@@ -98,6 +100,25 @@ public class SecurityUtils {
         }
     }
 
+    public static String getWorkflowResourceName(HttpRequest request) {
+    	String result = null;
+    			
+    	UriInfo uriInfo = request.getUri();
+    	String workflowSubResName = SecurityUtils.getResourceName(uriInfo);
+    	String resEntity = SecurityUtils.getResourceEntity(workflowSubResName);
+    	
+		MultivaluedMap<String, String> pathParams = uriInfo.getPathParameters();
+		String workflowTransition = pathParams.getFirst(WorkflowClient.TRANSITION_PARAM_JAXRS);
+		if (workflowTransition != null) {
+	    	result = resEntity + "/*/" + WorkflowClient.SERVICE_NAME + "/" + workflowTransition;
+		} else {
+			// e.g., intakes/workflow or intakes/*/workflow
+			result = resEntity;
+		}
+    	
+    	return result;
+    }
+    
 	/**
 	 * Gets the resource name.
 	 *
-- 
2.47.3