AnsweredAssumed Answered

Setting permissions on new person node

Question asked by anwar on Apr 19, 2007
Latest reply on Jun 5, 2007 by andy
We are trying to add the possibility for a group of users (other than administrator(s)) to be able to add users to the system. For now, we put users with this right in a group called "ausers".

When looking into the finish()-method in the NewUserWizard, I can see that creating a new user basically boils down to these three method calls to the service layer (I ignore the setup of a home
space etc):

// create the node to represent the Person
NodeRef newPerson = this.personService.createPerson(props);

// ensure the user can access their own Person object
this.permissionService.setPermission(newPerson, this.userName, permissionService.getAllPermission(), true);

// create the ACEGI Authentication instance for the new user
this.authenticationService.createAuthentication(this.userName, this.password.toCharArray());

By setting the following lines in public-services-security-context.xml, I have been able to give the permission to call the first and third of the above lines to the group "ausers":

org.alfresco.service.cmr.security.AuthorityService.createAuthority=ACL_METHOD.ROLE_ADMINISTRATOR,ACL_METHOD.GROUP_agroup1
org.alfresco.service.cmr.security.PersonService.createPerson=ACL_METHOD.ROLE_ADMINISTRATOR,ACL_METHOD.GROUP_agroup1

However, the second line (setPermission…) of Java code still results in an AccessDeniedException. Apparently, the creating user has no permissions whatsoever on the node he created with createPerson().

Exploring further, I see that the PersonServiceImpl.createPerson()-method basically creates a new node of type Person, which is a child of the "peoplecontainer":

nodeService.createNode(getPeopleContainer(), ContentModel.ASSOC_CHILDREN, ContentModel.TYPE_PERSON, ContentModel.TYPE_PERSON, properties)

From what I have understood from the documentation, a node inherits permissions from its parent. I therefore added the required permissions to the "peoplecontainer" by running this code as admin:

permissionService.setPermission(getPeopleContainer(), "agroup1", PermissionService.CHANGE_PERMISSIONS, true);

The method permissionService.getInheritParentPermissions() returns "true" on both the "peoplecontainer" and the newly created persons/nodes. I then expected the newly created persons/nodes to inherit the change_permissions-permission from "peoplecontainer", but this is apparently not the case, the nodes are still created without any permissions for the creating user. I would assume this could be because the "peoplecontainer" and the new user are nodes of different types.

So, my question is this: how can I make sure that the new persons/nodes  are created with proper permissions set to the creating user? I understand that this might involve changing the logic within one or more system services.

Outcomes