
Custom permission problem for moving/deleting

Question asked by jneeve on Aug 8, 2008
Latest reply on Jan 1, 2015 by ranjitsinh.reval
We want to set up Collaborators so that they can add/revise documents AND move them between spaces.

From what I can tell, a move requires deleteNode access, so I added that to the Collaborator group in permissionDefinitions.xml.

I've modified the permissions and now collaborators can move, but they can also DELETE documents in WebDAV. But NOT in the Alfresco GUI.

      <permissionGroup name="Collaborator" allowFullControl="false" expose="true">
        <includePermissionGroup permissionGroup="Editor" type="cm:cmobject" />
        <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
        <!-- Added to allow collaborators to move documents -->
        <includePermissionGroup permissionGroup="DeleteNode" type="sys:base" />
      </permissionGroup>

Everything is done over webscripts using Javascript, so the user doesn't use the Alfresco GUI. When a document is added, its ownership is given to 'Admin' so collaborators can't delete documents. (Hence having to try and give them enough rights to move the document.)

With this new permission, everything seems to work. They can add/revise documents and in Javascript I can perform a .move() command on a document fine.

When we return XML back to our custom GUI, we use Freemarker to determine if they can delete the document and it says the user can't.

<delete><#if document.hasPermission("Delete")>true<#else>false</#if></delete>

The Alfresco GUI also doesn't allow the user to delete the document. But when I tried mapping a WebDAV drive to double-check, I was able to delete the document fine. Seems like a big security hole...
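
The mismatch described in the post, as an added example that is not part of the original post or Alfresco's own code: a small audit that expands `includePermissionGroup` entries and lists roles that hold `DeleteNode` while a UI-side check for `Delete` would report false. The XML below is a constructed, flattened stand-in (only the Collaborator includes come from the post), and it assumes a role holds a permission only when its includes reach it transitively and that the delete operation itself is gated on `DeleteNode`.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for permissionDefinitions.xml (assumption).
# Only the three Collaborator includes are taken from the post.
SAMPLE = """
<permissionSet>
  <permissionGroup name="DeleteNode" type="sys:base"/>
  <permissionGroup name="DeleteChildren" type="sys:base"/>
  <permissionGroup name="Delete" type="cm:cmobject">
    <includePermissionGroup permissionGroup="DeleteNode" type="sys:base"/>
    <includePermissionGroup permissionGroup="DeleteChildren" type="sys:base"/>
  </permissionGroup>
  <permissionGroup name="Editor" type="cm:cmobject"/>
  <permissionGroup name="Contributor" type="cm:cmobject"/>
  <permissionGroup name="Collaborator" type="cm:cmobject">
    <includePermissionGroup permissionGroup="Editor" type="cm:cmobject"/>
    <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject"/>
    <includePermissionGroup permissionGroup="DeleteNode" type="sys:base"/>
  </permissionGroup>
</permissionSet>
"""

def load_groups(xml_text):
    """Map each permission group name to the groups it includes directly."""
    root = ET.fromstring(xml_text)
    return {g.get("name"): [i.get("permissionGroup")
                            for i in g.findall("includePermissionGroup")]
            for g in root.iter("permissionGroup")}

def effective(groups, name, seen=None):
    """Transitively expand a group into every group name it reaches."""
    seen = set() if seen is None else seen
    if name not in seen:
        seen.add(name)
        for child in groups.get(name, []):
            effective(groups, child, seen)
    return seen

def ui_enforcement_gaps(groups, ui_check="Delete", enforced="DeleteNode"):
    """Roles where the UI check is false but the enforced permission is held."""
    return sorted(role for role in groups
                  if role != enforced
                  and enforced in effective(groups, role)
                  and ui_check not in effective(groups, role))

if __name__ == "__main__":
    for role in ui_enforcement_gaps(load_groups(SAMPLE)):
        print(f"{role}: UI check 'Delete' is false, but 'DeleteNode' is granted")
```

Running the same expansion over a real permission model before deploying a custom role shows which low-level permissions the role actually carries, independent of what any one front end chooses to check.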