
Permissions, Role incorrectly assigned for user on space?

Question asked by jamen on Nov 14, 2008
Latest reply on Nov 18, 2008 by lpiguet
Hi Guys,

I've been scouring the web/wiki/forums etc. and I'm trying to obtain some clear answers on how permissions work in Alfresco. Hopefully with your assistance you can give me a clear direction on why I am experiencing the issues I'm facing. I have provided the custom fragment for the permissionDefinitions.xml file; if anyone can assist it would be greatly appreciated.

      <!-- A collaborator can do anything that a contributor can do -->
      <permissionGroup name="LMRM_RecOfficer" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject"/>
      </permissionGroup>
      <!-- records permission -->
      <!-- Should be tied to the aspect -->
      <!-- ownership should be removed when using this permission -->
      <permissionGroup name="LMRM_RecAdministrator" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="LMRM_RecOfficer" type="cm:cmobject"/>
      </permissionGroup>

There are two permission groups defined for assignment (by role) in the sample permissions file. These are LMRM_RecOfficer and LMRM_RecAdministrator respectively. Note that these permissions extend from the Contributor permission group.

1. Create a folder "Test Space" in company home
2. Set the "Test Space" space not to inherit permissions and invite a test user rmadmin to have LMRM_RecAdministrator permissions and another user rmofficer to have LMRM_RecOfficer permissions on the space.
3. Set the "Test Space" to inherit permissions to the children
4. Using the rmofficer user create a space "Test Term" under "Test Space", the permissions should inherit to the child.

This is what I'm observing and believe to be correct (if this isn't what you would expect please comment):-
1. rmofficer should have full access (including delete) on "Test Term" as they are the owner?
2. rmofficer should not have delete access on "Test Space" as they only have the LMRM_RecOfficer role.

The issue I have is this. When I use permissionService.hasPermission(<Test_Term NODEREF>, "LMRM_RecAdministrator"), it returned "AccessStatus.ALLOWED". I would expect this to be "AccessStatus.DENIED" but this is not the case. I have not explicitly assigned any other permissions to either of the test spaces in question.

The ultimate goal I am trying to achieve is to allow a user to create a space, but if they do not have a particular role they SHOULDN'T have delete access to the node.  Hence I'm trying to revoke delete permissions.  The problem is that I can't ascertain whether I should revoke the permission at this stage.
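
A diagnostic for the hasPermission result described in the question, added here as an example and not part of the original post: it reports the node's owner, its inheritance flag, the permission entries set for it, and the check result for a named user, so the source of an unexpected ALLOWED can be narrowed down. The class name PermissionAudit and the Spring-injected setters are assumptions; it should be called from a context that is allowed to read the node's permissions.

```java
import java.util.Set;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.OwnableService;
import org.alfresco.service.cmr.security.PermissionService;

/** Hypothetical helper (not Alfresco code); both services are assumed to be injected by Spring. */
public class PermissionAudit {
    private PermissionService permissionService;
    private OwnableService ownableService;

    public void setPermissionService(PermissionService s) { this.permissionService = s; }
    public void setOwnableService(OwnableService s) { this.ownableService = s; }

    /** Collects the inputs to the access decision for one node, user and permission name. */
    public String report(final NodeRef node, final String user, final String permission) {
        StringBuilder out = new StringBuilder();

        // In the question, rmofficer created "Test Term", so ownership is one input to compare.
        out.append("owner=").append(ownableService.getOwner(node)).append('\n');
        out.append("inheritsFromParent=")
           .append(permissionService.getInheritParentPermissions(node)).append('\n');

        // Every authority/permission entry the service reports as set for this node.
        Set<AccessPermission> entries = permissionService.getAllSetPermissions(node);
        for (AccessPermission e : entries) {
            out.append("entry: ").append(e.getAuthority()).append(" -> ")
               .append(e.getPermission()).append(" (").append(e.getAccessStatus()).append(")\n");
        }

        // Evaluate the check as the user in question rather than as the calling user.
        AccessStatus status = AuthenticationUtil.runAs(
            new AuthenticationUtil.RunAsWork<AccessStatus>() {
                public AccessStatus doWork() throws Exception {
                    return permissionService.hasPermission(node, permission);
                }
            }, user);
        out.append("hasPermission(").append(permission).append(") as ")
           .append(user).append(" = ").append(status).append('\n');
        return out.toString();
    }
}
```

Running report(...) for "Test Term" and for "Test Space" with user rmofficer and permission "LMRM_RecAdministrator" shows whether the two results differ and which of the reported inputs differs with them.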