AnsweredAssumed Answered

Change 'any allow allows' permission schema.

Question asked by diegop on Feb 26, 2009
Latest reply on Jun 22, 2009 by diegop
Hi,
i have to implement a complex structure of permissions on the repository, based on denying access to a content in any case to all users that belongs to a group.

I don't have to implement a "single deny denis" permission schema, but "THAT deny always denis else any allow allows".

Searching on alfresco configuration files I found this bean:

    <bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions"><value>false</value></property>
        <property name="decisionVoters">
            <list>
                <ref local="roleVoter"/>
                <ref local="groupVoter"/>
                <ref local="aclEntryVoter"/>
            </list>
        </property>
    </bean>

This is a Acegi access manager that implements "any allow allows" permission schema.

is it sufficient to develope a custom Acegi access manager that implements my permission schema (replacing net.sf.acegisecurity.vote.AffirmativeBased) to deny access to a content to all users in a group that I define? even if "inherit parent permission" flag is set.

If it's useless my idea, what can I do to develope my permission schema? Which class I have to edit/add?

Thanks

Outcomes