AnsweredAssumed Answered

security and permission versroles on spaces is there a bug ?

Question asked by federico.tesei on Dec 19, 2007
Latest reply on Jan 7, 2008 by federico.tesei
Hi I'm developing on this stack

Alfresco 2.1 Community on JBoss 4.2 GA.

I' experiencing a strange behaviour I suspect may be a bug and ask help
to clarify if I'm mistaken instead.

Scenario:

I've defined:

a) three spaces   [ Collector ]  [ Draft ]  [ Pending Approval ]  

b) two groups { Providers } { Editors }

c) two simple work-flow action on the space:

load on Collector  that move from 'Collector' to 'Draft'

submit on Draft  that move from 'Draft' to 'Pending approval'

d) two user:

provider belonging to {Providers } group

editor   belonging to { Editors } group

Invited

e) {providers } on [ Collector ] with contributor role

f) { Editors } on
      [ Collector ] with coordinator role  ( to have delete permission )
      [ Draft  ] with coordinator role  ( to have delete permission )
      [ Pending Approv ] contributor role ( to have add but not edit permission


g) log as user provider go to [Collector] Space and add Contents X 
h) logout as provider
i)  login as user editor go to  [Collector] Space  and perform 'load' action on X; X is moved to  [Draft ] Space 
j) go to [Draft] space and perform 'submit' action on X  that fail


Result:

I get the attached error error on web client/application server log:

I succeed if I invite {Editors} on [ Pending approval ] with 'Collaborator role instead. The difference between Contributor an  Collaborator roles is that Collaborator has edit permission added.
To move to [ Pending approval ] I do not need edit permission.
I think this is a bug in Alfresco security policy. Isn't it ?

Thanks for your help and to be with me till here :)

federico
   


web client side :

Failed to approve the document due to system error: Unknown Exception in Transaction.


Application Server side:


2007-12-19 18:03:48,137 INFO  [STDOUT] 18:03:48,135 ERROR [ui.common.Utils] Failed to approve the document due to system error: Unknown Exception in Transaction.
org.alfresco.error.AlfrescoRuntimeException: Unknown Exception in Transaction.
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:292)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:155)
        at org.alfresco.web.bean.BaseDetailsBean.approve(BaseDetailsBean.java:556)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.myfaces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:132)
        at javax.faces.component.UICommand.broadcast(UICommand.java:89)
        at javax.faces.component.UIViewRoot._broadcastForPhase(UIViewRoot.java:97)
        at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:171)
        at org.apache.myfaces.lifecycle.InvokeApplicationExecutor.execute(InvokeApplicationExecutor.java:32)
        at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
        at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:139)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.alfresco.web.app.servlet.AuthenticationFilter.doFilter(AuthenticationFilter.java:81)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:595)
Caused by: javax.transaction.RollbackException: Transaction didn't commit: Access Denied.  You do not have the appropriate permissions to perform this operation.
        at org.alfresco.util.transaction.SpringAwareUserTransaction.commit(SpringAwareUserTransaction.java:430)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:239)


Outcomes