
Custom Permission

Question asked by gabriel.silva on Jul 18, 2016
Good afternoon everyone, all good?

I need a little help. I've been racking my brain trying to create a custom permission in Alfresco Community 5.1, something like "ReadOnly", to build a model that allows viewing only, with no download option and no copy option. I have already edited the <strong>permissionsDefinition.xml</strong> file, creating the "ReadOnly" group and the "Restricted" permission, which would serve to keep ReadOnly from downloading and copying. The parts of the file I changed:


========= File permissionsDefinition.xml ==================================================

      <!-- ============================================= -->
      <!-- Convenient groupings of low level permissions -->
      <!-- ============================================= -->
     
      <permissionGroup name="Read"  expose="true" allowFullControl="false">
           <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
           <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
           <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
      </permissionGroup>
      
      <permissionGroup name="Write" expose="true" allowFullControl="false">
           <includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>
           <includePermissionGroup type="sys:base" permissionGroup="WriteContent"/>
      </permissionGroup> 
      
      <permissionGroup name="Delete" expose="true" allowFullControl="false">
           <includePermissionGroup type="sys:base" permissionGroup="DeleteNode"/>
           <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
      </permissionGroup>
      
      <permissionGroup name="AddChildren" expose="true" allowFullControl="false">
           <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
           <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
      </permissionGroup>
      
      <permissionGroup name="Execute" allowFullControl="false" expose="false">
          <includePermissionGroup type="sys:base" permissionGroup="ExecuteContent"/>
      </permissionGroup>

      <!-- new "Read Only" permission -->
      <permissionGroup name="ReadOnly" allowFullControl="false" expose="false" >
      </permissionGroup>

========================================================================================

     <!-- Groups for low level permissions -->
      
      <permissionGroup name="ReadProperties" expose="true" allowFullControl="false" /> 
      <permissionGroup name="ReadChildren" expose="true" allowFullControl="false" /> 
      <permissionGroup name="WriteProperties" expose="true" allowFullControl="false" /> 
      <permissionGroup name="ReadContent" expose="false" allowFullControl="false" /> 
      <permissionGroup name="WriteContent" expose="false" allowFullControl="false" /> 
      <permissionGroup name="ExecuteContent" expose="false" allowFullControl="false" /> 
      <permissionGroup name="DeleteNode" expose="true" allowFullControl="false" /> 
      <permissionGroup name="DeleteChildren" expose="true" allowFullControl="false" /> 
      <permissionGroup name="CreateChildren" expose="true" allowFullControl="false" /> 
      <permissionGroup name="LinkChildren" expose="true" allowFullControl="false" /> 
      <permissionGroup name="DeleteAssociations" expose="true" allowFullControl="false" /> 
      <permissionGroup name="ReadAssociations" expose="true" allowFullControl="false" /> 
      <permissionGroup name="CreateAssociations" expose="true" allowFullControl="false" /> 
      <permissionGroup name="ReadPermissions" expose="true" allowFullControl="false" /> 
      <permissionGroup name="ChangePermissions" expose="true" allowFullControl="false" /> 
      <permissionGroup name="Restricted" expose="true" allowFullControl="false" />

========================================================================================

      <!-- =========== -->
      <!-- Permissions -->
      <!-- =========== -->
   
      <!-- The permission to read properties on a node                                    -->
      <!--                                                                                -->
      <!-- The properties of a node may only be read if there is read access to the parent -->
      <!-- node. ReadChildren access to the parent node is recursive for all nodes from   -->
      <!-- which the node inherits permissions. Access is required down the permission    -->
      <!-- tree at all points.                                                           -->
      <!--                                                                                -->

      <permission name="_Restricted" expose="false" >
        <grantedToGroup permissionGroup="Restricted" />
      </permission>

      <permission name="_ReadProperties" expose="false" >
         <grantedToGroup permissionGroup="ReadProperties" />
         <!-- Commented out parent permission check …
         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
         -->
      </permission>
     
      <!-- The permission to read the children of a node                                 -->
      <!--                                                                               -->
      <!-- This permission is recursive. It requires the same permission is granted to   -->
      <!-- all of the parent nodes from which this node inherits permissions             -->
      <!--                                                                               -->
     
      <permission name="_ReadChildren" expose="false" >
         <grantedToGroup permissionGroup="ReadChildren" />
         <!-- Commented out parent permission check …
         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
         -->
      </permission>
     


=================================================================================================

   <permissionSet type="cm:cmobject" expose="selected">
      
       <!-- Kept for backward compatibility - the administrator permission has   -->
      <!-- been removed to avoid confusion -->
      <permissionGroup name="Administrator" allowFullControl="true" expose="false" >
         <includePermissionGroup permissionGroup="Restricted" type="sys:base" />
      </permissionGroup>
    
      <!-- A coordinator can do anything to the object or its children unless the     -->
      <!-- permissions are set not to inherit or permission is denied.                 -->
      <permissionGroup name="Coordinator" allowFullControl="true" expose="true" >
         <includePermissionGroup permissionGroup="Restricted" type="sys:base" />
      </permissionGroup>
     
      <!-- A collaborator can do anything that an editor and a contributor can do -->
      <permissionGroup name="Collaborator" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Editor" type="cm:cmobject" />
         <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
         <includePermissionGroup permissionGroup="Restricted" type="sys:base" />
      </permissionGroup>
     
      <!-- A contributor can create content and then they have full permission on what -->
      <!-- they have created - via the permissions assigned to the owner.              -->
      <permissionGroup name="Contributor" allowFullControl="false" expose="true" >
          <!-- Contributor is a consumer who can add content, and then can modify via the -->
          <!-- owner permissions.                                                      -->
          <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
          <includePermissionGroup permissionGroup="AddChildren" type="sys:base" />
          <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
         <includePermissionGroup permissionGroup="Restricted" type="sys:base" />
      </permissionGroup>
     
      <!-- An editor can read and write to the object; they can not create    -->
      <!-- new nodes. They can check out content into a space to which they have       -->
      <!-- create permission.                                                          -->
      <permissionGroup name="Editor"  expose="true" allowFullControl="false" >
          <includePermissionGroup type="cm:cmobject" permissionGroup="Consumer"/>
          <includePermissionGroup type="sys:base" permissionGroup="Write"/>
          <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
          <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
         <includePermissionGroup permissionGroup="Restricted" type="sys:base" />
      </permissionGroup>
     
      <!-- The Consumer permission allows read to everything by default.                  -->
      <permissionGroup name="Consumer" allowFullControl="false" expose="true" >
          <includePermissionGroup permissionGroup="Read" type="sys:base" />
         <includePermissionGroup permissionGroup="Restricted" type="sys:base" />
      </permissionGroup>

      <!-- Read Only                                                                      -->
      <permissionGroup name="ReadOnly" allowFullControl="false" expose="true" >
           <includePermissionGroup permissionGroup="Read" type="sys:base" />
      </permissionGroup>
     
      <!-- records permission -->
      <!-- Should be tied to the aspect -->
      <!-- ownership should be removed when using this permission -->
      <permissionGroup name="RecordAdministrator" allowFullControl="false" expose="false">
          <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
          <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>
          <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
          <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
          <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>
          <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>
          <includePermissionGroup type="sys:base" permissionGroup="Restricted"/>
      </permissionGroup>
      
   </permissionSet>

====================================================================================================

   <permissionSet type="cm:content" expose="selected">

      <!-- Content specific roles.                                                       -->
     
      <permissionGroup name="Coordinator" extends="true" expose="true"/>
      <permissionGroup name="Collaborator" extends="true" expose="true"/>
      <permissionGroup name="Contributor" extends="true" expose="true"/>
      <permissionGroup name="Editor" extends="true" expose="true"/>
      <permissionGroup name="Consumer" extends="true" expose="true"/>
      <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
      <permissionGroup name="ReadOnly" extends="true" expose="true"/>
     
   </permissionSet>
   
   
    <permissionSet type="cm:folder" expose="selected">

      <!-- Content folder specific roles.                                                       -->
     
      <permissionGroup name="Coordinator" extends="true" expose="true"/>
      <permissionGroup name="Collaborator" extends="true" expose="true"/>
      <permissionGroup name="Contributor" extends="true" expose="true"/>
      <permissionGroup name="Editor" extends="true" expose="true"/>
      <permissionGroup name="Consumer" extends="true" expose="true"/>
      <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
      <permissionGroup name="ReadOnly" extends="true" expose="true"/>

   </permissionSet>

==============================================================================================




And also the <strong>sitePermissionsDefinition.xml</strong> file, as shown below:


======================= File sitePermissionsDefinition.xml ================================

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE permissions >

<permissions>
   
    <!-- Namespaces used in type references -->
   
   <namespaces>
      <namespace uri="http://www.alfresco.org/model/system/1.0" prefix="sys"/>
      <namespace uri="http://www.alfresco.org/model/content/1.0" prefix="cm"/>
      <namespace uri="http://www.alfresco.org/model/site/1.0" prefix="st"/>
   </namespaces>
  
   <!-- ============================================ -->
   <!-- Permissions specific to the wiki integration -->
   <!-- ============================================ -->
  
   <permissionSet type="st:site" expose="selected">
  
      <permissionGroup name="SiteManager" allowFullControl="true" expose="true" />
     
      <permissionGroup name="SiteCollaborator" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Collaborator" type="cm:cmobject" />
      </permissionGroup>
     
      <permissionGroup name="SiteContributor" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
      </permissionGroup>
     
      <permissionGroup name="SiteConsumer" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject" />
         <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
      </permissionGroup>

      <!-- Expose SiteReadOnly -->
      <permissionGroup name="SiteReadOnly" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="ReadOnly" type="sys:base" />
      </permissionGroup>
     
   </permissionSet>

</permissions>

==================================================================================================


I also added the two files to <strong> custom-mode-context.xml </strong>:


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>


 
<beans>


   <!-- Permissions Definitions -->

      <!-- Bootstrap the permission model -->

      <bean id="extend_PermissionModel" parent="permissionModelBootstrap">

          <property name="model" value="alfresco/extension/permissionsDefinitions.xml"/>

      </bean>



   <!-- Z3R0 MOD -->

      <!-- Bootstrap the site permission model -->

      <bean id="extend_sitePermissionModel" parent="permissionModelBootstrap">

          <property name="model" value="alfresco/extension/sitePermissionModelExtension.xml"/>

      </bean>



</beans>

=====================================================================================================


Up to this point the ReadOnly permission group shows up and I can apply it to any user. I then modified the <strong> share-documentlibrary-config.xml </strong> file to test whether the download would be blocked:


      <!--

         Action definitions

      -->

      <actions>

         <!-- Download document -->

         <action id="document-downlad" type="link" label="actions.document.download">

            <param name="href">{downloadUrl}</param>

            <param name="target">_blank</param>

       <permissions>

               <permission allow="true">Restricted</permission>

            </permissions>

            <evaluator>evaluator.doclib.action.downloadBrowser</evaluator>

            <evaluator>evaluator.doclib.action.hasContent</evaluator>

         </action>

========================================================================================================


I restarted the Alfresco service, however the download option disappears, both for ReadOnly and for the other groups. I ran the same test on the "Copy To" option and the same thing happens, and I can't find the error. I've already looked at the logs, but none of them reports an error in any of the changed files. Has anyone tried something similar and had it work?

Cheers.
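
An added example, not part of the original post and not Alfresco's own code: a small Python resolver that expands the includePermissionGroup references in a permission model and lists what each role actually includes. The embedded model is a constructed condensation of the excerpts in the post, and it assumes the first excerpt belongs to the sys:base permission set.

```python
import xml.etree.ElementTree as ET
# Constructed sample: condensed from the excerpts in the post above.
# Assumption: the first excerpt (Read, empty ReadOnly) sits in the sys:base set.
MODEL = """<permissions>
 <permissionSet type="sys:base">
  <permissionGroup name="Read">
   <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
   <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
   <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
  </permissionGroup>
  <permissionGroup name="ReadOnly"/>
  <permissionGroup name="Restricted"/>
 </permissionSet>
 <permissionSet type="cm:cmobject">
  <permissionGroup name="Consumer">
   <includePermissionGroup type="sys:base" permissionGroup="Read"/>
   <includePermissionGroup type="sys:base" permissionGroup="Restricted"/>
  </permissionGroup>
  <permissionGroup name="ReadOnly">
   <includePermissionGroup type="sys:base" permissionGroup="Read"/>
  </permissionGroup>
 </permissionSet>
 <permissionSet type="st:site">
  <permissionGroup name="SiteReadOnly">
   <includePermissionGroup type="sys:base" permissionGroup="ReadOnly"/>
  </permissionGroup>
 </permissionSet>
</permissions>"""

def load(xml_text):
    """Map (set type, group name) -> directly included (type, name) pairs."""
    groups = {}
    for pset in ET.fromstring(xml_text).iter("permissionSet"):
        for grp in pset.findall("permissionGroup"):
            groups[(pset.get("type"), grp.get("name"))] = [
                (inc.get("type"), inc.get("permissionGroup"))
                for inc in grp.findall("includePermissionGroup")]
    return groups

def effective(groups, key, seen=None):
    """Names of every group reachable from key via includePermissionGroup."""
    seen = set() if seen is None else seen
    for inc in groups.get(key, []):
        if inc not in seen:          # guards against include cycles
            seen.add(inc)
            effective(groups, inc, seen)
    return sorted(name for _, name in seen)

GROUPS = load(MODEL)
for role in [("cm:cmobject", "ReadOnly"), ("st:site", "SiteReadOnly")]:
    print(role, effective(GROUPS, role))
```

On this sample the cm:cmobject ReadOnly role still resolves to ReadContent, while SiteReadOnly resolves only to the empty sys:base ReadOnly group because the include names type sys:base rather than cm:cmobject.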
