AnsweredAssumed Answered

People group security

Question asked by idwright on Nov 21, 2013
Latest reply on Jan 3, 2014 by jpotts
I'm trying to implement group based security for people as listed at http://wiki.alfresco.com/wiki/Security_and_Authentication#To_Do

Actually in more detail I want to restrict people search etc so that you can only see people who are members of the same site (or members of a named group can see anybody)

The obvious(!) approach seems to be to add to the PersonService_security bean in public-services-security-context.xml

e.g.
org.alfresco.service.cmr.security.PersonService.getPerson=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties,AFTER_ACL_SHARED_SITE.GROUP_peopleFinders
org.alfresco.service.cmr.security.PersonService.getPeople=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties,AFTER_ACL_SHARED_SITE.GROUP_peopleFinders

however there are some flaws with this

In org.alfresco.repo.jscript.People#List<PersonInfo> getPeopleImpl if getPeopleImplSearch is used then
1) it's not using PersonService.getPeople
2) if it's using FTS and afterwards PersonService.getPerson throws a AccessDeniedException(NoSuchPersonException?) (or returns null) then it will cause an error (which in the case of an exception will fall through thereby giving the desired result but not in a good way)
This, I think, would be a relatively simple change although I'm not sure whether to catch an exception (and which exception would be better to use) or use the getPersonOrNull method and ignore the null
e.g.

                // FTS
                List<NodeRef> personRefs = getPeopleImplSearch(filter, pagingRequest, sortBy, sortAsc);
               
                if (personRefs != null)
                {
                    persons = new ArrayList<PersonInfo>(personRefs.size());
                    for (NodeRef personRef : personRefs)
                    {
                   try
                   {
                       persons.add(personService.getPerson(personRef));
                   } catch (AccessDeniedException ade) {
                       //Ignored
                   }
                    }
                }

Firstly any thoughts on this?

Secondly what should the behaviour of the personService methods be?- getPeople/getAllPeople is relatively straightforward - just remove results with no access from the result set but should getPersonOrNull,personExists throw an exception (which one?) or return null/false?, what should getPerson do (given that it may be expected to create a non-existent person)? etc

I'm sure there are other implications which I haven't considered yet
1) Search - I don't think people are included so should be OK but there may be things I haven't thought of
2) Shared Files - if you have access to see a file but don't have access to the connected people what should happen?
3) More things I haven't thought of/come across yet….

Outcomes