
'Access Denied' when trying to deletePermission of a folder node.

Question asked by kooroshv on Dec 17, 2013
Latest reply on Sep 1, 2014 by mahesh33
I have a requirement around changing ownership of a group of contents which live in a folder. The folder holds an HTML article with a number of associated files, for example, images. Now I have implemented a Web JavaScript which in turn calls the following Java code to change ownership from the current owner to the new owner. Note, as is recommended, I am running it as the ‘admin’ user, since the current owner would not have enough privileges once his ‘FullControl’ access is removed. Note, I am disabling behavior and inheritance, but the source of the exception is not the ‘deletePermission’ call; it seems it comes at the very end of the script. Looking at the Alfresco source code, I see a commit happening at the very end.

public void removePermission1(ScriptNode article, ScriptNode articleFolder, String oldUserName, String newUserName) {
   final NodeRef articleNodeRef = article.getNodeRef();
   final NodeRef articleFolderNodeRef = articleFolder.getNodeRef();
   final ScriptNode folder = articleFolder;
   final String toBeRemovedUserName = oldUserName;
   final String newOwnerUserName = newUserName;

   AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork() {
      @Override
      public String doWork() {
         behaviourFilter.disableBehaviour();
         permissionService.setInheritParentPermissions(articleNodeRef, false);
         try {
            permissionService.deletePermission(articleFolderNodeRef, toBeRemovedUserName, PermissionService.FULL_CONTROL);
//            folder.save();
         } finally {
            behaviourFilter.enableBehaviour();
            permissionService.setInheritParentPermissions(articleNodeRef, true);
         }
         return "ok";
      }
   }, "admin");
}

When the program runs, we get the following exception:

2013-12-17 13:23:45,363  ERROR [extensions.webscripts.AbstractRuntime] [http-8080-3] Exception from executeScript - redirecting to status template error: 11171507 Failed to execute transaction-level behaviour public abstract void org.alfresco.repo.node.NodeServicePolicies$OnUpdatePropertiesPolicy.onUpdateProperties(org.alfresco.service.cmr.repository.NodeRef,java.util.Map,java.util.Map) in transaction a305d51d-c58b-4a7b-846d-312321524b00
org.alfresco.error.AlfrescoRuntimeException: 11171507 Failed to execute transaction-level behaviour public abstract void org.alfresco.repo.node.NodeServicePolicies$OnUpdatePropertiesPolicy.onUpdateProperties(org.alfresco.service.cmr.repository.NodeRef,java.util.Map,java.util.Map) in transaction a305d51d-c58b-4a7b-846d-312321524b00
   at org.alfresco.repo.policy.TransactionBehaviourQueue.execute(TransactionBehaviourQueue.java:257)
   at org.alfresco.repo.policy.TransactionBehaviourQueue.beforeCommit(TransactionBehaviourQueue.java:134)
   at org.alfresco.repo.transaction.AlfrescoTransactionSupport$TransactionSynchronizationImpl.doBeforeCommit(AlfrescoTransactionSupport.java:747)
   at org.alfresco.repo.transaction.AlfrescoTransactionSupport$TransactionSynchronizationImpl.doBeforeCommit(AlfrescoTransactionSupport.java:727)
   at org.alfresco.repo.transaction.AlfrescoTransactionSupport$TransactionSynchronizationImpl.beforeCommit(AlfrescoTransactionSupport.java:687)
   at org.springframework.transaction.support.TransactionSynchronizationUtils.triggerBeforeCommit(TransactionSynchronizationUtils.java:95)
   at org.springframework.transaction.support.AbstractPlatformTransactionManager.triggerBeforeCommit(AbstractPlatformTransactionManager.java:927)
   at org.springframework.transaction.support.AbstractPlatformTransactionManager.processCommit(AbstractPlatformTransactionManager.java:737)
   at org.springframework.transaction.support.AbstractPlatformTransactionManager.commit(AbstractPlatformTransactionManager.java:723)
   at org.springframework.transaction.interceptor.TransactionAspectSupport.commitTransactionAfterReturning(TransactionAspectSupport.java:393)
   at org.alfresco.util.transaction.SpringAwareUserTransaction.commit(SpringAwareUserTransaction.java:472)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:423)
   at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:479)
   at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:517)
   at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:333)
   at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:377)
   at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:209)
   at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:132)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291)
   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
   at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
   at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
   at java.lang.Thread.run(Thread.java:662)
Caused by: org.alfresco.repo.security.permissions.AccessDeniedException: 11171506 Access Denied.  You do not have the appropriate permissions to perform this operation.
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:50)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:159)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.transaction.RetryingTransactionInterceptor$1.execute(RetryingTransactionInterceptor.java:79)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:401)
   at org.alfresco.repo.transaction.RetryingTransactionInterceptor.invoke(RetryingTransactionInterceptor.java:69)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
   at $Proxy15.setProperty(Unknown Source)
   at org.alfresco.repo.version.Version2ServiceImpl.createVersion(Version2ServiceImpl.java:358)
   at org.alfresco.repo.version.Version2ServiceImpl.createVersion(Version2ServiceImpl.java:136)
   at org.alfresco.repo.version.VersionableAspect.createVersionImpl(VersionableAspect.java:534)
   at org.alfresco.repo.version.VersionableAspect.onUpdateProperties(VersionableAspect.java:514)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.alfresco.repo.policy.JavaBehaviour$JavaMethodInvocationHandler.invoke(JavaBehaviour.java:173)
   at $Proxy32.onUpdateProperties(Unknown Source)
   at sun.reflect.GeneratedMethodAccessor317.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.alfresco.repo.policy.TransactionBehaviourQueue.execute(TransactionBehaviourQueue.java:245)
   … 34 more
Caused by: net.sf.acegisecurity.AccessDeniedException: Access is denied.
   at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:86)
   at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:398)
   at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
   … 57 more

Looking at the exception, it seems the execution fails when it tries to update the versionableAspect on the article node. To test my hypothesis, I turned off auto-versioning by adding the following line to the alfresco-global.properties file:

version.store.enableAutoVersioning=false

Now the code runs successfully and the parent folder has the correct permission for the new owner.

First, is my understanding correct? If so, how would I disable the behavior for this run? Should I try from the Java code? There is a JavaScript API for disabling rules, utils.disableRule(), but none for behavior.
 
Any help is appreciated here.

Koorosh
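
Added example, not part of the original post and not Alfresco's own code: in the stack trace the denied setProperty call runs from TransactionBehaviourQueue.beforeCommit of the web script's transaction, which commits after runAs has returned and the caller's identity is back in effect. The sketch below commits the permission change in its own transaction inside the runAs block and switches off only the versionable aspect on the one node; the class name FolderPermissionHelper, the method name removeFullControl and the Spring-injected fields are assumptions.

```java
import org.alfresco.model.ContentModel;
import org.alfresco.repo.policy.BehaviourFilter;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.transaction.TransactionService;

// Hypothetical helper class; the three services are assumed to be injected by Spring.
public class FolderPermissionHelper {
    private BehaviourFilter behaviourFilter;
    private PermissionService permissionService;
    private TransactionService transactionService;

    public void setBehaviourFilter(BehaviourFilter f) { this.behaviourFilter = f; }
    public void setPermissionService(PermissionService p) { this.permissionService = p; }
    public void setTransactionService(TransactionService t) { this.transactionService = t; }

    public void removeFullControl(final NodeRef articleNodeRef,
                                  final NodeRef folderNodeRef,
                                  final String oldUserName) {
        final RetryingTransactionCallback<Void> work = new RetryingTransactionCallback<Void>() {
            @Override
            public Void execute() throws Throwable {
                // Narrow scope: only the versionable aspect, only on this node,
                // instead of disabling every behaviour in the transaction.
                behaviourFilter.disableBehaviour(articleNodeRef, ContentModel.ASPECT_VERSIONABLE);
                try {
                    permissionService.deletePermission(
                            folderNodeRef, oldUserName, PermissionService.FULL_CONTROL);
                } finally {
                    behaviourFilter.enableBehaviour(articleNodeRef, ContentModel.ASPECT_VERSIONABLE);
                }
                return null;
            }
        };

        AuthenticationUtil.runAs(new RunAsWork<Void>() {
            @Override
            public Void doWork() throws Exception {
                // readOnly=false, requiresNew=true: the inner transaction commits here,
                // so its beforeCommit behaviours still run as the elevated user.
                return transactionService.getRetryingTransactionHelper()
                        .doInTransaction(work, false, true);
            }
        }, "admin");
    }
}
```

Because the inner transaction is separate, it does not see uncommitted changes made earlier in the web script's transaction, and it stays committed even if the outer transaction later rolls back.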
