
Permissions Granted When Aspect Is Applied

Question asked by alejandrogarciaseco on Feb 4, 2014
Latest reply on Feb 4, 2014 by jpotts
Hi folks,

I know this is an issue that has been addressed several times in the forums:

http://forums.alfresco.com/forum/developer-discussions/content-modeling/permissions-controlled-based-content-aspects-10022006
http://forums.alfresco.com/forum/developer-discussions/content-modeling/permission-aspect-05022008-1510

And there is also some documentation that tackles the matter:

http://wiki.alfresco.com/wiki/Security_and_Authentication#How_to_add_your_own_type_or_aspect.2C_assign_permissions_for_it.2C_configure_it_and_secure_a_service_that_uses_it_….

http://wiki.alfresco.com/wiki/PermissionModelDTD

In a few words, I'm trying to grant the existing permission group 'CreateChildren' to 'Consumer' if a specific aspect is applied. This is what I have added to my custom 'permissionDefinitions.xml' (I have omitted the default XML content):

1. Import my custom namespace.


    <namespaces>
        <namespace uri="http://www.alfresco.org/model/system/1.0" prefix="sys"/>
        <namespace uri="http://www.alfresco.org/model/content/1.0" prefix="cm"/>
        <namespace uri="http://www.alfresco.org/model/wcmmodel/1.0" prefix="wcm"/>
        <namespace uri="http://www.alfresco.org/model/wcmappmodel/1.0" prefix="wca"/>
       
        <namespace uri="http://www.alfresco.org/model/mynamespace/1.0" prefix="my"/>
    </namespaces>


2. Define a permission group for 'my:aspect' aspect. I want this permission group to include the existing 'CreateChildren' permission group.


    <permissionSet type="my:aspect" expose="selected">
   
        <permissionGroup name="CreateComments" requiresType="true" expose="false">
            <includePermissionGroup permissionGroup="CreateChildren" type="sys:base" />
        </permissionGroup>
   
    </permissionSet>


3. Grant the previously defined permission group to the 'Consumer' role for type 'my:aspect'.


        <!-- The Consumer permission allows read to everything by default.                  -->
        <permissionGroup name="Consumer" allowFullControl="false" expose="true" >
            <includePermissionGroup type="sys:base" permissionGroup="Read"/>
            <includePermissionGroup type="my:aspect" permissionGroup="CreateComment"/>
        </permissionGroup>


The result of this setup is that users with the 'Consumer' role can create children in any site by default, regardless of whether the aspect is applied on the node or not. Am I doing anything wrong? Is this the result expected for such a configuration?

Since I have taken the 'ownable' model as an example, I'm wondering whether the problem might be the fact that I'm using the existing permission 'CreateChildren' instead of completely defining custom low-level permissions and permission groups. I have also noticed that there is a service for the 'ownable' aspect; might I need to implement my service as well? I don't think so, since this service looks to have to do with policy implementation, which I don't think I need as far as I'm concerned.

Thanks.
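
An added example, not part of the original post and not Alfresco code: a structural check for permission definitions like the fragments above, listing every `includePermissionGroup` reference whose named group is not defined in the referenced type's `permissionSet`. The wrapping `<permissions>` root and the placement of the 'Consumer' group directly under it are assumptions made so the posted fragments parse as one document; sets omitted from the post (such as `sys:base`) are reported as not checked.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's fragments wrapped in one root element (assumption).
SAMPLE = """
<permissions>
  <permissionSet type="my:aspect" expose="selected">
    <permissionGroup name="CreateComments" requiresType="true" expose="false">
      <includePermissionGroup permissionGroup="CreateChildren" type="sys:base"/>
    </permissionGroup>
  </permissionSet>
  <permissionGroup name="Consumer" allowFullControl="false" expose="true">
    <includePermissionGroup type="sys:base" permissionGroup="Read"/>
    <includePermissionGroup type="my:aspect" permissionGroup="CreateComment"/>
  </permissionGroup>
</permissions>
"""

def check_includes(xml_text):
    """Classify each includePermissionGroup as (owner group, type, included group).

    unresolved: the type has a permissionSet in this document, but no group
                with the included name is defined in it.
    external:   the type has no permissionSet in this document, so the
                reference cannot be checked here.
    """
    root = ET.fromstring(xml_text)
    defined = {}  # permissionSet type -> names of the groups it defines
    for pset in root.iter("permissionSet"):
        names = defined.setdefault(pset.get("type"), set())
        names.update(g.get("name") for g in pset.findall("permissionGroup"))
    unresolved, external = [], []
    for group in root.iter("permissionGroup"):
        for inc in group.findall("includePermissionGroup"):
            ref = (group.get("name"), inc.get("type"), inc.get("permissionGroup"))
            if ref[1] not in defined:
                external.append(ref)
            elif ref[2] not in defined[ref[1]]:
                unresolved.append(ref)
    return unresolved, external

if __name__ == "__main__":
    unresolved, external = check_includes(SAMPLE)
    for owner, typ, name in unresolved:
        print(f"UNRESOLVED: {owner} includes {typ}/{name}, not defined in that set")
    for owner, typ, name in external:
        print(f"not checked: {owner} includes {typ}/{name} (set not in this file)")
```

The check is purely structural: it says nothing about how the permission model evaluates an unresolved reference, only that the name does not match any group defined in the same file.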
