
PermissionService.setPermission to deny access to file owner

Question asked by francesco.lilli on Feb 10, 2014
Latest reply on Feb 10, 2014 by francesco.lilli
Hi,

I'm experiencing an issue with the PermissionService.
Say I have a file called "test.txt" whose owner has the username "bob". The file is inside the documentLibrary (three or four levels deep).
Since "bob" is the owner, he has full permissions on the file. At some point I have to deny write access to all users, including its owner (and if possible the super-user "admin", but that doesn't matter).

To achieve my goal I'm calling this Java function, which makes use of PermissionService:


public void removeWritePermissionFromFile(NodeRef fileNodeRef) {

    // Dump the permission state before the change
    System.out.println("All set permissions: " + permissionService.getAllSetPermissions(fileNodeRef));
    System.out.println("Current file permissions: " + permissionService.getPermissions(fileNodeRef));
    System.out.println("hasWritePermission: " + permissionService.hasPermission(fileNodeRef, PermissionService.WRITE));
    System.out.println("hasConsumerPermission: " + permissionService.hasPermission(fileNodeRef, PermissionService.CONSUMER));
    System.out.println("hasContributorPermission: " + permissionService.hasPermission(fileNodeRef, PermissionService.CONTRIBUTOR));
    System.out.println("hasCoordinatorPermission: " + permissionService.hasPermission(fileNodeRef, PermissionService.COORDINATOR));

    // Stop inheriting permissions from the parent folder
    permissionService.setInheritParentPermissions(fileNodeRef, false);
    System.out.println("INHERITANCE BROKEN.");

    // Deny Write, Contributor and Coordinator to all authorities; allow Consumer
    permissionService.setPermission(fileNodeRef, PermissionService.ALL_AUTHORITIES, PermissionService.WRITE, false);
    permissionService.setPermission(fileNodeRef, PermissionService.ALL_AUTHORITIES, PermissionService.CONTRIBUTOR, false);
    permissionService.setPermission(fileNodeRef, PermissionService.ALL_AUTHORITIES, PermissionService.COORDINATOR, false);
    permissionService.setPermission(fileNodeRef, PermissionService.ALL_AUTHORITIES, PermissionService.CONSUMER, true);

    // Dump the permission state again after the change
    System.out.println("NEW All set permissions: " + permissionService.getAllSetPermissions(fileNodeRef));
    System.out.println("NEW file permissions: " + permissionService.getPermissions(fileNodeRef));
    System.out.println("NEW hasWritePermission: " + permissionService.hasPermission(fileNodeRef, PermissionService.WRITE));
    System.out.println("NEW hasConsumerPermission: " + permissionService.hasPermission(fileNodeRef, PermissionService.CONSUMER));
    System.out.println("NEW hasContributorPermission: " + permissionService.hasPermission(fileNodeRef, PermissionService.CONTRIBUTOR));
    System.out.println("NEW hasCoordinatorPermission: " + permissionService.hasPermission(fileNodeRef, PermissionService.COORDINATOR));
}


The function "removeWritePermissionFromFile" is called with the NodeRef of "test.txt" as a parameter; the calling user is "bob". The output is:

All set permissions: [ALLOWED Read - GROUP_EVERYONE (EVERYONE), ALLOWED Read - bob (USER)]
Current file permissions: [ALLOWED Contributor - bob (USER), ALLOWED Consumer - bob (USER), ALLOWED Editor - bob (USER), ALLOWED Collaborator - bob (USER), ALLOWED Coordinator - bob (USER), ALLOWED All_Users - bob (USER)]
hasWritePermission: ALLOWED
hasConsumerPermission: ALLOWED
hasContributorPermission: ALLOWED
hasCoordinatorPermission: ALLOWED
INHERITANCE BROKEN.
NEW All set permissions: [ALLOWED Read - GROUP_EVERYONE (EVERYONE), ALLOWED Consumer - GROUP_EVERYONE (EVERYONE), ALLOWED Read - bob (USER), DENIED Contributor - GROUP_EVERYONE (EVERYONE), DENIED Write - GROUP_EVERYONE (EVERYONE), DENIED Coordinator - GROUP_EVERYONE (EVERYONE)]
NEW file permissions: [ALLOWED Contributor - admin (USER), ALLOWED Consumer - admin (USER), ALLOWED Editor - admin (USER), ALLOWED Collaborator - admin (USER), ALLOWED Coordinator - admin (USER), ALLOWED All_Users - admin (USER)]
NEW hasWritePermission: ALLOWED
NEW hasConsumerPermission: ALLOWED
NEW hasContributorPermission: ALLOWED
NEW hasCoordinatorPermission: ALLOWED


As shown in the logs, the permissions seem to be set correctly (at least it says DENIED exactly where it's supposed to: Write, Coordinator, Contributor. Note that I've used the roles Coordinator and Contributor just for debugging purposes, although I simply need to deny further writes). But the logs also say that the file still has write, contributor and coordinator permissions (for user "bob", I guess). Indeed, bob can still modify the file as he wants.

I have also tried to call the "setPermission" function just for the group "site1", which is a group made up of all the people who have access to the site "site1". Bob only has access to "site1", and the file is under "documentLibrary/Sites/site1".


….
permissionService.setPermission(fileNodeRef, "GROUP_site_site1", PermissionService.WRITE, false);
….

The result doesn't change.
Any advice?
