
New permission to prevent deletion of custom aspect

Question asked by itzamna on Dec 18, 2014
Latest reply on Feb 18, 2015 by itzamna
Hi,

I have the following goal to achieve:
Once my custom aspect has been applied to any node, it should never be possible to remove it from this node again - except by users of a defined group.

The way to go is:
1) Create a new permissionSet and extend the Alfresco permission model with it
2) Create a behavior for the "onRemoveAspect" and check via the PermissionService class whether the user has permission to remove the aspect (I'm using Java)

What I've done so far:
I've created a new permissionDefinitions.xml for my module and I've extended the existing Alfresco permission model with it in the service-context.xml (as mentioned here: http://docs.alfresco.com/4.0/concepts/secur-permissions.html at the very end):

    <bean id="my.unique.permissionBootstrap" parent="permissionModelBootstrap">
        <property name="model" value="alfresco/module/${artifactId}/models/permissionDefinitions.xml"/>
    </bean>

Then I've created the behavior and bound it to the policy for the "onRemoveAspect". This works, the Java class will be invoked if I remove my aspect from any node.

My problem now is that I do not know exactly how to create the content of the permissionDefinition.xml. I've read some documentation, but I do not understand how to implement it in detail so that it fits my requirement. This is my current approach:


<permissions>
    <namespaces>
        <namespace uri="http://www.someco.com/model/myModel/1.0" prefix="mxCustomType" />
        <namespace uri="http://www.alfresco.org/model/system/1.0" prefix="sys"/>
    </namespaces>

    <permissionSet type="mxCustomType:connectionSettingsAspect" expose="selected">
        <permissionGroup name="myModelPreventAspectDeletion" requiresType="true" expose="false">
            <includePermissionGroup type="sys:base" permissionGroup="Read"/>
            <includePermissionGroup type="sys:base" permissionGroup="Write"/>
            <includePermissionGroup type="sys:base" permissionGroup="AddChildren"/>
            <includePermissionGroup type="sys:base" permissionGroup="Execute"/>
            <!-- All except delete -->
        </permissionGroup>
    </permissionSet>
</permissions>


I've included all permission groups except "Delete". My understanding of this is that if I now add this new permission group (myModelPreventAspectDeletion) to any user, this user will not be able to delete the aspect, right?
But the goal is exactly the other way around! And here I'm struggling… Actually, I have to insert the "Delete" in the above code (because only users with this permission are allowed to remove the aspect), but then I need something else, where the deletion will be denied by default and regardless of any permission. Do I have to override some core code of the default permissionDefinitions.xml?
And finally the question: How can I add the new permission group to any user in Alfresco?


Regards,
Itzamna
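
The check described in step 2 of the question, as an added example (not part of the original post and not the poster's code): a behaviour bound to the aspect that denies removal by default and lets it through only when the current user holds a dedicated permission on the node. The class and package names, the Spring wiring (setters plus `init` as init-method) and the permission name `RemoveConnectionSettingsAspect` are assumptions; that permission is assumed to be defined in the module's permissionDefinitions.xml and granted only to the privileged group.

```java
package com.someco.behaviour; // hypothetical package name

import org.alfresco.repo.node.NodeServicePolicies;
import org.alfresco.repo.policy.Behaviour.NotificationFrequency;
import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.QName;

public class ProtectAspectBehaviour implements NodeServicePolicies.OnRemoveAspectPolicy {

    // Aspect named in the question's permissionSet (namespace URI + local name).
    static final QName ASPECT = QName.createQName(
            "http://www.someco.com/model/myModel/1.0", "connectionSettingsAspect");

    // Assumption: hypothetical permission name, defined in the module's
    // permissionDefinitions.xml and granted only to the privileged group.
    static final String REMOVE_PERMISSION = "RemoveConnectionSettingsAspect";

    private PolicyComponent policyComponent;
    private PermissionService permissionService;

    public void setPolicyComponent(PolicyComponent pc) { this.policyComponent = pc; }
    public void setPermissionService(PermissionService ps) { this.permissionService = ps; }

    // Spring init-method: bind to the protected aspect only, so removing
    // other aspects never reaches this check.
    public void init() {
        policyComponent.bindClassBehaviour(
                NodeServicePolicies.OnRemoveAspectPolicy.QNAME, ASPECT,
                new JavaBehaviour(this, "onRemoveAspect", NotificationFrequency.EVERY_EVENT));
    }

    @Override
    public void onRemoveAspect(NodeRef nodeRef, QName aspectTypeQName) {
        // Default deny: anything other than an explicit ALLOWED (DENIED or
        // UNDETERMINED) blocks the removal. Throwing here fails the calling
        // operation and rolls back the surrounding transaction, so the
        // aspect stays on the node.
        AccessStatus status = permissionService.hasPermission(nodeRef, REMOVE_PERMISSION);
        if (status != AccessStatus.ALLOWED) {
            throw new AccessDeniedException(
                    "Removing " + aspectTypeQName + " requires " + REMOVE_PERMISSION);
        }
    }
}
```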

