Change 'any allow allows' permission schema.

diegop — Thu, 26 Feb 2009 09:32:35 GMT

Hi, i have to implement a complex structure of permissions on the repository, based on denying access to a content in any case to all users that belongs to a group.I don't have to implement a "single deny denis" permission schema, but "THAT deny always denis else any allow allows".Searching on alfre

Re: Change 'any allow allows' permission schema.

andy — Thu, 26 Feb 2009 15:45:29 GMT

Hi

It is not that simple - that does it after the alfresco permissoin evaluator has said yes.

In PermissionServiceImpl there is some code that may well be OK ….

Look for

// any deny denies

if (false)

This was a first cut at toggling this behaviour. You cna give it a go 🙂

Andy

Re: Change 'any allow allows' permission schema.

diegop — Mon, 22 Jun 2009 12:38:11 GMT

Hi

It is not that simple - that does it after the alfresco permissoin evaluator has said yes.

In PermissionServiceImpl there is some code that may well be OK ….

Look for

// any deny denies

if (false)

This was a first cut at toggling this behaviour. You cna give it a go 🙂

Andy

Thank you Andy,
and sorry if I reply after 3 months :mrgreen:

But only few days ago I could study the problem above.

I resolved my problem by a "custom" class ACLEntryAfterInvocationProvider.

I added the check for denying access by customizing these methods in ACLEntryAfterInvocationProvider.java

    private ChildAssociationRef decide(Authentication authentication, Object object, ConfigAttributeDefinition config,
            ChildAssociationRef returnedObject) throws AccessDeniedException

    private Collection decide(Authentication authentication, Object object, ConfigAttributeDefinition config,
            Collection returnedObject) throws AccessDeniedException

    private NodeRef decide(
            Authentication authentication,
            Object object,
            ConfigAttributeDefinition config,
            NodeRef returnedObject) throws AccessDeniedException

    private Object[] decide(Authentication authentication, Object object, ConfigAttributeDefinition config,
            Object[] returnedObject) throws AccessDeniedException

    private ResultSet decide(Authentication authentication, Object object, ConfigAttributeDefinition config,
            ResultSet returnedObject) throws AccessDeniedException‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

More specifically I added in that methods the logic to resolve this problem –> http://forums.alfresco.com/en/viewtopic.php?f=5&t=16569&start=0&st=0&sk=t&sd=a&hilit=security+level

Now I have a customized Alfresco where if a document has an "high" security level, a user with "low" security level won't ever see it!
Cheers

topic Re: Change 'any allow allows' permission schema. in Alfresco Archive

Change 'any allow allows' permission schema.

Re: Change 'any allow allows' permission schema.

Re: Change 'any allow allows' permission schema.