https://connect.hyland.com/t5/alfresco-archive/add-controls-on-cifs-webdav-access/m-p/226604#M179734 <HTML><HEAD></HEAD><BODY><SPAN>What you should probably be doing is changing the document's permissions based upon the value of the status rather than relying on the UI layers to enforce security for you.&nbsp;&nbsp; Then everything will work regardless of how you access content.</SPAN></BODY></HTML> Thu, 15 Jul 2010 16:44:46 GMT mrogers 2010-07-15T16:44:46Z https://connect.hyland.com/t5/alfresco-archive/add-controls-on-cifs-webdav-access/m-p/226603#M179733 Hi,I'm delopping on Alfresco 3.2r Community. I've changed the model so that a document has a property "status" that can take differents values (Draft, Approuved, Obsolete, …).I've added evaluators on differents actions and now a document can't be modified when its status is Approuved or Obsolete wit Thu, 15 Jul 2010 16:28:44 GMT https://connect.hyland.com/t5/alfresco-archive/add-controls-on-cifs-webdav-access/m-p/226603#M179733 mlagneaux 2010-07-15T16:28:44Z https://connect.hyland.com/t5/alfresco-archive/add-controls-on-cifs-webdav-access/m-p/226604#M179734 <HTML><HEAD></HEAD><BODY><SPAN>What you should probably be doing is changing the document's permissions based upon the value of the status rather than relying on the UI layers to enforce security for you.&nbsp;&nbsp; Then everything will work regardless of how you access content.</SPAN></BODY></HTML> Thu, 15 Jul 2010 16:44:46 GMT https://connect.hyland.com/t5/alfresco-archive/add-controls-on-cifs-webdav-access/m-p/226604#M179734 mrogers 2010-07-15T16:44:46Z https://connect.hyland.com/t5/alfresco-archive/add-controls-on-cifs-webdav-access/m-p/226605#M179735 <HTML><HEAD></HEAD><BODY><SPAN>Thank you for your answer. However, it raises other questions.</SPAN><BR /><BR /><SPAN>Is it possible to restrict the permissions granted to the owner of a document and to admin users ? For example, a document with Approuved or Obsolete status should not be modified by its owner or an admin.</SPAN><BR /><BR /><SPAN>When you're talking about "changing the document's permissions", do you think about the roles affected to users and groups for this document or is it possible to work at a lower level ?</SPAN></BODY></HTML> Fri, 16 Jul 2010 09:19:19 GMT https://connect.hyland.com/t5/alfresco-archive/add-controls-on-cifs-webdav-access/m-p/226605#M179735 mlagneaux 2010-07-16T09:19:19Z https://connect.hyland.com/t5/alfresco-archive/add-controls-on-cifs-webdav-access/m-p/226606#M179736 <HTML><HEAD></HEAD><BODY><SPAN>To solve my problem, I'm looking on DynamicAuthority.</SPAN><BR /><BR /><SPAN>First, I've made the following test</SPAN><BR /><SPAN>- I commented out permissionGroup WriteContent in permissionGroup Write. As a matter of fact, collaborators can't modify the content of a node by default ;</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;permissionGroup name="Write" expose="true" allowFullControl="false"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– <BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;includePermissionGroup type="sys:base" permissionGroup="WriteContent"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/permissionGroup&gt;&nbsp; <BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><SPAN>- I've created a new dynamicAuthority which gives authority ROLE_WRITER_ACCORDING_STATUS according to the status of the document. This authority granted permissionGroup WriteContent.</SPAN><BR /><PRE class="language-none line-numbers"><CODE>&lt;globalPermission permission="WriteContent" authority="ROLE_WRITER_ACCORDING_STATUS" /&gt;<SPAN class="line-numbers-rows"><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>Here is hasAuthority method of my class :</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR />&nbsp;&nbsp;&nbsp;public boolean hasAuthority(final NodeRef nodeRef, String userName) {<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;System.out.println("WriterAccordingStatusDynamicAuthority#hasAuthority("+nodeRef+", "+userName+")");<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return AuthenticationUtil.runAs(new RunAsWork&lt;Boolean&gt;(){<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; public Boolean doWork() throws Exception<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; boolean hasAuthority = true;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;// find its type so we can see if it's a node we are interested in<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; QName type = nodeService.getType(nodeRef);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// make sure the type is defined in the data dictionary<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;TypeDefinition typeDef = dictionaryService.getType(type);<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (typeDef != null)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// Look for Content node<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (dictionaryService.isSubClass(type, ContentModel.TYPE_CONTENT)){<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;String name = (String)nodeService.getProperty(nodeRef, ContentModel.PROP_NAME);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;System.out.println("WriterAccordingStatusDynamicAuthority#hasAuthority =&gt; Type CONTENT : "+name);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// Get the status of the node<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;String status = (String)nodeService.getProperty(nodeRef, CeaModel.PROP_STATUS);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// If the status is different from draft or approval in progress, the authority is denied<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(!CeaModel.STATUS_DRAFT.equals(status) &amp;&amp; !CeaModel.STATUS_APPROVAL_IN_PROGRESS.equals(status)){<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;hasAuthority = false;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;System.out.println("WriterAccordingStatusDynamicAuthority#hasAuthority =&gt; "+hasAuthority);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return hasAuthority;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }}, AuthenticationUtil.getSystemUserName());<BR />&nbsp;&nbsp;&nbsp;}<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>It works as expected. It enables me to give WriteContent permission only if the status of the node makes it possible.</SPAN><BR /><BR /><SPAN>The problem is that this solution gives also WriteContent permission to Consumers.</SPAN><BR /><BR /><SPAN>I've tried to solve this problem like this :</SPAN><BR /><SPAN>- I've put back permissionGroup WriteContent in permissionGroup Write.</SPAN><BR /><SPAN>- I've created a new permission and the related permissionGroup :</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;permissionGroup name="WriteAccordingStatus" expose="false" allowFullControl="false" /&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;permission name="_WriteAccordingStatus" expose="false"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;grantedToGroup permissionGroup="WriteAccordingStatus" /&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/permission&gt;<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><SPAN>- I've modified permission _WriteContent. I've added a requiredPermission tag :</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;permission name="_WriteContent" expose="false"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;grantedToGroup permissionGroup="WriteContent" /&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– Commented out parent permission check …<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;requiredPermission on="parent" name="_ReadChildren" implies="false"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;requiredPermission on="node" name="_WriteAccordingStatus" implies="false"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/permission&gt;<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><SPAN>- I've commented out my globalPermission on authority ROLE_WRITER_ACCORDING_STATUS.</SPAN><BR /><BR /><SPAN>With this config, my permission _WriteAccordingStatus is never granted, so I thought that my users will not have WriteContent permission (thanks to requiredPermission tag). But, that's not the case.</SPAN><BR /><SPAN>I think I've missed something about permissions configuration.</SPAN><BR /><BR /><SPAN>How can I give WriteContent permission only to collaborators having a permissionGroup granted thanks to my dynamicAuthority ?</SPAN><BR /><BR /><BR /><SPAN>Moreover, I'm asking a question about admin users, coordinators and owner of a node. All of them have permission FullControl. In my final solution, I want to delete WriteContent permission for this user. My first solution is to define a new permissionGroup FullControlWithoutWriteContent which includes Collaborator permissionGroup (modified to solve my first problem) and to add remaining permissions.</SPAN><BR /><SPAN>Do you think about an easiest way ?</SPAN><BR /><BR /><SPAN>Thanks for your help.</SPAN></BODY></HTML> Fri, 23 Jul 2010 10:16:48 GMT https://connect.hyland.com/t5/alfresco-archive/add-controls-on-cifs-webdav-access/m-p/226606#M179736 mlagneaux 2010-07-23T10:16:48Z https://connect.hyland.com/t5/alfresco-archive/add-controls-on-cifs-webdav-access/m-p/226607#M179737 <HTML><HEAD></HEAD><BODY><SPAN>First, when using CIFS, a user open a document in write mode if he has Write permission (and not only WriteContent).</SPAN><BR /><BR /><SPAN>I've solved my problem doing this:</SPAN><BR /><SPAN>- I've modified my custom dynamicAuthority:</SPAN><BR /><SPAN>In hasAuthority method, I continue to check the status of the document and I also check that the user is Collaborator, Coordinator or Owner of the node.</SPAN><BR /><SPAN>Here is an example that I used :</SPAN><BR /><A href="http://forums.alfresco.com/en/viewtopic.php?f=47&amp;t=17436&amp;p=60903&amp;hilit=dynamicAuthority#p60903" rel="nofollow noopener noreferrer">http://forums.alfresco.com/en/viewtopic.php?f=47&amp;t=17436&amp;p=60903&amp;hilit=dynamicAuthority#p60903</A><BR /><BR /><SPAN>- In permissionsDefinition :</SPAN><BR /><SPAN>My dynamicAuthority grants Write permission.</SPAN><BR /><SPAN>Write permission only include WriteContent permission.</SPAN><BR /><SPAN>Collaborator don't include Write permission but directly WriteProperties permission.</SPAN><BR /><SPAN>I've defined a new permission CustomFullControl which includes Collaborator and all remaining permissions (except Write).</SPAN><BR /><SPAN>Coordinator permission now includes CustomFullControl permission and allowFullControl is set to false.</SPAN><BR /><SPAN>Last, in global permissions, ROLE_OWNER now grants CustomFullControl permission (instead of FullControl).</SPAN><BR /><BR /><SPAN>- In some JSP and some actions definitions, I've replaced permissionEvaluator on Write by permissionEvaluator on WriteProperties.</SPAN><BR /><BR /><SPAN>I've made some tests and it seems to work correctly.</SPAN><BR /><BR /><SPAN>Thank you for your help.</SPAN></BODY></HTML> Thu, 29 Jul 2010 15:01:54 GMT https://connect.hyland.com/t5/alfresco-archive/add-controls-on-cifs-webdav-access/m-p/226607#M179737 mlagneaux 2010-07-29T15:01:54Z