topic Re: Use of Deny Permissions using API's for PermissionService in Alfresco Archive

Use of Deny Permissions using API's for PermissionService

jamen — Fri, 10 Feb 2012 10:22:23 GMT

Hi,I'm trying to get some concrete examples of how to leverage DENY permissions on a particular node. I have a use case where I want to grant a permission role on a folder (e.g. Collaborator), but then on some of the documents below it I won't want to allow for Edit rights. I know that this is pos

Re: Use of Deny Permissions using API's for PermissionService

mrogers — Fri, 10 Feb 2012 10:48:38 GMT

I'm not sure DENY permissions are used anywhere, although as you have seen there's consideration for them in the permissions service.

Re: Use of Deny Permissions using API's for PermissionService

jamen — Fri, 10 Feb 2012 22:25:10 GMT

But do the existing service methods support application of DENY permissions? That's what I'm unsure of. I know Andy hind as mentioned DENY permissions on other forum posts. But I've seen no programmatic evidence of this in terms of examples.

Re: Use of Deny Permissions using API's for PermissionService

andy — Mon, 13 Feb 2012 15:26:56 GMT

Hi

There are some examples in the test.
It is not used much as it is mot exposed in the UI.

Just use the permissions service API as you would to set - but set allow to false (ie deny)

Andy

Re: Use of Deny Permissions using API's for PermissionService

jamen — Mon, 13 Feb 2012 16:29:06 GMT

Hi Andy,

Thanks for drawing my attention to that. I should have picked up that PermissionServiceTest earlier.

One follow up question then on this, how do you clear a permission reference that's on DENY then? Is it correct in observing that the permission service's permission deletion call treats the the assignment of a PermissionReference the same way for ALLOW and DENY? For example you assign a permission and you have the option of setting allow to be true or false, hence you would remove the permission reference on the node if you didn't need it with no reference to whether the permission is allow or delete?

Thanks
Jamen

Re: Use of Deny Permissions using API's for PermissionService

andy — Mon, 20 Feb 2012 11:13:53 GMT

Hi

Yep.

public void deletePermission(NodeRef nodeRef, String authority, String permission);

should remove matching permission that deny or allow.

Andy

Re: Use of Deny Permissions using API's for PermissionService

binduwavell — Mon, 17 Jun 2013 21:59:00 GMT

Andy,

I wrote a Java action that can apply a "DENIED" permission to a node. I ran the action on a folder in order to deny "Read" access to a user named "fisher". After running this I log the output of document.getPermissions() from some javascript, this returns the following:


ALLOWED;GROUP_Super;Coordinator,ALLOWED;GROUP_SysAdmin;Coordinator,DENIED;fisher;Read,ALLOWED;GROUP_Team;Coordinator,ALLOWED;GROUP_SysExec;Consumer
‍‍‍

Note that fisher is in GROUP_Team. So she has Coordinator rights (this is an inherited permission for what it's worth) on the folder from that group but has specifically been denied Read access directly on the folder via her user id.

When I login as fisher and check document.hasPermission("Read") from some javascript, it returns true! I would expect false to be returned?

I validated that ${security.anyDenyDenies} is set to true (I did this in code by injecting that into a java bean and logging the value, so I know the default set in repository.properties is not being overridden.

FWIW, I have had a good look through the test cases, there is a lot there and some of it doesn't really make sense to me. I'm assuming those tests are passing in Enterprise 4.1.3… If they are, then I think that the above call to hasPermission("Read") should return false?

Taking a step back, what I want to do is the following… I have a folder structure like the following


Company Home
    eFiles
        eFile 1
        eFile 2
‍‍‍‍‍‍

In general Team members should have access to everything under the eFiles folder. This is a large group that changes somewhat regularly. For legal reasons certain users are not allowed to interact with certain eFiles so we want to explicitly DENY access to eFile 2 for user fisher, who has a compliance conflict with being allowed to see the stuff in that folder.

We grant Coordinator rights to the Team group on the eFiles folder and by default all subfolders inherit this. However on eFile 2 we want to revoke access for this one user. I have tried denying "Read" or "All" for this user explicitly on the eFile 2 folder. In both cases the user is able to see the folder and when I login as her and check if she has "Read" permission on the folder she does.

Any advice would be greatly appreciated!