Method-level security definition

zhihailiu — Wed, 21 Sep 2016 19:28:40 GMT

Hi,public-services-security-context.xml has the method-level security definition. For example, org.alfresco.service.cmr.repository.NodeService.addAspect=ACL_NODE.0.sys:base.WriteProperties,ACL_ITEM.0.cmwnable.TakeOwnershipQuestion 1 - what does "ACL_ITEM.0.cmwnable.TakeOwnership" mean? Question

Re: Method-level security definition

afaust — Wed, 21 Sep 2016 19:43:41 GMT

The public-services-security-context.xml file is NOT where you grant permissions to anyone. This defines the service level checks that will be performed for ANY invocation on ANY node / item passed as a parameter. The way you have outlined in your 2nd question actually RESTRICTS the operation to only members of the GROUP_MY_COMPANY_ACCOUNT. No one else would be allowed to add an aspect to a node, which would effectively break your Alfresco system (virtually everything has something to do with aspects under the hood).

As to your 1st question. ACL_ITEM is a special variant of ACL_NODE. This operation requires that a method has a very specific signature (composed of NodeRef and Map or QName). Additionally it will only pass judgement if the operation is used to change the owner. If no owner change is attempted the check will abstain (yield neither a positive nor negative permission check result).

As a general rule, you should (almost) NEVER change anything permission related in *-context.xml files. You can define NEW permissions via a permissionDefinitions.xml that is referenced from a *-context.xml, but that is not a very common use case. Granting permission is almost ALWAYS done exclusively via the Share UI, Java or JavaScript APIs (PermissionService or ScriptNode.setPermission).

topic Method-level security definition in Alfresco Archive

Method-level security definition

Re: Method-level security definition