Disable site deletion for all non admin users

bip1989 — Wed, 13 Nov 2019 13:45:14 GMT

Hello there

I want to disable site delete option for all non admin users. Only admin users can delete the site. Even a non admin user who originally created the site should not be allowed to delete the site.
By following some of the similar questions in this forum, i am able to hide delete option from dashlet and header menu. But non admin user is able to delete the site via API call.

Which means it is still allowed to delete site at repo level.
How can i disable the site deletion at repo level as well? Please provide some guidance

Appreciate your kind guidance. Thanks in advance

Re: Disable site deletion for all non admin users

abhinavmishra14 — Wed, 13 Nov 2019 14:46:36 GMT

Follow these steps:

1- Create site-security-model-context.xml (you can choose any meaningful name) under <ALFRESCO_HOME>/tomcat/shared/classes/alfresco/extension or at module level if you are using custom modules and applying it to the alfresco.war.

At module level it could be like;

<YOUR_CUSTOM_REPO_MODULE>/src/main/resources/alfresco/module/YOUR_CUSTOM_REPO_MODULE/context/site-security-model-context.xml

2- Add following bean definition:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
	<bean id="SiteService_security"
		class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
		<property name="authenticationManager">
			<ref bean="authenticationManager" />
		</property>
		<property name="accessDecisionManager">
			<ref bean="accessDecisionManager" />
		</property>
		<property name="afterInvocationManager">
			<ref bean="afterInvocationManager" />
		</property>
		<property name="objectDefinitionSource">
			<value>
				org.alfresco.service.cmr.site.SiteService.cleanSitePermissions=ACL_NODE.0.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.createContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.GROUP_SITE_CREATORS
				org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS
				org.alfresco.service.cmr.site.SiteService.findSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.getContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.listContainers=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.getMembersRole=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getMembersRoleInfo=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.resolveSite=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getSite=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.getSiteShortName=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.getSiteGroup=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getSiteRoleGroup=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getSiteRoles=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.getSiteRoot=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.hasContainer=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.hasCreateSitePermissions=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.hasSite=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.isMember=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listMembers=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listMembersInfo=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listMembersPaged=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listSiteMemberships=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.listSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.listSitesPaged=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
				org.alfresco.service.cmr.site.SiteService.removeMembership=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.canAddMember=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.setMembership=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.updateSite=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.countAuthoritiesWithRole=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.isSiteAdmin=ACL_ALLOW
				org.alfresco.service.cmr.site.SiteService.*=ACL_DENY
			</value>
		</property>
	</bean>

</beans>

Notice the following line, this will allow only admin users to delete the sites.

org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS

You can find documentation on topic here:

https://docs.alfresco.com/5.2/tasks/site-creation-permission.html

Re: Disable site deletion for all non admin users

bip1989 — Thu, 14 Nov 2019 14:38:32 GMT

Thanks for this, it works for me.

I have one small question, can i do the same for securing create site option as well on the repository side?

i see the config present for create site as well

Re: Disable site deletion for all non admin users

abhinavmishra14 — Thu, 14 Nov 2019 20:38:55 GMT

Yes, you can do that as well.

Suppose you want sites to be created by only admins then this would be the config:

org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.ALFRESCO_ADMINISTRATORS

topic Re: Disable site deletion for all non admin users in Alfresco Forum

Disable site deletion for all non admin users

Re: Disable site deletion for all non admin users

Re: Disable site deletion for all non admin users

Re: Disable site deletion for all non admin users