topic Re: Deny Remove permission but Delete button still enabled in Nuxeo Forum

Deny Remove permission but Delete button still enabled

ChristopheL_ — Wed, 15 Feb 2012 21:03:16 GMT

Hello,

I have just dowloaded and installed Nuxeo Document Management 5.5 and I tried what is described at http://doc.nuxeo.com/display/DMDOC/Managing+access+rights about access rights management.

So I did the following steps:

As Administrator

login
create a John Do user
create a workspace
On the Manage tab, add two permissions: John Do - Grant - Write + John Do - Deny - Remove
create a note in the workspace

as John Do user

login
go to the workspace created above as Administrator
check the box in front of the Note created above as Administrator => the Delete button is enabled so the user John Do can remove the document

Question: Is it normal that the Delete button is enabled even if there is a Deny - Remove permission on the workspace for the user ?

I would have expected that the user won't be able to delete any document.

Thanks in advance for your answer

Best regards, Christophe

Re: Deny Remove permission but Delete button still enabled

Solen_Guitter — Thu, 16 Feb 2012 15:03:09 GMT

Hello,

This is due to the access rights priorization, as explained on this page: http://doc.nuxeo.com/x/UYEk.

In this case, the user still has the right to remove documents because at the same level (in the same workspace) he's denied the right to delete documents, but he's also granted the Write permission. Since Write includes the Remove permission and granted rights win over denied rights, in the end the user is granted the right to remove.

Re: Deny Remove permission but Delete button still enabled

ChristopheL_ — Thu, 16 Feb 2012 15:48:30 GMT

Hello,

Re: Deny Remove permission but Delete button still enabled

bruce_Grant — Tue, 21 Feb 2012 16:48:03 GMT

If you want to override the default rights hierarchy then you can create a custom security policy by extending SecurityPolicy. See http://doc.nuxeo.com/display/NXDOC/Security+Policy+Service for more details.

Be careful with this because there can be negative performance side-effects if the custom policy is too complex!

Re: Deny Remove permission but Delete button still enabled

Anahide_Tchertc — Thu, 23 Feb 2012 14:32:46 GMT

I'm wondering why the Write permission needs to include Remove, it could be a good test to check if this is a problem for other features. I think it could be considered a bug, maybe to handle at the same time than https

Re: Deny Remove permission but Delete button still enabled

tomi1123_ — Thu, 27 Sep 2012 02:50:05 GMT

I think the original question is an important one: how to grant permission to create new objects but not remove old ones.

The comments above (directing to the doc) seem to be in conflict with the doc, which states:

The "Remove" permission is intended to be denied, so as to restrict the actions available to users with "Write" permission.

If "Remove" permission is intended to be denied, but granting Write takes precedence, how is it possible to ever deny remove? To me this smells like a defect.

Tom

Re: Deny Remove permission but Delete button still enabled

bruce_Grant — Thu, 27 Sep 2012 03:04:12 GMT

The answer is to redefine the aggregate permission Write to work the way you want it to. Or create a new permission (e.g., Write Only) which maps to a subset of the existing Write permission.

Re: Deny Remove permission but Delete button still enabled

tomi1123_ — Mon, 01 Oct 2012 00:23:36 GMT

Is <require> tag needed for override to take effect and if so what does need to refer to?

Re: Deny Remove permission but Delete button still enabled

tomi1123_ — Mon, 01 Oct 2012 04:49:58 GMT

I got it to work. You will need a standard component wrapper around this but otherwise it works. Nuxeo is wonderful but does not make a good first date...

<require>org.nuxeo.ecm.core.security.SecurityService</require>
<require>org.nuxeo.ecm.core.security.defaultPermissions</require>
 
<extension target="org.nuxeo.ecm.core.security.SecurityService" point="permissions">
<!-- Removed 'Remove' from Write permission -->
    <permission name="Write">
        <remove>Remove</remove>
    </permission>
</extension>

Re: Deny Remove permission but Delete button still enabled

a_c — Mon, 04 Nov 2019 23:12:41 GMT

Is there some way to apply this extension to specific document types?