AllowableAction question

lycantrop
Champ in-the-making
Hi,
I am developing a server-side CMIS implementation and have a problem with the AllowableAction specification.
My repository provides, for example, this permission mapping:

<ns2:permissions>
   <ns2:permission>test_permission</ns2:permission>
   <ns2:description>this is test permission</ns2:description>
</ns2:permissions>
<ns2:mapping>
   <ns2:key>canCreateDocument.Folder</ns2:key>
   <ns2:permission>test_permission</ns2:permission>
</ns2:mapping>


AllowableAction contains, for example, the property 'canCreateFolder'. This property maps to the key 'canCreateDocument.Folder'.

The test user has a list of permissions and has the permission 'test_permission'.
For the requested object (in this example a folder), the client receives a list of AllowableActions from the server. Can I say that the property 'canCreateFolder' is true for the object and the current user because the current user has the permission 'test_permission'? Is this enough? Or should I check the object's ACEs and compare the records by principal and permission for this object? Do I need to check the ACEs of the object for every property in the AllowableActions list?

I understand the principle of AllowableActions as something that I can do with the current object given the current user's permissions. It is something like a pre-check, and the runtime check is performed directly in the action (in this case createFolder).

Thanks for your answers.

Lestat

1 REPLY 1

kaynezhang
World-Class Innovator
I'm not sure whether I understand what you mean.
If you have the allowable action (for example CAN_CREATE_FOLDER), you already have the permission to do that operation (createFolder). You don't need to check the ACL any more.
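
A server-side sketch of the check discussed in this thread, added here as an example and not taken from either post or from any CMIS library. It assumes a permission-mapping key such as 'canCreateDocument.Folder' names the permission the caller must hold on that folder through its ACEs, and that any one listed permission is enough; the function names, principals and the second mapping entry are constructed.

```python
from dataclasses import dataclass

# Mapping key -> permissions that satisfy it. The first entry is from the post;
# the second is a constructed entry for contrast.
PERMISSION_MAPPING = {
    "canCreateDocument.Folder": {"test_permission"},
    "canCreateFolder.Folder": {"cmis:all"},
}
# Allowable action -> mapping keys evaluated against a folder (small subset).
ACTION_KEYS = {
    "canCreateDocument": ["canCreateDocument.Folder"],
    "canCreateFolder": ["canCreateFolder.Folder"],
}

@dataclass(frozen=True)
class Ace:
    principal: str
    permissions: frozenset

def effective_permissions(acl, principals):
    """Union of permissions this object's ACEs grant to the caller's principals."""
    granted = set()
    for ace in acl:
        if ace.principal in principals:
            granted |= ace.permissions
    return granted

def allowable_actions(acl, principals):
    """Per-object, per-caller answer: every key of an action needs a matching grant."""
    granted = effective_permissions(acl, principals)
    return {action: all(PERMISSION_MAPPING[key] & granted for key in keys)
            for action, keys in ACTION_KEYS.items()}

def create_document(acl, principals, name):
    """Runtime enforcement: the server re-evaluates instead of trusting a list
    of allowable actions that the client fetched earlier."""
    if not allowable_actions(acl, principals)["canCreateDocument"]:
        raise PermissionError(f"canCreateDocument denied for {sorted(principals)}")
    return name

# Constructed sample: the same caller, two folders with different ACLs.
CALLER = {"testuser", "editors"}
FOLDER_A = [Ace("editors", frozenset({"test_permission"}))]
FOLDER_B = [Ace("someone_else", frozenset({"test_permission"}))]

if __name__ == "__main__":
    print("folder A:", allowable_actions(FOLDER_A, CALLER))
    print("folder B:", allowable_actions(FOLDER_B, CALLER))
```
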