
Authentication on CMIS with non-admin user

frank_miller
Champ in-the-making
Hi!

I'm having an issue trying to authenticate on CMIS with a non-admin user. Finally, I tried to do a simple get request, and I get this response…

org/springframework/extensions/webscripts/scriptdump.get requires admin authentication; however, a non-admin has attempted access

Does this mean only admin users are able to connect to Alfresco via CMIS? I think I'm missing something obvious, like an option on Alfresco to give a user "cmis privileges" maybe? Please, any help on this topic would be really appreciated.

Best regards.

frank_miller
Champ in-the-making
Just tried cmisatom on Alfresco 4.0.d and it works!

Now I can browse subfolders and files for the logged user home space. However, doing some tests, I've created a subfolder giving the user only Consumer role, so I have the path userHome/subfolderWithConsumerRole. My ruby component connects to cmis successfully with my non-admin user, and shows userHome content (only subfolderWithConsumerRole), but when I browse into subfolderWithConsumerRole (all I do here is another getObjectByPath) I get a forbidden exception. Adding Editor role to the folder solves it, so I understand it must have something to do with the filters you mentioned, but I don't understand what exactly is happening. Is there something wrong in reading cmis objects with Consumer-only role?

Best regards.

jpotts
World-Class Innovator
No, there should not be a problem getting a folder that a user has consumer access to. But you will have to filter out parent-related properties if the user doesn't have access to any of the folders in the hierarchy.

For example, I've created a structure with the following:
test (Test User has no access)
|----- subFolder (Test User has Collaborator access)
         |------ subSubFolder (Test User has Consumer access)

I can successfully get a handle to subSubFolder only if I use a filter:
>>> folder = repo.getObjectByPath('/test/subFolder/subSubFolder', filter='cmis:objectId,cmis:objectTypeId,cmis:name')
>>> folder.properties
{u'cmis:objectId': 'workspace://SpacesStore/3ac7873d-0400-48ad-84d3-887c7b040377', u'cmis:name': u'subSubFolder', u'cmisra:object': None, u'cmis:objectTypeId': 'cmis:folder', u'cmis:baseTypeId': 'cmis:folder'}
>>> folder.getAllowableActions()
{u'canDeleteContentStream': False, u'canSetContentStream': False, u'canCreateRelationship': False, u'canDeleteTree': False, u'canGetDescendants': True, u'canCheckIn': False, u'canApplyACL': False, u'canGetFolderParent': True, u'canDeleteObject': False, u'canGetAllVersions': False, u'canGetObjectParents': True, u'canGetProperties': True, u'canCreateDocument': False, u'canGetRenditions': False, u'canApplyPolicy': False, u'canUpdateProperties': False, u'canGetAppliedPolicies': True, u'canGetContentStream': False, u'canMoveObject': False, u'canAddObjectToFolder': False, u'canRemoveObjectFromFolder': False, u'canRemovePolicy': False, u'canGetObjectRelationships': True, u'canGetChildren': True, u'canCancelCheckOut': False, u'canGetFolderTree': True, u'canCheckOut': False, u'canCreateFolder': False, u'canGetACL': False}

If I try to get subSubFolder without the filter, even though my test user has access to the immediate parent, the call will fail:
>>> folder = repo.getObjectByPath('/test/subFolder/subSubFolder')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/opt/src/chemistry/cmislib/src/cmislib/model.py", line 969, in getObjectByPath
    result = self._cmisClient.get(byObjectPathUrl.encode('utf-8'), **addOptions)
  File "/opt/src/chemistry/cmislib/src/cmislib/model.py", line 209, in get
    self._processCommonErrors(result)
  File "/opt/src/chemistry/cmislib/src/cmislib/model.py", line 315, in _processCommonErrors
    raise PermissionDeniedException(error.status, error.url)
cmislib.exceptions.PermissionDeniedException: Error 403 at http://localhost:8080/alfresco/cmisatom/558e5b3c-71a0-42ac-b420-eda16e93e95b/path?path=/test/subFold...

Hope this helps,

Jeff

frank_miller
Champ in-the-making
Thanks Jeff,

I was already filtering as you suggested, so I've tried removing the rest of the request params one by one. Finally, it seems includeACL=true was preventing my request from working properly (I assume it tries to retrieve ACL info for parent folders). Once I changed includeACL to false, it works!

Thank you very much!
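
A pre-flight check for the two conditions this thread identified for restricted accounts (no property filter, and includeACL=true), as an added example that is not from either poster or from cmislib. The parameter names follow the AtomPub URLs quoted above; the repository id is a placeholder, and treating cmis:parentId and cmis:path as the parent-related properties is an assumption.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Properties requested in the thread's working call; none describe the parent.
MINIMAL_FILTER = ("cmis:objectId", "cmis:objectTypeId", "cmis:name")
# Assumption: the standard CMIS folder properties that expose the hierarchy.
PARENT_PROPS = {"cmis:parentId", "cmis:path"}


def build_path_url(base, repo_id, path, props=MINIMAL_FILTER):
    """Build a getObjectByPath URL that asks only for the listed properties."""
    query = urlencode({
        "path": path,
        "filter": ",".join(props),
        "includeACL": "false",
    })
    return "%s/%s/path?%s" % (base.rstrip("/"), quote(repo_id, safe=""), query)


def audit_path_url(url):
    """Return the reasons a request may be refused for a restricted account."""
    query = parse_qs(urlsplit(url).query)
    raw_filter = query.get("filter", [""])[0]
    props = [p.strip() for p in raw_filter.split(",") if p.strip()]
    findings = []
    if not props or "*" in props:
        findings.append("no property filter: every property is requested")
    leaked = sorted(PARENT_PROPS.intersection(props))
    if leaked:
        findings.append("parent-related properties requested: " + ", ".join(leaked))
    # includeACL defaults to false when the parameter is absent.
    if query.get("includeACL", ["false"])[0].lower() == "true":
        findings.append("includeACL=true: ACL information is requested")
    return findings


if __name__ == "__main__":
    base = "http://localhost:8080/alfresco/cmisatom"  # host as used in the thread
    repo = "REPOSITORY-ID-PLACEHOLDER"                 # constructed value
    target = "/test/subFolder/subSubFolder"
    good = build_path_url(base, repo, target)
    bad = "%s/%s/path?path=%s&includeACL=true" % (base, repo, target)
    for url in (good, bad):
        print(url)
        for finding in audit_path_url(url):
            print("  - " + finding)
```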

frank_miller
Champ in-the-making
Hi!

I'm facing another issue regarding CMIS access with non-admins, this time when creating new folders. I'm already able to read/delete documents and folders, and can even create documents without problems, but when I send a POST request to create a folder (with a user without Company Home access), I get a CMIS error I hadn't seen before.

org.apache.chemistry.opencmis.commons.exceptions.CmisRuntimeException: Object Info is missing!

This is the POST URL

http://localhost:8080/alfresco/cmisatom/f05d5224-0f52-484c-a14c-eba64c2f3345/children?id=workspace%3...

And here is the XML I'm sending

{"Content-Type"=>"application/atom+xml;type=entry"}
<?xml version="1.0"?>
<at:entry xmlns:cra="http://docs.oasis-open.org/ns/cmis/restatom/200908/" xmlns:at="http://www.w3.org/2005/Atom" xmlns:c="http://docs.oasis-open.org/ns/cmis/core/200908/" xmlns:cm="http://docs.oasis-open.org/ns/cmis/messaging/200908/" xmlns:app="http://www.w3.org/2007/app">
  <at:author>
    <at:name>admin</at:name>
  </at:author>
  <at:title>heaherhrettr</at:title>
  <at:id>random-garbage</at:id>
  <cra:object>
    <c:properties>
      <c:propertyId propertyDefinitionId="cmis:objectTypeId">
        <c:value>cmis:folder</c:value>
      </c:propertyId>
      <c:propertyString propertyDefinitionId="cmis:name">
        <c:value>NewFolder</c:value>
      </c:propertyString>
    </c:properties>
  </cra:object>
</at:entry>

I'm sorry. I'm pretty sure this must be solved with something similar to the filter I needed in my previous problem, but I have no idea what kind of params I may include in the POST request. Any help would be very much appreciated.

Best regards!

jpotts
World-Class Innovator
I think this might be a bug. You should create a Jira and reply to this post with a link to the Jira so that I can add it to my watch list.

Jeff

frank_miller
Champ in-the-making
Hi Jeff,

Here you have the Jira URL

https://issues.alfresco.com/jira/browse/ALF-13077

Again, thanks for your patience and help.

Best regards!

Hi Jeff, Frank,

Reviving this thread again to know if it's possible to retrieve the users and groups available in the repository using the open cmis lib? If not, how to achieve this?
I am currently using chemistry-opencmis-client-impl-0.10.0, alfresco-opencmis-extension-0.7 and Alfresco 4.2.0 (r56674-b4848).

Appreciate your help!

kaynezhang
World-Class Innovator
I'm afraid opencmis does not support user/group operation, you can use the webscript API.

Thanks for the reply, Kaynezhang!

Other than webscript, is there any alternative available? How about using the webservices binding with CMIS?

kaynezhang
World-Class Innovator
Yes, you can also operate user/group using the webservice API.