Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

AuthorityService, SearchService and document ownership

marco_altieri
Star Contributor
Star Contributor

‎02-18-2011 01:52 AM

Hi,

if a user has the  ownership of a document (inside a Share document library) he can modify it even if he doesn't belong to the site anymore.
This is considered a security issue by a client.
To solve this problem, I'm trying to develop a custom AuthorityService that intercepts the removing of a user from a group to verify if, after this removing, he cannot see a site anymore.
What I want to do is to verify which subfolders of the "Company Home/Sites" folder the user can see before and after the removing: if a subfolder is not visible anymore, I suppose that the user has been removed from the corresponding site. With the list of all sites from which he has been removed, I can easily find the documents that he owns.


   public void removeAuthority(String parentName, String childName)
   {
      List<NodeRef> sitesBefore = null;
      List<NodeRef> sitesAfter;
      
      if (!childName.startsWith("GROUP_")) {
         sitesBefore = getVisibleSites(childName, null);
      }
      
      authorityDAO.removeAuthority(parentName, childName);
      
      if (sitesBefore != null) {
         sitesAfter = getVisibleSites(childName, sitesBefore);
      }
      
   }

   private List<NodeRef> getVisibleSites(String childName, final List<NodeRef> excludes) {
      return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<List<NodeRef>>() {
         public List<NodeRef> doWork() throws Exception
         {
            String luceneSearch = "PATH:\"/app:company_home/st:sites/*\"";
                 StoreRef storeRef = new StoreRef(StoreRef.PROTOCOL_WORKSPACE, "SpacesStore");
                 ResultSet rs = searchService.query(storeRef, SearchService.LANGUAGE_LUCENE, luceneSearch);
            List<NodeRef> sites = rs.getNodeRefs();
            if (excludes != null) {
               sites.removeAll(excludes);
            }
            
            QName name = QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, "name");
                 for (NodeRef site: sites) {
                    Serializable siteName = nodeService.getProperty(site, name);
                    System.out.println("siteName = " + siteName);
                 }
            
            return sites;
         }

      }, childName);
   }

Unfortunately when I call the getVisibleSites the second time the user can still see the same list of sites. It seems that the SearchService doesn't see the removing that has been already executed.

To set the searchService of the custom AuthorityService I have used the bean SearchService.

Can you help me please?

Thanks,
Marco
Labels:
0 Kudos
1 REPLY 1

marco_altieri
Star Contributor
Star Contributor

‎02-23-2011 01:49 PM

I found the solution: it's necessary to verify the permission of each node that lucene returns.


if (permissionService.hasPermission(nodeRef, PermissionService.READ) == AccessStatus.ALLOWED) {
   /* This is a valid nodeRef */
}
else {
   /* the user cannot access this node */
}
0 Kudos
Getting started

Tags

Find what you came for

We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.

Copyright © 2025 Khoros, LLC