Change 'any allow allows' permission schema.

diegop
Champ in-the-making
Hi,
I have to implement a complex structure of permissions on the repository, based on denying access to a content in any case to all users that belong to a group.

I don't have to implement a "single deny denies" permission schema, but "THAT deny always denies else any allow allows".

Searching the Alfresco configuration files I found this bean:

    <bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions"><value>false</value></property>
        <property name="decisionVoters">
            <list>
                <ref local="roleVoter"/>
                <ref local="groupVoter"/>
                <ref local="aclEntryVoter"/>
            </list>
        </property>
    </bean>

This is an Acegi access manager that implements the "any allow allows" permission schema.

Is it sufficient to develop a custom Acegi access manager that implements my permission schema (replacing net.sf.acegisecurity.vote.AffirmativeBased) to deny access to a content to all users in a group that I define, even if the "inherit parent permission" flag is set?

If my idea is useless, what can I do to develop my permission schema? Which class do I have to edit/add?

Thanks
2 REPLIES

andy
Champ on-the-rise
Hi

It is not that simple - that does it after the Alfresco permission evaluator has said yes.

In PermissionServiceImpl there is some code that may well be OK ….

Look for

   // any deny denies

            if (false)

This was a first cut at toggling this behaviour. You can give it a go 🙂


Andy

diegop
Champ in-the-making
Thank you Andy,
and sorry if I reply after 3 months.

But only a few days ago I could study the problem above.

I resolved my problem with a "custom" class ACLEntryAfterInvocationProvider.

I added the check for denying access by customizing these methods in ACLEntryAfterInvocationProvider.java:

    private ChildAssociationRef decide(Authentication authentication, Object object, ConfigAttributeDefinition config,
            ChildAssociationRef returnedObject) throws AccessDeniedException

    private Collection decide(Authentication authentication, Object object, ConfigAttributeDefinition config,
            Collection returnedObject) throws AccessDeniedException

    private NodeRef decide(
            Authentication authentication,
            Object object,
            ConfigAttributeDefinition config,
            NodeRef returnedObject) throws AccessDeniedException

    private Object[] decide(Authentication authentication, Object object, ConfigAttributeDefinition config,
            Object[] returnedObject) throws AccessDeniedException

    private ResultSet decide(Authentication authentication, Object object, ConfigAttributeDefinition config,
            ResultSet returnedObject) throws AccessDeniedException

More specifically, I added in those methods the logic to resolve this problem -> http://forums.alfresco.com/en/viewtopic.php?f=5&t=16569&start=0&st=0&sk=t&sd=a&hilit=security+level

Now I have a customized Alfresco where, if a document has a "high" security level, a user with a "low" security level won't ever see it!
Cheers
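
The rule asked for in this thread ("THAT deny always denies else any allow allows"), applied as a filter over returned objects in the way the last post describes, as an added example that is not code from the thread or from Alfresco. It uses plain Java collections instead of Alfresco or Acegi types; the class, record, group and file names are all hypothetical, and the sample data is constructed.

```java
import java.util.*;
import java.util.stream.Collectors;

// Hypothetical model, not an Alfresco or Acegi class: one ACL entry on a node.
record AclEntry(String authority, String permission, boolean allow) {}

public class OverridingDenyDemo {
    // Deny entries for authorities in this set win over every allow.
    private final Set<String> overridingDenyAuthorities;
    OverridingDenyDemo(Set<String> overridingDenyAuthorities) {
        this.overridingDenyAuthorities = Set.copyOf(overridingDenyAuthorities);
    }

    /** userAuthorities = the user name plus every group the user belongs to. */
    boolean hasPermission(Set<String> userAuthorities, List<AclEntry> acl, String permission) {
        boolean allowed = false;
        for (AclEntry e : acl) {
            if (!e.permission().equals(permission) || !userAuthorities.contains(e.authority())) {
                continue; // entry is for another permission or another authority
            }
            if (!e.allow() && overridingDenyAuthorities.contains(e.authority())) {
                return false; // "THAT deny always denies", whatever its position in the list
            }
            allowed |= e.allow(); // "else any allow allows"; other denies do not veto
        }
        return allowed; // no matching allow means no access
    }

    /** After-invocation style filter: drop results the caller may not access. */
    <T> List<T> filter(Set<String> userAuthorities, Map<T, List<AclEntry>> results, String permission) {
        return results.entrySet().stream()
                .filter(en -> hasPermission(userAuthorities, en.getValue(), permission))
                .map(Map.Entry::getKey)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data: two nodes, both readable by everyone via an allow entry.
        var policy = new OverridingDenyDemo(Set.of("GROUP_LOW_CLEARANCE"));
        var open = List.of(new AclEntry("GROUP_EVERYONE", "Read", true));
        var secret = List.of(new AclEntry("GROUP_EVERYONE", "Read", true),
                             new AclEntry("GROUP_LOW_CLEARANCE", "Read", false));
        Map<String, List<AclEntry>> found = new LinkedHashMap<>();
        found.put("open.txt", open);
        found.put("secret.txt", secret);
        System.out.println(policy.filter(Set.of("alice", "GROUP_EVERYONE"), found, "Read"));
        System.out.println(policy.filter(Set.of("bob", "GROUP_EVERYONE", "GROUP_LOW_CLEARANCE"), found, "Read"));
    }
}
```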