Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Hyland Connect
- Enterprise Platforms
- Alfresco
- Alfresco Archive
- Re: Change 'read' permission filter on search resu...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Change 'read' permission filter on search results?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-16-2008 02:10 PM
Our publishing department will use Alfresco to manage documents. We would like to make some of these documents available to other employees using a custom web interface and web scripts. We want the employees to have access to only metadata on certain documents (for when publishing wants full control of printing and distribution). This will allow them to see if they have the latest version on file, find out when the document will be mailed, find the document ID etc. without being able to download an electronic copy.
So I made a custom permission group called "Viewer" that has ReadProperties and ReadChildren permission (but not ReadContent). In the web interface it works fine, the user can see the document properties but cannot download the document.
However, the documents do not show up in search results. According to http://wiki.alfresco.com/wiki/Search:
This makes sense as in most cases you wouldn't want a user to determine document contents by searching. Our situation is unique in that we want to allow users to search and find documents that they have access to in physical form but not in the Alfresco repository.
I looked through the code to find where this filtering happens and didn't see anything obvious, but I am quite new to Alfresco and much of the code is beyond me.
How involved would making a change to filter on ReadProperties (as opposed to ReadContent) be? Or am I approaching this problem from the wrong direction? We could for example forget the "Viewer" role and filter result links in our custom web interface. I just worry about users end-running the filter (through CIFS or the Alfresco UI) to get at documents they shouldn't be able to download. Another option would be to upload dummy documents with the metadata we want users to see, but this seems inelegant and adds maintenance overhead in addition to reducing search effectiveness.
Any advice is appreciated!
Josh
So I made a custom permission group called "Viewer" that has ReadProperties and ReadChildren permission (but not ReadContent). In the web interface it works fine, the user can see the document properties but cannot download the document.
However, the documents do not show up in search results. According to http://wiki.alfresco.com/wiki/Search:
The rows returned in the result sets from the SearchService are filtered to contain only the nodes to which the user executing the search has read access.
This makes sense as in most cases you wouldn't want a user to determine document contents by searching. Our situation is unique in that we want to allow users to search and find documents that they have access to in physical form but not in the Alfresco repository.
I looked through the code to find where this filtering happens and didn't see anything obvious, but I am quite new to Alfresco and much of the code is beyond me.
How involved would making a change to filter on ReadProperties (as opposed to ReadContent) be? Or am I approaching this problem from the wrong direction? We could for example forget the "Viewer" role and filter result links in our custom web interface. I just worry about users end-running the filter (through CIFS or the Alfresco UI) to get at documents they shouldn't be able to download. Another option would be to upload dummy documents with the metadata we want users to see, but this seems inelegant and adds maintenance overhead in addition to reducing search effectiveness.
Any advice is appreciated!
Josh
Labels:
- Labels:
-
Archive
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-17-2008 03:38 PM
Hi,
The configuration file you want is tomcat/webapps/alfresco/WEB-INF/classes/alfresco/public-services-security-context.xml. You find brief info on it on the wiki at http://wiki.alfresco.com/wiki/Security_Services.
The big of code that would be of interest to you is following. Try changing it to ReadProperties for query. There are examples within that file. Info on how to add custom configuration is at http://wiki.alfresco.com/wiki/Permissions_and_Roles_Configuration.
Hope that helps. Let us know how you get on.
Ainga
The configuration file you want is tomcat/webapps/alfresco/WEB-INF/classes/alfresco/public-services-security-context.xml. You find brief info on it on the wiki at http://wiki.alfresco.com/wiki/Security_Services.
The big of code that would be of interest to you is following. Try changing it to ReadProperties for query. There are examples within that file. Info on how to add custom configuration is at http://wiki.alfresco.com/wiki/Permissions_and_Roles_Configuration.
<bean id="SearchService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.search.SearchService.query=AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.search.SearchService.selectNodes=AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.search.SearchService.selectProperties=ACL_NODE.0.sys:base.Read
org.alfresco.service.cmr.search.SearchService.contains=ACL_NODE.0.sys:base.Read
org.alfresco.service.cmr.search.SearchService.like=ACL_NODE.0.sys:base.Read
</value>
</property>
</bean>Hope that helps. Let us know how you get on.
Ainga
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-17-2008 06:20 PM
Ainga,
That is exactly what I was looking for! I changed it to ReadProperties for query and results started showing up in searches. Thanks a million!
Josh
That is exactly what I was looking for! I changed it to ReadProperties for query and results started showing up in searches. Thanks a million!
Josh
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-09-2008 03:28 PM
Hey,
I have writen a search call (AMP deployment) like described on Wiki. (example see below)
The query run succesfully. Problem is that all result show up … without any permission restriction.
Any idea why all user can see results of the whole repository?
Have I check permissions manually for every retreived node?
grtz,
Koen
SearchParameters sp = new SearchParameters();
sp.addStore(getStoreRef());
sp.setLanguage(SearchService.LANGUAGE_LUCENE);
sp.setQuery("TEXT:\"fox\");
ResultSet results = null;
try
{
results = serviceRegistry.getSearchService().query(sp);
for(ResultSetRow row : results)
{
NodeRef currentNodeRef = row.getNodeRef();
…
}
}
finally
{
if(results != null)
{
results.close();
}
}
I have writen a search call (AMP deployment) like described on Wiki. (example see below)
The query run succesfully. Problem is that all result show up … without any permission restriction.
Any idea why all user can see results of the whole repository?
Have I check permissions manually for every retreived node?
grtz,
Koen
SearchParameters sp = new SearchParameters();
sp.addStore(getStoreRef());
sp.setLanguage(SearchService.LANGUAGE_LUCENE);
sp.setQuery("TEXT:\"fox\");
ResultSet results = null;
try
{
results = serviceRegistry.getSearchService().query(sp);
for(ResultSetRow row : results)
{
NodeRef currentNodeRef = row.getNodeRef();
…
}
}
finally
{
if(results != null)
{
results.close();
}
}
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-10-2009 02:06 AM
Hi,
we've got a very similar problem as Josh.
Assume that we have a hierachical folder structure, like:
/Chairman
***/Department A
******/Sub-Department I
******/Sub-Department II
***/Department B
Chairman usergroup should have ReadProperties and ReadChildren on Chairman and all of its subfolders (as ReadChildren seems a must-have together with ReadProperties, strictly speaking I only wont the group memebers the access the folders metadata). Department A group should have ReadProperties and ReadChildren permissions on their own folder and all of its subfolders.
The solve this task we wrote a new permission group:
As with the predefinied role Consumer, we then defined a role called VibsConsumer and granted this right to Chairman group on their folder, to Department A group on their folder and so on. Permission inheritance switched on on all levels. (But there is no single permission granted above the Chairman folder.)
With this settings only I'm not able to see any folder of the hierachy, when logging in as a Chairman user. The search function doesn't show any folder of the hierachy as well. I then found this thread and changed the public-services-security-context.xml. The file seems to have changed from your version 1,5 years ago and version 3.2r. I tried to change org.alfresco.service.cmr.search.SearchService.query=ACL_ALLOW,AFTER_ACL_NODE.sys:base.Read to org.alfresco.service.cmr.search.SearchService.query=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties but that didn't change anything. For test purposes I then commented all values out except of org.alfresco.service.cmr.search.SearchService.*=ACL_ALLOW. But even this rigid change didn't improve the situation. Chairman group users can't find any folder of the hierarchy using the search function or the usual web-interface.
Does anyone have an idea how to solve this problem?
As mentioned before, the ultimate goal is that all departments can read folder-metadata of their own folder and all the sub-folders, but nothing else (reading content, write, …) by default.
Regards,
Matt
we've got a very similar problem as Josh.
Assume that we have a hierachical folder structure, like:
/Chairman
***/Department A
******/Sub-Department I
******/Sub-Department II
***/Department B
Chairman usergroup should have ReadProperties and ReadChildren on Chairman and all of its subfolders (as ReadChildren seems a must-have together with ReadProperties, strictly speaking I only wont the group memebers the access the folders metadata). Department A group should have ReadProperties and ReadChildren permissions on their own folder and all of its subfolders.
The solve this task we wrote a new permission group:
<permissionGroup name="VibsRead" expose="true" allowFullControl="false">
<includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
<includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
</permissionGroup>As with the predefinied role Consumer, we then defined a role called VibsConsumer and granted this right to Chairman group on their folder, to Department A group on their folder and so on. Permission inheritance switched on on all levels. (But there is no single permission granted above the Chairman folder.)
With this settings only I'm not able to see any folder of the hierachy, when logging in as a Chairman user. The search function doesn't show any folder of the hierachy as well. I then found this thread and changed the public-services-security-context.xml. The file seems to have changed from your version 1,5 years ago and version 3.2r. I tried to change org.alfresco.service.cmr.search.SearchService.query=ACL_ALLOW,AFTER_ACL_NODE.sys:base.Read to org.alfresco.service.cmr.search.SearchService.query=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties but that didn't change anything. For test purposes I then commented all values out except of org.alfresco.service.cmr.search.SearchService.*=ACL_ALLOW. But even this rigid change didn't improve the situation. Chairman group users can't find any folder of the hierarchy using the search function or the usual web-interface.
Does anyone have an idea how to solve this problem?
As mentioned before, the ultimate goal is that all departments can read folder-metadata of their own folder and all the sub-folders, but nothing else (reading content, write, …) by default.
Regards,
Matt
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-10-2009 11:16 AM
Matt,
That is the same permission definition we are using in production, now Alfresco Enterprise 3.1 SP1. The only change we made in public-services-security-context.xml was
org.alfresco.service.cmr.search.SearchService.query=AFTER_ACL_NODE.sys:base.ReadProperties
Even before this change users were able to browse items and view metadata in the web interface, the problem was if they searched for something it would not show in the results.
Have you added the "VibsRead" permission group as a content and folder specific role? See permissionDefinitions.xml under "Permissions specific to content" heading.
Ours is configured like this:
"Viewer" is configured exactly as "VibsRead".
HTH,
Josh
That is the same permission definition we are using in production, now Alfresco Enterprise 3.1 SP1. The only change we made in public-services-security-context.xml was
org.alfresco.service.cmr.search.SearchService.query=AFTER_ACL_NODE.sys:base.ReadProperties
Even before this change users were able to browse items and view metadata in the web interface, the problem was if they searched for something it would not show in the results.
Have you added the "VibsRead" permission group as a content and folder specific role? See permissionDefinitions.xml under "Permissions specific to content" heading.
Ours is configured like this:
<permissionSet type="cm:content" expose="selected">
<!– Content specific roles. –>
<permissionGroup name="Coordinator" extends="true" expose="true"/>
<permissionGroup name="Collaborator" extends="true" expose="true"/>
<permissionGroup name="Contributor" extends="true" expose="true"/>
<permissionGroup name="Editor" extends="true" expose="true"/>
<permissionGroup name="Consumer" extends="true" expose="true"/>
<permissionGroup name="Viewer" extends="true" expose="true"/>
<permissionGroup name="Provider" extends="true" expose="true"/>
<permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
</permissionSet>
<permissionSet type="cm:folder" expose="selected">
<!– Content folder specific roles. –>
<permissionGroup name="Coordinator" extends="true" expose="true"/>
<permissionGroup name="Collaborator" extends="true" expose="true"/>
<permissionGroup name="Contributor" extends="true" expose="true"/>
<permissionGroup name="Editor" extends="true" expose="true"/>
<permissionGroup name="Consumer" extends="true" expose="true"/>
<permissionGroup name="Viewer" extends="true" expose="true"/>
<permissionGroup name="Provider" extends="true" expose="true"/>
<permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
</permissionSet>"Viewer" is configured exactly as "VibsRead".
<!– The Viewer permission allows read to node properties only. –>
<permissionGroup name="Viewer" allowFullControl="false" expose="true" >
<includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
<includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
</permissionGroup>HTH,
Josh
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-30-2018 11:56 AM
Related Content
- Solr search results only for admins in Alfresco Forum
- Solr, search API can't find any result without error in Alfresco Forum
- Alfresco Community Edition 23.4 Release Notes in Alfresco Blog
- Adjusting the Search Filter Limit (facet.limit) in Alfresco Forum
- One month until Hyland's Alfresco TechQuest and Hack-a-thon in Lisbon in Alfresco Blog
Getting started
Tags
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.
