Customizing Alfresco Permissions

pavankk
Champ in-the-making
Alfresco is one of the best ECM tools and is built on top of a stack of Java technologies. It uses Spring to accommodate customizations through a set of configuration files.

Out of the box, Alfresco comes with 5 default roles defined for the cm:content type, such as consumer, editor and collaborator. Each role is a bundle of permissions. Apart from these standard role authorities, Alfresco also supports dynamic authorities such as OWNER and LOCKOWNER.

When Alfresco evaluates a permission on a document for a user, it first verifies whether the currently logged-in user is the creator or owner of the document. If so, then irrespective of the role he has on the space (for example, he may have been invited to the space with the consumer role), he is allowed to perform the action against the document.

In short, dynamic authorities override the role the user possesses on the document.

To understand more about Alfresco permissions, see the wiki page below:

Alfresco Permissions Wiki

Business Case

Here is the business requirement: if a user has been invited as a read-only user (assigned the consumer role), then he should not be authorized to delete or edit the document, even though he is the owner or creator.

How can we achieve this customization in Alfresco? We can do it by customizing the out-of-the-box Alfresco Permission Service.

Alfresco defines all its public services in public-services-context.xml, and each service bean is defined with a Spring AOP proxy.

The design of the service API follows the pattern below:

1) Service Interface

2) Service Implementation

3) Stack of interceptors

Here is an example:

<bean id="PermissionService" class="org.springframework.aop.framework.ProxyFactoryBean">
        <property name="proxyInterfaces">
            <value>org.alfresco.service.cmr.security.PermissionService</value>
        </property>
        <property name="target">
            <ref bean="permissionService"/>
        </property>
        <property name="interceptorNames">
            <list>
                <idref bean="PermissionService_transaction"/>
                <idref bean="AuditMethodInterceptor"/>
                <idref bean="exceptionTranslator"/>
                <idref bean="PermissionService_security"/>
            </list>
        </property>
    </bean>

As we can see, the Permission Service above has 4 interceptors, such as the security interceptor and AuditMethodInterceptor. We can also define our own interceptor.

To create an interceptor, create a class that implements org.aopalliance.intercept.MethodInterceptor and provide an implementation of the invoke method, then include this interceptor as the last interceptor in the Permission Service interceptorNames list.

Now each method invocation on PermissionService will be intercepted by your custom interceptor, and you are free to provide your own implementation for it.

The example configuration below shows how to include your custom interceptor within the PermissionService bean definition:


<bean id="PermissionService" class="org.springframework.aop.framework.ProxyFactoryBean">
        <property name="proxyInterfaces">
            <value>org.alfresco.service.cmr.security.PermissionService</value>
        </property>
        <property name="target">
            <ref bean="permissionService"/>
        </property>
        <property name="interceptorNames">
            <list>
                <idref bean="PermissionService_transaction"/>
                <idref bean="AuditMethodInterceptor"/>
                <idref bean="exceptionTranslator"/>
                <idref bean="PermissionService_security"/>
                <idref bean="CustomPermissionService"/>
            </list>
        </property>
   </bean>


I hope this blog will be helpful for Alfresco developers who want to customize the out-of-the-box permissions.

If you are still looking for clarification you can post your questions.

Cheers!!!!!!!!!!

Pavan
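As an added example (not code from the original post or from Alfresco), here is a minimal interceptor for the business case above that could be registered under the bean id `CustomPermissionService` used in the configuration. The class name, package, injected property and the choice to post-process only `hasPermission(NodeRef, String)` for `Write` and `Delete` are assumptions; it matches only ACL entries set for the user directly, not through groups.

```java
package org.example.security; // hypothetical package

import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;

/** Downgrades ALLOWED to DENIED for Write/Delete when the caller is an explicit Consumer. */
public class ConsumerOverridesOwnerInterceptor implements MethodInterceptor {

    // Assumption: wired to the lowercase target bean "permissionService", not the
    // proxy, so the ACL lookup below does not re-enter this interceptor.
    private PermissionService permissionService;

    public void setPermissionService(PermissionService permissionService) {
        this.permissionService = permissionService;
    }

    @Override
    public Object invoke(MethodInvocation invocation) throws Throwable {
        // Let the target evaluate first (including the dynamic authorities).
        Object result = invocation.proceed();
        Object[] args = invocation.getArguments();
        boolean isCheck = "hasPermission".equals(invocation.getMethod().getName())
                && args.length == 2 && args[0] instanceof NodeRef && args[1] instanceof String;
        if (!isCheck || result != AccessStatus.ALLOWED) {
            return result; // other methods and non-ALLOWED answers pass through untouched
        }
        String requested = (String) args[1];
        if (!PermissionService.WRITE.equals(requested) && !PermissionService.DELETE.equals(requested)) {
            return result;
        }
        String user = AuthenticationUtil.getRunAsUser();
        // getAllSetPermissions returns the ACL entries on the node, inherited ones included.
        for (AccessPermission ace : permissionService.getAllSetPermissions((NodeRef) args[0])) {
            if (ace.getAccessStatus() == AccessStatus.ALLOWED
                    && ace.getAuthority().equals(user)
                    && PermissionService.CONSUMER.equals(ace.getPermission())) {
                return AccessStatus.DENIED; // explicit Consumer wins over OWNER
            }
        }
        return result;
    }
}
```

Only calls that go through the `PermissionService` proxy bean reach this interceptor; code wired directly to the lowercase `permissionService` target bean bypasses it, so test the delete and edit paths themselves and not just the permission answer.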

5 REPLIES 5

afaust
Legendary Innovator
Hello,

I would suggest handing the ownership over to another user or even to the "empty" user (any non-null value for cm:owner that doesn't match an existing user) instead of adding your custom interceptors in the core services for this use case. Simply implement an action or script that sets cm:owner, and since the OWNER dynamic authority bases its evaluation on this property, the previous owner / creator will no longer have more permissions on a document than via the assigned privileges.

Regards
Axel

pavankk
Champ in-the-making
Hello,

Yes, you are right, we can use cm:owner for handling the ownership, but the business use case for us is that even though the user is an owner or creator, at some point in time they may want to make this user just read-only and still want the creator of the document to remain the same. This use case will not be achieved just using the cm:ownable aspect.

Thanks
Pavan





afaust
Legendary Innovator
Hello,

I don't see why not. They will remain the creator, but no longer be owner and no longer have the privileges that come with that.

Regards
Axel

hagak
Champ in-the-making
If packaging within an AMP, how do you override the PermissionService bean?

afaust
Legendary Innovator
Hello,

An AMP should typically NOT override the permissionServiceImpl bean. It should only provide the DynamicAuthority, and the permissionServiceImpl bean should be overridden only in either the final build project (where all AMPs are merged into the WAR) or in shared/classes/alfresco/Extension.

An alternative to overriding the XML would be the use of a Spring BeanFactoryPostProcessor to simply add a reference to your DynamicAuthority to the list of authorities in the bean definition after it is read from XML but before the bean is instantiated. But this is rather advanced use of Spring and non-standard in Alfresco.

Regards
Axel
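The BeanFactoryPostProcessor approach described in the reply above, as an added sketch that is not code from the thread or from Alfresco. The class name, package, the list property name `dynamicAuthorities` and the authority bean id are assumptions to check against your Alfresco version; `permissionServiceImpl` is the bean named in the reply.

```java
package org.example.security; // hypothetical package

import java.util.List;

import org.springframework.beans.BeansException;
import org.springframework.beans.PropertyValue;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.beans.factory.config.RuntimeBeanReference;

/** Appends a DynamicAuthority bean reference to an existing list property. */
public class DynamicAuthorityRegistrar implements BeanFactoryPostProcessor {

    private String targetBeanName = "permissionServiceImpl"; // bean named in the reply
    private String listPropertyName = "dynamicAuthorities";  // assumption: verify in your version
    private String authorityBeanName;                         // id of your own DynamicAuthority bean

    public void setTargetBeanName(String name) { this.targetBeanName = name; }
    public void setListPropertyName(String name) { this.listPropertyName = name; }
    public void setAuthorityBeanName(String name) { this.authorityBeanName = name; }

    @Override
    @SuppressWarnings("unchecked")
    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory)
            throws BeansException {
        // Runs after the XML is parsed and before any bean is instantiated.
        BeanDefinition definition = beanFactory.getBeanDefinition(targetBeanName);
        PropertyValue value = definition.getPropertyValues().getPropertyValue(listPropertyName);
        if (value == null || !(value.getValue() instanceof List)) {
            // Fail at startup instead of running without the intended authority.
            throw new IllegalStateException("No list property '" + listPropertyName
                    + "' on bean '" + targetBeanName + "'");
        }
        List<Object> authorities = (List<Object>) value.getValue();
        RuntimeBeanReference reference = new RuntimeBeanReference(authorityBeanName);
        if (!authorities.contains(reference)) {
            authorities.add(reference); // resolved to the real bean at instantiation time
        }
    }
}
```

Declare the registrar as an ordinary bean in the extension context with `authorityBeanName` set; because it throws when the property is missing, an upgrade that renames the list fails at startup instead of silently dropping the custom authority.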