Hyland Connect

marco_sindoni · ‎04-05-2008

Hi to all! I want to implement a security policy for my Alfresco installation (Alfresco Community 2.9B). This is the situation:

- I've defined an Alfresco group called USERS, and an Alfresco user called TESTUSER. TESTUSER belongs to USERS group
- In 'My Company' space I've created a space called 'Test Space'. This in not a cm:folder; the space type is a custom type, defined by testSpaceModel.xml. Here the XML:

<?xml version="1.0" encoding="UTF-8"?>

<!– Test Space Model –>

<model name="testSpace:testSpaceModel" xmlns="http://www.alfresco.org/model/dictionary/1.0">
   <!– Optional meta-data about the model –>
   <description>Test Space Model</description>
   <author></author>
   <version>1.0</version>

   <imports>
      <!– Import Alfresco Dictionary Definitions –>
      <import uri="http://www.alfresco.org/model/dictionary/1.0" prefix="d" />
      <!– Import Alfresco Content Domain Model Definitions –>
      <import uri="http://www.alfresco.org/model/content/1.0"   prefix="cm" />
   </imports>

   <namespaces>
      <namespace uri="testSpace.model" prefix="testSpace" />
   </namespaces>

   <types>
      <type name="testSpace:folder">
         <title>Test Space</title>
         <parent>cm:folder</parent>
         <mandatory-aspects>
            <aspect>testSpace:testSpaceMetadata</aspect>
         </mandatory-aspects>
      </type>
   </types>

   <aspects>
      <aspect name="testSpace:testSpaceMetadata">
         <title>Test Space Metadata</title>
         <properties>
            <property name="testSpace:spaceStringProperty"><type>d:text</type></property>
         </properties>
      </aspect>
   </aspects>
</model>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

- Into 'Test Space' I load my documents. The document type is custom, defined in customDocumentModel.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!– Custom Document Model –>
<model name="customDocument:customDocumentModel" xmlns="http://www.alfresco.org/model/dictionary/1.0">
   <!– Optional meta-data about the model –>
   <description>Custom Document Model</description>
   <author></author>
   <version>1.0</version>

   <imports>
      <!– Import Alfresco Dictionary Definitions –>
      <import uri="http://www.alfresco.org/model/dictionary/1.0" prefix="d" />
      <!– Import Alfresco Content Domain Model Definitions –>
      <import uri="http://www.alfresco.org/model/content/1.0"   prefix="cm" />
   </imports>

   <namespaces>
      <namespace uri="customDocument.model" prefix="customDocument" />
   </namespaces>

   <types>
      <type name="customDocument:file">
         <title>Custom Document File</title>
         <parent>cm:content</parent>
         
         <mandatory-aspects>
            <aspect>cm:titled</aspect>
            <aspect>cm:author</aspect>
            <aspect>customDocument:customDocumentMetadata</aspect>
         </mandatory-aspects>
      </type>
   </types>

   <aspects>
      <aspect name="customDocument:customDocumentMetadata">
         <title>Custom Document Metadata</title>
         <properties>
            <property name="customDocument:docStringProperty"><type>d:text</type></property>
            <property name="customDocument:docLongProperty"><type>d:long</type></property>
            <property name="customDocument:docBooleanProperty"><type>d:boolean</type></property>
         </properties>
      </aspect>
   </aspects>
</model>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

- Actually 'Test Space' security defines USERS with Alfresco role 'Editor'

I want to create a specific role in permissionDefinitions.xml. The required scenario is: USERS group on 'Test Space' can edit documents and metadata (like Editors) AND also make forum posts. Note that I don't want to grant USERS to add documents. I've tried many configurations in permissionDefinitions.xml, following Alfresco wiki and various Alfresco forum posts, but with no luck. Last configuration I've tried is (reporting only my modifications to permissionDefinitions.xml):

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE permissions >
<!–PUBLIC '-//ALFRECSO//DTD PERMISSIONS//EN' 'permissionSchema.dtd' –>
<!– Note: the above is commented out as spring does not seem to find the dtd –>
<!– ============================================ –>
<!– The base permission model for the repository –>
<!– ============================================ –>
<!– The parent permission checks were removed 20/1/2006 –>

<permissions>
    <!– Namespaces used in type references –>
   <namespaces>
      <namespace uri="http://www.alfresco.org/model/system/1.0" prefix="sys"/>
      <namespace uri="http://www.alfresco.org/model/content/1.0" prefix="cm"/>
      <namespace uri="http://www.alfresco.org/model/wcmappmodel/1.0" prefix="wca"/>
      <namespace uri="customDocument.model" prefix="customDocument"/>
   </namespaces>
   
   […]
   
   <permissionSet type="customDocument:file" expose="selected">      
       <permissionGroup name="MyEditory" allowFullControl="false" expose="true">
        <!– Same as Editor –>
        <includePermissionGroup type="cm:cmobject" permissionGroup="Consumer"/>
          <includePermissionGroup type="sys:base" permissionGroup="Write"/>
          <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
          <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
          <!– My specific permissions –>
          <includePermissionGroup type="customDocument:file" permissionGroup="AddChildren"/>
      </permissionGroup>      
   </permissionSet> 
   
   […]
   
</permissions>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

When I go to space permission management from web client, in order to add MyEditor role, I got this exception:

User:admin ERROR [[localhost].[/alfresco].[jsp]] Servlet.service() for servlet jsp threw exception
org.alfresco.repo.security.permissions.impl.model.PermissionModelException: There is no permission group :{customDocument.model}file AddChildren
   at org.alfresco.repo.security.permissions.impl.model.PermissionModel.getPermissionGroup(PermissionModel.java:661)
   at org.alfresco.repo.security.permissions.impl.model.PermissionModel.grants(PermissionModel.java:534)
   at org.alfresco.repo.security.permissions.impl.model.PermissionModel.getGrantingPermissionsImpl(PermissionModel.java:491)
   at org.alfresco.repo.security.permissions.impl.model.PermissionModel.getGrantingPermissions(PermissionModel.java:475)
   at org.alfresco.repo.security.permissions.impl.PermissionServiceImpl$NodeTest.<init>(PermissionServiceImpl.java:663)
   at org.alfresco.repo.security.permissions.impl.PermissionServiceImpl.hasPermission(PermissionServiceImpl.java:386)
   at org.alfresco.repo.security.permissions.impl.PermissionServiceImpl.hasPermission(PermissionServiceImpl.java:577)
   at sun.reflect.GeneratedMethodAccessor228.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:281)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:187)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:154)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:210)
   at $Proxy14.hasPermission(Unknown Source)
   at sun.reflect.GeneratedMethodAccessor228.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:281)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:187)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:154)
   at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:49)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
   at org.alfresco.repo.audit.AuditComponentImpl.audit(AuditComponentImpl.java:241)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:69)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:210)
   at $Proxy19.hasPermission(Unknown Source)
   at org.alfresco.web.bean.repository.Node.hasPermission(Node.java:371)
   at org.alfresco.web.bean.users.UserMembersBean.getHasChangePermissions(UserMembersBean.java:257)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.myfaces.el.PropertyResolverImpl.getProperty(PropertyResolverImpl.java:457)
   at org.apache.myfaces.el.PropertyResolverImpl.getValue(PropertyResolverImpl.java:85)
   at org.apache.myfaces.el.ELParserHelper$MyPropertySuffix.evaluate(ELParserHelper.java:535)
   at org.apache.commons.el.ComplexValue.evaluate(ComplexValue.java:145)
   at org.apache.commons.el.UnaryOperatorExpression.evaluate(UnaryOperatorExpression.java:156)
   at org.apache.myfaces.el.ValueBindingImpl.getValue(ValueBindingImpl.java:386)
   at javax.faces.component.html.HtmlSelectBooleanCheckbox.isDisabled(HtmlSelectBooleanCheckbox.java:103)
   at org.apache.myfaces.shared_impl.renderkit.html.HtmlCheckboxRendererBase.isDisabled(HtmlCheckboxRendererBase.java:271)
   at org.apache.myfaces.shared_impl.renderkit.html.HtmlCheckboxRendererBase.renderCheckbox(HtmlCheckboxRendererBase.java:252)
   at org.apache.myfaces.shared_impl.renderkit.html.HtmlCheckboxRendererBase.encodeEnd(HtmlCheckboxRendererBase.java:64)
   at javax.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:539)
   at javax.faces.webapp.UIComponentTag.encodeEnd(UIComponentTag.java:498)
   at javax.faces.webapp.UIComponentTag.doEndTag(UIComponentTag.java:366)
   at org.apache.jsp.jsp.roles.manage_002dinvited_002dusers_jsp._jspx_meth_h_005fselectBooleanCheckbox_005f0(manage_002dinvited_002dusers_jsp.java:2096)
   at org.apache.jsp.jsp.roles.manage_002dinvited_002dusers_jsp._jspService(manage_002dinvited_002dusers_jsp.java:718)
   at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
   at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:328)
   at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:315)
   at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:691)
   at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
   at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
   at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
   at org.apache.myfaces.context.servlet.ServletExternalContextImpl.dispatch(ServletExternalContextImpl.java:419)
   at org.apache.myfaces.application.jsp.JspViewHandlerImpl.renderView(JspViewHandlerImpl.java:211)
   at org.apache.myfaces.lifecycle.RenderResponseExecutor.execute(RenderResponseExecutor.java:41)
   at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:132)
   at javax.faces.webapp.FacesServlet.service(FacesServlet.java:140)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   at org.alfresco.web.app.servlet.AuthenticationFilter.doFilter(AuthenticationFilter.java:81)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
   at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
   at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
   at java.lang.Thread.run(Thread.java:619)‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

I feel that I'm missing some concepts on Alfresco security model. Can anyone point me on the right direction?

Thanks!

Bye, Marco

ribz33 · ‎04-09-2008

Hi marco,

I never do that, but i think it's possible.

First, you did some mistake in your last configuration. Try this :
1- replace

<permissionSet type="customDocument:file" expose="selected">‍

by

<permissionSet type="testSpace:folder" expose="selected">‍

–> i think you need to define permission on your custom folder type

2- replace

<includePermissionGroup type="customDocument:file" permissionGroup="AddChildren"/>‍

by

<includePermissionGroup type="sys:base" permissionGroup="AddChildren"/>‍

–> AddChildren is permission group define in type sys:base.

This configuration means that you had created permissiongroup(= role) "MyEditory" on node with type "testSpace:folder". So if a user have this role, he will be be an editor and also to add children to this node.

I expect this works…

Hyland Connect

Define a custom role in permissionDefinitions.xml