Hyland Connect

sebastien_marin · ‎09-12-2006

Hello, i have a parrove/reject workflow on documents. So i create a approve role with a permission group 'Validation". etc.

So my problem is that the "approve"action button is not disable on the menu for the user whitch are not "approver".

I modify the web-client-config-action.xml to display the action when the Validation group permission is true.

So that is not ok, it is always display.

How can i do. What is my problem of configuration?.

<!– 'Approve' workflow step for document –>
         <action id="approve_doc">
            <permissions>
               <permission allow="true">Validation</permission>
            </permissions>
……….
……….
         </action>

gavinc · ‎09-13-2006

Presuming that the user has the "Validation" permission group assigned to it then the configuration you have looks correct to me.

An alternative way to accomplish the same thing is to use an evaluator and perform the permission check manually in there. To add this to the config do the following:

<evaluator>org.alfresco.web.action.evaluator.YourEvaluator</evaluator>‍

limarin · ‎09-18-2006

Gavin,

can you put an example?… I have added my evaluator… how perform the permission check manually? That methods, classes … have I to use?

Thanks

gavinc · ‎09-18-2006

There are several evaluators in the org.alfresco.web.action.evaluator that use manual permission checks, one of them is CancelCheckoutDocEvaluator, an exerpt from this is shown below:

node.hasPermission(PermissionService.CANCEL_CHECK_OUT)‍

You should be able to replace this with your example i.e.

node.hasPermission("Validation")‍

limarin · ‎09-19-2006

It does not work… What do I do badly?

I have three new user roles, one whith my new permission "CreateMySpaceWizard" and two without the permission.

permissionDefinition.xml

<permissions>    
   ……   
   <permissionSet type="sys:base" expose="all" >    
      ……
      <permissionGroup name="CreateContent" expose="true" allowFullControl="false" />
      <permissionGroup name="CreateMySpaceWizard" expose="true" allowFullControl="false" />
      
      ……
      <permission name="CreateChildren" expose="true" >
         <grantedToGroup permissionGroup="AddChildren" /> 
         <grantedToGroup permissionGroup="CreateContent" /> 
      </permission>
      ……       
   </permissionSet>
      
   <permissionSet type="cm:cmobject" expose="selected">
      ……
      <permissionGroup name="Reader" allowFullControl="false" expose="true" > 
         <includePermissionGroup permissionGroup="Read" type="sys:base" />
      </permissionGroup>      
      
      <permissionGroup name="Part" allowFullControl="false" expose="true" > 
         <includePermissionGroup type="sys:base" permissionGroup="CreateContent" /> 
         <includePermissionGroup type="cm:cmobject" permissionGroup="Reader"/>
         <includePermissionGroup type="sys:base" permissionGroup="Write"/>
         <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
      </permissionGroup> 
      
      <permissionGroup name="Cons" allowFullControl="false" expose="true" > 
         <includePermissionGroup type="sys:base" permissionGroup="CreateContent" />
         <includePermissionGroup type="sys:base" permissionGroup="AddChildren" />
         <includePermissionGroup type="sys:base" permissionGroup="CreateMySpaceWizard" />
         <includePermissionGroup type="cm:cmobject" permissionGroup="Reader"/>
         <includePermissionGroup type="sys:base" permissionGroup="Write"/>
         <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
      </permissionGroup>         
   </permissionSet>   
  
   <permissionSet type="cm:content" expose="selected">
       ……
      <permissionGroup name="Reader" extends="true" expose="true"/>
      <permissionGroup name="Part" extends="true" expose="true"/>
      <permissionGroup name="Cons" extends="true" expose="true"/>
   </permissionSet>   
</permissions>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

I have created mySpaces.xml:

<cm:folder view:childName="${spaces.company_home.childname}">
        <view:acl view:inherit="false">
            <view:ace view:access="ALLOWED">
                <view:authority>GROUP_EVERYONE</view:authority>
                <view:permission>Consumer</view:permission>
            </view:ace>
        </view:acl>
        <app:uifacets />
        <cm:name>${spaces.company_home.name}</cm:name>
        <app:icon>space-icon-default</app:icon>
        <cm:title>${spaces.company_home.name}</cm:title>
        <cm:description>${spaces.company_home.description}</cm:description>
        <cm:contains>
        
            ……….
            
            <cm:folder view:childName="${spaces.services.childname}">
                <app:uifacets />
                <cm:name>${spaces.services.name}</cm:name>
                <app:icon>space-icon-default</app:icon>
                <cm:title>${spaces.services.name}</cm:title>
                <cm:description>${spaces.services.description}</cm:description>
                <cm:contains>
                    <cm:folder view:childName="${spaces.serviceTypeA.childname}">
                        <view:acl view:inherit="false">
                            <view:ace view:access="ALLOWED">
                                <view:authority>user1</view:authority>
                                <view:permission>Cons</view:permission>
                            </view:ace>
                            <view:ace view:access="ALLOWED">
                                <view:authority>user2</view:authority>
                                <view:permission>Part</view:permission>
                            </view:ace>
                            <view:ace view:access="ALLOWED">
                                <view:authority>user3</view:authority>
                                <view:permission>Reader</view:permission>
                            </view:ace>      
                        </view:acl>
                        <app:uifacets />
                        <cm:name>${spaces.services.serviceTypeA.name}</cm:name>
                        <app:icon>space-icon-default</app:icon>
                        <cm:title>${spaces.services.serviceTypeA.name}</cm:title>
                        <cm:description>${spaces.services.serviceTypeA.description}</cm:description>
                    </cm:folder>
                </cm:contains>
            </cm:folder>               
        </cm:contains>
    </cm:folder>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Configuration in web-client-config-custom.xml

<action id="CreateMySpaceWizard">
            <permissions>
               <permission allow="true">CreateMySpaceWizard</permission>
            </permissions>
            <evaluator>com.alfresco.oval.impl.evaluator.CreateMySpaceWizardEvaluator</evaluator>
            <label-id>CreateMySpaceWizard</label-id>
            <image>/images/icons/create_space.gif</image>
            <action>wizard:CreateMySpaceWizard</action>
         </action>
      
         <action-group id="browse_create_menu">
            ………
            <action idref="CreateMySpaceWizard" />
         </action-group>‍‍‍‍‍‍‍‍‍‍‍‍‍‍

And CreateMySpaceWizardEvaluator:

public boolean evaluate(Node node)
   {  
      FacesContext fc = FacesContext.getCurrentInstance();
      DictionaryService dd = Repository.getServiceRegistry(fc).getDictionaryService();
      boolean result = false;

      
      if ( (dd.isSubClass(node.getType(), ContentModel.TYPE_FOLDER)) && 
          (node.hasPermission("CreateMySpaceWizard"))  )
      {   
         result = true;
      }
      
      
      return result;
      
   }‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

In the space "serviceTypeA" the user "user1" whith role "Cons", he must to him appear the new action "CreateMySpaceWizard".

And not to the users "user2" whit role "Part" and "user3" whit role "Reader"…. But it does not work and appears.

So that is not ok, it is always display.

How can i do. What is my problem of configuration?.

andy · ‎09-20-2006

Hi


<permissionGroup name="CreateMySpaceWizard" expose="true" allowFullControl="false" /> 
‍‍‍

The permissoin group CreateMySpaceWizard does not include any other permission groups nor is it assigned to any permission groups like …


<permission name="CreateChildren" expose="true" >
         <grantedToGroup permissionGroup="AddChildren" />
         <grantedToGroup permissionGroup="CreateContent" />
         <grantedToGroup permissionGroup="CreateMySpaceWizard" />
</permission> 
‍‍‍‍‍‍‍

This means there are no permissions associated with this permission group. In the end it is the low level permissions that make up the permission group that are actually used for the check. As nothing is required then this permission will always be allowed.

Regards

Andy

limarin · ‎09-20-2006

Hi,

I have done the changes, but this continues without working completely.

Now the "user3" whit role "Reader", it is ok… not appears the new action "CreateMySpaceWizard".
But the "user2" whit role "Part"…. it does not work and appears.

I have tried with a new permission:

<permission name="CreateExpedientPermissions" expose="true" >
<grantedToGroup permissionGroup="CreateExpedient" />
</permission>

And now it is ok… but is it correct?

Another question:

View spaces.xml for the creation of my spaces, in the space "serviceTypeA" I add authority and permission for the three users. And it is ok, the permissions are applied correctly in the space "serviceTypeA"

But when any user create a new space "Create space", what permissos are applied to the new space? Is it possible that all the permissions are assigned to the new space?

Example:

The "user1" whith role "Cons" cannot "Manage Space Users"… beacuse he does not have the permission "ChangePermissions"

It's ok in the space "serviceTypeA", but not in the new space… all the options appear…. without permission "ChangePermissions".

Thanks.

Hyland Connect

Disable action button for permission-group.