Hyland Connect

msvoren · ‎05-27-2008

I have following situation:

Person has permission to read and write in Space A. He can NOT see Space B.
There's a rule which executes script and moves inbound content from Space A to Space B.
It goes like this: person uploads content to A, script moves it to B.

How can this be done? For what I see now, script will not execute, and uploaded file stays in A..

Help please!

msvoren · ‎05-28-2008

Can I e.g. create a custom role, which would enable invited users to WRITE to space, but not to READ?

Can this be done?

mabayona · ‎05-28-2008

I do no think it is possible to have write permission without read one (i.e. before writing the system has to verify that the space exists, that no other document with equal name exists, … -> Read permission.

That is again a reason why the runas functionality is needed for simple workflow: to implement this common pattern that you are looking for.

msvoren · ‎06-10-2008

I can't believe something like this is not already implemented..
Shouldn't executing rules be "run as admin" as default ?

mabayona · ‎06-10-2008

Nope, "run as admin" as default would be a HUGE security hole. It would defeat the permissions concept. However, what is needed is a controlled way to do it. ThatÂ´s why the "runas" would be a good solution.

Alfresco?

msvoren · ‎06-10-2008

Thank you mabayona,

Any other way to implement this?
I'm intrested in hacks, what ever.. ?

mabayona · ‎06-10-2008

There is a way. If you use 2.9, use an advanced workflow. With advanced workflow you got the <runas> option. The process would be something like:

=> Create an advance workflow that gets associated automatically to a entry ( using a rule):

http://wiki.alfresco.com/wiki/WorkflowAdministration#Step_7:_Integration_with_Rules_.28Optional.29

This workflow has an action can move the e.g. document entered in a space e.g."inbox" into another space not writable by the issuer since it can be run with the privileges defined in <runas>xxx</runas>.

Alternatively, you can do something similar (although more complex) in Java.

msvoren · ‎06-12-2008

Thank you very much, will try that!

sacco · ‎06-13-2008

Recall that end users can upload Javascript actions which is one of the way rules (whether related to simple workflow or not) can be implemented. Anything that end users can do script wise must be locked down from a security perspective (ie. the script must not be allowed to "run as" another user, amongst other things).

But this already is an enormous security hole. I simply set up a rule on my space to run
my script on all incoming items. As soon as anybody puts anything in my space the game is over:
my script is running as them!

Given that the Alfresco permissions model makes it impossible to run even a simple workflow
without giving, say, reviewers access to write the properties of the directory, it's absolutely
trivial to make sure that people will drop things in your trap. (I won't spell it out any further).

Frankly, I would avoid using Alfresco for anything where even simple security is relevant,
at least until they've rethought the security model entirely, especially given that almost
all of the parent permission checks are commented out in the normal distribution!

We really need basic functionality which works robustly and predictably rather than new features.

mabayona · ‎06-13-2008

I do not quite understand what you mean. My experience using Alfresco and its security model is VERY GOOD and i find it robust and usable. Could you give an example of your claims?

Do not forget that the security model has a very fine granularity and it is PER SPACE and per item. The fact that someone has acces to a space does no implies that has acces to other spaces.

I would appreciate an elaborated sample of what you perceive as shortcomings of actual implementation to check it against my experience using alfresco.

sacco · ‎06-13-2008

OK, but it'll have to be next week, as I'm already two hours late!

Hyland Connect

Permission to execute script