
PermissionService.setPermission to deny access to file owner

francesco_lilli
Champ in-the-making
Hi,

I'm experiencing an issue with the PermissionService.
Say I have a file called "test.txt", with "bob" being the username of its owner. The file is inside the documentLibrary (three/four levels of depth).
Since "bob" is the owner, he has full permissions on the file. At some point I have to deny write access to all users, including its owner (and if possible the super-user "admin", but that doesn't matter).

To achieve my goal I'm calling this Java function, which makes use of PermissionService:


public void removeWritePermissionFromFile(NodeRef fileNodeRef) {

   System.out.println("All set permissions: " + permissionService.getAllSetPermissions(fileNodeRef));
   System.out.println("Current file permissions: " + permissionService.getPermissions(fileNodeRef));
   System.out.println("hasWritePermission: " + permissionService.hasPermission(fileNodeRef, permissionService.WRITE));
   System.out.println("hasConsumerPermission: " + permissionService.hasPermission(fileNodeRef, permissionService.CONSUMER));
   System.out.println("hasContributorPermission: " + permissionService.hasPermission(fileNodeRef, permissionService.CONTRIBUTOR));
   System.out.println("hasCoordinatorPermission: " + permissionService.hasPermission(fileNodeRef, permissionService.COORDINATOR));
      
   permissionService.setInheritParentPermissions(fileNodeRef, false);
   System.out.println("INHERITANCE BROKEN.");   
   
   permissionService.setPermission(fileNodeRef, PermissionService.ALL_AUTHORITIES, PermissionService.WRITE, false);
   permissionService.setPermission(fileNodeRef, PermissionService.ALL_AUTHORITIES, PermissionService.CONTRIBUTOR, false);   
   permissionService.setPermission(fileNodeRef, PermissionService.ALL_AUTHORITIES, PermissionService.COORDINATOR, false);   
   permissionService.setPermission(fileNodeRef, PermissionService.ALL_AUTHORITIES, PermissionService.CONSUMER, true);

   System.out.println("NEW All set permissions: " + permissionService.getAllSetPermissions(fileNodeRef));
   System.out.println("NEW file permissions: " + permissionService.getPermissions(fileNodeRef));
   System.out.println("NEW hasWritePermission: " + permissionService.hasPermission(fileNodeRef, permissionService.WRITE));
   System.out.println("NEW hasConsumerPermission: " + permissionService.hasPermission(fileNodeRef, permissionService.CONSUMER));
   System.out.println("NEW hasContributorPermission: " + permissionService.hasPermission(fileNodeRef, permissionService.CONTRIBUTOR));
   System.out.println("NEW hasCoordinatorPermission: " + permissionService.hasPermission(fileNodeRef, permissionService.COORDINATOR));
   
}


Function "removeWritePermissionFromFile" is called passing the noderef of "test.txt" as a parameter, calling user is "bob". The output is:

All set permissions: [ALLOWED Read - GROUP_EVERYONE (EVERYONE), ALLOWED Read - bob (USER)]
Current file permissions: [ALLOWED Contributor - bob (USER), ALLOWED Consumer - bob (USER), ALLOWED Editor - bob (USER), ALLOWED Collaborator - bob (USER), ALLOWED Coordinator - bob (USER), ALLOWED All_Users - bob (USER)]
hasWritePermission: ALLOWED
hasConsumerPermission: ALLOWED
hasContributorPermission: ALLOWED
hasCoordinatorPermission: ALLOWED
INHERITANCE BROKEN.
NEW All set permissions: [ALLOWED Read - GROUP_EVERYONE (EVERYONE), ALLOWED Consumer - GROUP_EVERYONE (EVERYONE), ALLOWED Read - bob (USER), DENIED Contributor - GROUP_EVERYONE (EVERYONE), DENIED Write - GROUP_EVERYONE (EVERYONE), DENIED Coordinator - GROUP_EVERYONE (EVERYONE)]
NEW file permissions: [ALLOWED Contributor - admin (USER), ALLOWED Consumer - admin (USER), ALLOWED Editor - admin (USER), ALLOWED Collaborator - admin (USER), ALLOWED Coordinator - admin (USER), ALLOWED All_Users - admin (USER)]
NEW hasWritePermission: ALLOWED
NEW hasConsumerPermission: ALLOWED
NEW hasContributorPermission: ALLOWED
NEW hasCoordinatorPermission: ALLOWED


As shown in the logs, permissions seem to be correctly set (at least it says DENIED exactly where it's supposed to: Write, Coordinator, Contributor. Note that I've used roles Coordinator and Contributor just for debugging purposes, although I simply need to deny further Writes). But the logs also say that the file still has write, contributor and coordinator permissions (for user "bob" I guess). Indeed, bob can still modify the file as he wants.

I have also tried to call the "setPermission" function just for the group "site1", which is a group made of all people who have access to Site "site1". Bob only has access to "site1", and the file is under "documentLibrary/Sites/site1".


….
permissionService.setPermission(fileNodeRef, "GROUP_site_site1", PermissionService.WRITE, false);
….

The result doesn't change.
Any advice?
5 REPLIES

afaust
Legendary Innovator
Hello,

You have to keep in mind the dynamic role of OWNER. Any user that is either the owner (cm:owner) or - when no cm:owner is set - the creator (cm:creator) automatically has the OWNER role on that node, and this role always has full access privileges and can't be denied via the permission service (note: the admin can never be denied anything).
Only if you either a) disable the OWNER role via the permission services Spring bean configuration or b) set the cm:owner to an empty String can you disable this behavior and achieve truly ACL-only-based permissions.

Regards
Axel
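
The evaluation order described in the reply above, as a simplified model. This is an added example, not part of the thread and not Alfresco code: the class, record and method names are hypothetical, the sample ACL is constructed, and permission groups and ACL inheritance are left out.

```java
import java.util.List;
import java.util.Set;

// Simplified model only; none of these names come from Alfresco.
public class OwnerRoleModel {
    record Ace(String authority, String permission, boolean allow) {}

    // The two properties the reply mentions, plus the node's ACL.
    record Node(String cmOwner, String cmCreator, List<Ace> acl) {}

    // cm:owner wins when it is set (even to ""); otherwise fall back to cm:creator.
    static String effectiveOwner(Node n) {
        return n.cmOwner() != null ? n.cmOwner() : n.cmCreator();
    }

    static boolean hasPermission(Node n, String user, Set<String> groups, String perm) {
        if (user.equals("admin")) return true;            // admin is never denied
        if (user.equals(effectiveOwner(n))) return true;  // dynamic OWNER role: full control
        // ACL entries are consulted only after the checks above.
        // Assumption of this model: a matching DENY beats any ALLOW.
        boolean allowed = false;
        for (Ace a : n.acl()) {
            boolean applies = a.authority().equals(user) || groups.contains(a.authority());
            if (!applies || !a.permission().equals(perm)) continue;
            if (!a.allow()) return false;
            allowed = true;
        }
        return allowed;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the thread: Write denied to everyone on test.txt.
        List<Ace> acl = List.of(
            new Ace("GROUP_EVERYONE", "Write", false),
            new Ace("GROUP_EVERYONE", "Read", true),
            new Ace("bob", "Read", true));
        Set<String> groups = Set.of("GROUP_EVERYONE", "GROUP_site_site1");

        Node asPosted = new Node(null, "bob", acl);    // no cm:owner, so the creator is the owner
        Node ownerCleared = new Node("", "bob", acl);  // cm:owner set to an empty string

        System.out.println("bob write, as posted:     " + hasPermission(asPosted, "bob", groups, "Write"));
        System.out.println("alice write, as posted:   " + hasPermission(asPosted, "alice", groups, "Write"));
        System.out.println("bob write, owner cleared: " + hasPermission(ownerCleared, "bob", groups, "Write"));
        System.out.println("bob read, owner cleared:  " + hasPermission(ownerCleared, "bob", groups, "Read"));
        System.out.println("admin write:              " + hasPermission(ownerCleared, "admin", groups, "Write"));
    }
}
```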

Hi Axel,
Thanks for your reply. I have tried to set the cm:owner to an empty string, it works fine. However I'd rather not go this way, since I need to disable writing several times on the same file (i.e., when a certain workflow starts, this file cannot be modified by anyone; when a user refuses a task in that workflow the file needs to be editable again, and when edited it must become non-editable). I should set and unset the owner of the file several times, not just once: setting/unsetting the owner doesn't seem to be a clean solution in this case.
About the other way you suggested (disable the OWNER role via the permission services Spring bean configuration), this is also not the perfect way to go: only in this particular case (i.e. the workflow) permissions need to behave this way, but as I said this is a particular case.
How would you proceed, given such requirements?

Wait, which file do you mean with "the permission services Spring bean configuration"? At first I thought you meant "permissionDefinitions.xml" but is it maybe "public-services-security-context.xml"? What would you change in there?

kaynezhang
World-Class Innovator
Permissions and their groupings are defined in permissionDefinitions.xml. permissionDefinitions.xml is referenced by public-services-security-context.xml.
I think you can modify permissionDefinitions.xml.

I've been trying to edit permissionDefinitions.xml like this:



<!-- <globalPermission permission="FullControl" authority="ROLE_OWNER"/> -->
<globalPermission permission="Read" authority="ROLE_OWNER"/>


and (oddly enough) nothing changed. But probably there's something else I should know about. I'd probably need to go deeper into the matter, but I'm sure you experienced guys know what I'm missing…