
running search service as different user

vinhqchu
Champ in-the-making
is it possible to run the search service as someone other than yourself, i.e. admin? currently i have an aspect-based search, but the results are only for the spaces or contents the current user is allowed to view. i want to display all results even if the user does not have permission so at least they know it exists.

thank you in advance for your inputs.

zomurn
Champ in-the-making
So this is not a problem of securityContext but of permission.
Have a look at PermissionService and set the right permission on the space or file.
You can do ….permissionService.setPermission(MyDoc,"Consumer",xxx,true) where xxx is the group of member the person belongs to and true means set the permissions inherited for all subspaces.

vinhqchu
Champ in-the-making
thank you for your response, but i think your solution will allow the user to view the content/space, which is not what i want. i need the user to know it exists, but not to be able to access it. i'm not sure if what i'm asking for is doable. what is happening is, a user does a search and they get no results because they do not have permission on these results, the user then believes no results exist which is not true. i need the results to display so they can then ask for permission for the content/space.

zomurn
Champ in-the-making
Well, suppose the document (MyDoc.pdf) you are looking for is located at the path A->B->MyDoc.pdf.
If I understood, you want the user to be able to view MyDoc.pdf but neither A nor B.
So remove all permissions set on A and B and disable "inherit permissions" on A and B. As a result, nobody sees A and B anymore.
I should point out that by default, GROUP_EVERYONE has "Consumer" permissions on newly created folders… you need to remove it.
Concerning the permission on the document MyDoc.pdf, do the same: remove all permissions but leave the "Consumer" permission for this user (or for the group he belongs to).
Then the user should be able to query the document but, as you can see in the search result view, he won't be able to see the location of the document because he has no read access to A and B.

> i think your solution will allow the user to view the content/space, which is not what i want

Do you mean the search result view should return the number 1 and *NOT* the document itself?

derek
Star Contributor
Hi,
If you remove permission checks from the search, you will get the result you need, i.e. you will search as admin, get all the results and display them. When attempting to access the results, the user will be denied. This is easy to do by overriding the "searchService" bean being used. However, you will be allowing the user to do searches for "Fred Fired" or "Fred Final Warning Draft" and so on …
Regards

vinhqchu
Champ in-the-making
hello derek,

thank you for your reply. your suggestion seems to be what i need. confidentiality shouldn't be a problem because i am running the search on aspects only (i.e. model numbers).

i am still stuck though, because i cannot find out where to turn off the permission check, i've reviewed the org.alfresco.service.cmr.SearchService.java file, but cannot see where to turn off the check.

thank you again for your help.

derek
Star Contributor
Hi,
If the search is done from your code, then the simplest is just to use AuthenticationUtil.runAs using the system user.  If you want to modify the configuration of the SearchService as a whole, then you need to look in public-services-security-context.xml at bean SearchService_security and add an override to your custom-repository-context.xml:

    <bean id="SearchService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                org.alfresco.service.cmr.search.SearchService.query=ACL_ALLOW
                org.alfresco.service.cmr.search.SearchService.selectNodes=AFTER_ACL_NODE.sys:base.Read
                org.alfresco.service.cmr.search.SearchService.selectProperties=ACL_NODE.0.sys:base.Read
                org.alfresco.service.cmr.search.SearchService.contains=ACL_NODE.0.sys:base.Read
                org.alfresco.service.cmr.search.SearchService.like=ACL_NODE.0.sys:base.Read
            </value>
        </property>
    </bean>
Alternatively, remove the permission evaluation from the search service.  Look inside public-services-context.xml and add the following override of SearchService to your custom-repository-context.xml:

    <bean id="SearchService" class="org.springframework.aop.framework.ProxyFactoryBean">
        <property name="proxyInterfaces">
            <value>org.alfresco.service.cmr.search.SearchService</value>
        </property>
        <property name="target">
            <ref bean="searchService"/>
        </property>
        <property name="interceptorNames">
            <list>
                <idref local="SearchService_transaction"/>
                <idref local="AuditMethodInterceptor"/>
                <idref local="exceptionTranslator"/>
            </list>
        </property>
    </bean>
… many ways to skin the cat
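
The AuthenticationUtil.runAs route from the reply above, as an added example (not code posted in this thread or shipped with Alfresco): the search runs as the system user only inside the callback, the query is built from an aspect QName rather than user-typed text, and only cm:name values are returned. The class and method names are hypothetical, and it assumes an Alfresco version that provides AuthenticationUtil.getSystemUserName() with the public SearchService and NodeService beans injected.

```java
import java.util.ArrayList;
import java.util.List;

import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.search.ResultSet;
import org.alfresco.service.cmr.search.SearchService;
import org.alfresco.service.namespace.QName;

/** Hypothetical helper: lists nodes carrying one aspect, regardless of the caller's ACLs. */
public class AspectExistenceSearch {
    private final SearchService searchService; // public "SearchService" bean (injected)
    private final NodeService nodeService;     // public "NodeService" bean (injected)

    public AspectExistenceSearch(SearchService searchService, NodeService nodeService) {
        this.searchService = searchService;
        this.nodeService = nodeService;
    }

    /** Returns only the cm:name of each match; no NodeRef or other property leaves the elevated scope. */
    public List<String> namesWithAspect(final QName aspect) {
        return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<List<String>>() {
            public List<String> doWork() throws Exception {
                // The query is derived from a QName, never from free text typed by the user.
                String query = "ASPECT:\"" + aspect.toString() + "\"";
                StoreRef store = new StoreRef(StoreRef.PROTOCOL_WORKSPACE, "SpacesStore");
                ResultSet results = searchService.query(store, SearchService.LANGUAGE_LUCENE, query);
                try {
                    List<String> names = new ArrayList<String>();
                    for (NodeRef ref : results.getNodeRefs()) {
                        names.add((String) nodeService.getProperty(ref, ContentModel.PROP_NAME));
                    }
                    return names;
                } finally {
                    results.close(); // always release the underlying index resources
                }
            }
        }, AuthenticationUtil.getSystemUserName());
    }
}
```

Because the elevated identity is dropped as soon as runAs returns, any later attempt to open a listed node is still evaluated against the real user's permissions.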

vinhqchu
Champ in-the-making
thank you derek, i was able to use the AuthenticationUtil.runAs for my solution