
Security and permission vs roles on spaces: is there a bug?

federico_tesei
Champ in-the-making
Hi, I'm developing on this stack:

Alfresco 2.1 Community on JBoss 4.2 GA.

I'm experiencing a strange behaviour that I suspect may be a bug, and I'm asking for help
to clarify whether I'm mistaken instead.

Scenario:

I've defined:

a) three spaces   [ Collector ]  [ Draft ]  [ Pending Approval ]  

b) two groups { Providers } { Editors }

c) two simple workflow actions on the spaces:

load on Collector, which moves from 'Collector' to 'Draft'

submit on Draft, which moves from 'Draft' to 'Pending Approval'

d) two users:

provider belonging to {Providers } group

editor   belonging to { Editors } group

Invited

e) {providers } on [ Collector ] with contributor role

f) { Editors } on
      [ Collector ] with coordinator role  ( to have delete permission )
      [ Draft  ] with coordinator role  ( to have delete permission )
      [ Pending Approval ] with contributor role ( to have add but not edit permission )


g) log in as user provider, go to the [Collector] space and add content X
h) log out as provider
i) log in as user editor, go to the [Collector] space and perform the 'load' action on X; X is moved to the [Draft] space
j) go to the [Draft] space and perform the 'submit' action on X, which fails


Result:

I get the attached error on the web client / application server log:

I succeed if I invite {Editors} on [ Pending approval ] with the 'Collaborator' role instead. The difference between the Contributor and Collaborator roles is that Collaborator has edit permission added.
To move to [ Pending approval ] I do not need edit permission.
I think this is a bug in the Alfresco security policy. Isn't it?

Thanks for your help and for staying with me till here :)

federico
   


web client side :

Failed to approve the document due to system error: Unknown Exception in Transaction.


Application Server side:


2007-12-19 18:03:48,137 INFO  [STDOUT] 18:03:48,135 ERROR [ui.common.Utils] Failed to approve the document due to system error: Unknown Exception in Transaction.
org.alfresco.error.AlfrescoRuntimeException: Unknown Exception in Transaction.
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:292)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:155)
        at org.alfresco.web.bean.BaseDetailsBean.approve(BaseDetailsBean.java:556)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.myfaces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:132)
        at javax.faces.component.UICommand.broadcast(UICommand.java:89)
        at javax.faces.component.UIViewRoot._broadcastForPhase(UIViewRoot.java:97)
        at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:171)
        at org.apache.myfaces.lifecycle.InvokeApplicationExecutor.execute(InvokeApplicationExecutor.java:32)
        at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
        at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:139)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.alfresco.web.app.servlet.AuthenticationFilter.doFilter(AuthenticationFilter.java:81)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:595)
Caused by: javax.transaction.RollbackException: Transaction didn't commit: Access Denied.  You do not have the appropriate permissions to perform this operation.
        at org.alfresco.util.transaction.SpringAwareUserTransaction.commit(SpringAwareUserTransaction.java:430)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:239)
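
The trace above shows the web client reporting only "Unknown Exception in Transaction" while the permission failure sits in the last "Caused by" line. As an added example (not part of the original post and not Alfresco code), this Python sketch walks each logged exception chain and flags events whose root cause is an access denial; the second log event and all function names are constructed for illustration.

```python
import re

# Constructed sample: first event shaped like the trace in the post (frames shortened),
# second event invented to show a non-permission failure behind the same UI message.
SAMPLE_LOG = """\
2007-12-19 18:03:48,137 INFO  [STDOUT] 18:03:48,135 ERROR [ui.common.Utils] Failed to approve the document due to system error: Unknown Exception in Transaction.
org.alfresco.error.AlfrescoRuntimeException: Unknown Exception in Transaction.
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:292)
        at org.alfresco.web.bean.BaseDetailsBean.approve(BaseDetailsBean.java:556)
Caused by: javax.transaction.RollbackException: Transaction didn't commit: Access Denied.  You do not have the appropriate permissions to perform this operation.
        at org.alfresco.util.transaction.SpringAwareUserTransaction.commit(SpringAwareUserTransaction.java:430)
2007-12-19 18:05:10,002 INFO  [STDOUT] 18:05:10,001 ERROR [ui.common.Utils] Failed to approve the document due to system error: Unknown Exception in Transaction.
org.alfresco.error.AlfrescoRuntimeException: Unknown Exception in Transaction.
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:292)
Caused by: java.lang.IllegalStateException: constructed non-permission failure
"""

EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
EXC_LINE = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error)): ?(.*)$")

def split_events(text):
    """Group lines into events; a timestamped line opens a new event."""
    events, current = [], None
    for line in text.splitlines():
        if EVENT_START.match(line):
            current = [line]
            events.append(current)
        elif current is not None:
            current.append(line)  # stack frames and "Caused by" lines
    return events

def triage(text):
    """Report wrapper vs. root exception per event and flag access denials."""
    findings = []
    for ev in split_events(text):
        chain = [m.groups() for m in map(EXC_LINE.match, ev[1:]) if m]
        if not chain:
            continue
        (wrapper, _), (root, msg) = chain[0], chain[-1]
        findings.append({
            "timestamp": ev[0][:23],
            "wrapper": wrapper,          # what the UI message reflects
            "root_exception": root,      # last "Caused by" in the chain
            "access_denied": "access denied" in msg.lower(),
        })
    return findings
```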



rivetlogic
Champ on-the-rise
Hi,

The problem you're seeing is not a bug. What's happening is that when you execute a simple workflow, you execute it as the currently logged in user. So that user must be able to create files in order for the move to succeed.

There are ways to work around this and you might find this post useful.

Hope this helps,

-Aladdin

federico_tesei
Champ in-the-making
Thanks Rivet,
I'll study your suggestion carefully. But from the Alfresco PACKT book on page 80, the 'Create Content within space' permission is granted to Contributor, so I do not understand why I have to use the more powerful permission of the Collaborator role.

Thanks anyway

federico