Share document permissions in sites

castle
Champ in-the-making
Hi,

I have several sites with share and each with its own Document Library. I can manage the permissions via share with the groups Manager, Contributor, Consumer.
For one folder I disable all the permissions by setting No privileges to all the groups.
Like that only managers of the site can see the folder and its content … right. I copy the url to download a document inside the folder
http://xxxx/share/proxy/alfresco/api/node/content/workspace/xxxx?a=true

Then I log in to Share with another user, not a member of the site, and pasting the URL in the browser I can download the document to which theoretically I have no permissions at all. I can download any document of any site knowing the path.

Is that the normal behaviour?

Thanks in advance
4 REPLIES

mikeh
Star Contributor
I've just tested this and it works as expected.

I created a "managers only" folder and uploaded a file.
Then on the folder -> manage permissions -> set all to "No privileges"
I then grabbed the file's URL into the clipboard.

I checked the permissions via the Repository browser: Inherited off, site_site1_SiteManagers only set.

Then, logged in as a user with a consumer role, checked I couldn't see the "managers only" folder - ok.
Then pasted the URL into a browser window and received an "Access Denied" error.


Could your second attempt have been cached maybe? What happens if you use a different browser, or force-refresh? Also, perform the checks as I did above.

Thanks,
Mike

castle
Champ in-the-making
Hi,

Thank you for trying, MikeH.
I'm trying from different browsers and looking at the logs; the users log in as expected. How can I see which user is really requesting the file from the webscript?

There is something wrong with my configuration. I thought access control was performed by the java backend of the webscript … isn't it?

I'm using SSO + LDAP with a home-made authenticator. Maybe the problem is that my endpoint is http://xxx:8080/alfresco/s instead of http://xxx:8080/alfresco/wcs.
I tried to change that but I got an error.

Does anyone know how this access control works?

Thank you

castle
Champ in-the-making
Hi,

I've just enabled the logs and checked everything was going as expected with the users.

Checking the source files to follow the logs, I just found this at

http://svn.alfresco.com/repos/alfresco-open-mirror/alfresco/HEAD/root/projects/remote-api/source/jav...

    protected void streamContent(WebScriptRequest req, WebScriptResponse res, NodeRef nodeRef, QName propertyQName, 
                boolean attach, String attachFileName) throws IOException
    {
        if (logger.isDebugEnabled())
            logger.debug("Retrieving content from node ref " + nodeRef.toString() + " (property: " + propertyQName.toString() + ") (attach: " + attach + ")");

        // TODO
        // This was commented out to accomadate records management permissions.  We need to review how we cope with this
        // hard coded permission checked.
       
        // check that the user has at least READ_CONTENT access - else redirect to the login page
//        if (permissionService.hasPermission(nodeRef, PermissionService.READ_CONTENT) == AccessStatus.DENIED)
//        {
//            throw new WebScriptException(HttpServletResponse.SC_FORBIDDEN, "Permission denied");
//        }
      

The access control part is commented in the streamContent class … is that normal?

Regards

castle
Champ in-the-making
Hi,

For the record.
I've downloaded the source code (3.3g rev 20557) and commented out the lines for the access control, rebuilt the jar file, and now I'm getting the expected result, "Permission denied".

Regards
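
The thread's finding can be turned into a repeatable check: request each restricted content URL directly as a user outside the site and treat any HTTP 200 as a failure, since hiding the folder in Share says nothing about what the content webscript enforces. The following is an added example, not code from the thread or from Alfresco; the local stub server, the node path, the user names and the use of Basic authentication are all constructed assumptions.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: node path -> users allowed to read its content.
ACL = {"/api/node/content/workspace/managers-only-doc": {"manager1"}}

def make_stub(enforce):
    """Local stand-in for the content webscript. enforce=False models the
    build in which the READ_CONTENT check is commented out."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            raw = self.headers.get("Authorization", "")[len("Basic "):]
            user = base64.b64decode(raw).decode().split(":", 1)[0]
            path = self.path.split("?", 1)[0]
            if path not in ACL:
                self.send_response(404)
            elif enforce and user not in ACL[path]:
                self.send_response(403)   # server-side check, independent of the UI
            else:
                self.send_response(200)
            self.end_headers()
        def log_message(self, *args):     # keep the run quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def status_for(base, path, user, password="x"):
    """HTTP status a given user receives for a direct content URL."""
    req = urllib.request.Request(base + path + "?a=true")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def leaked_nodes(base, restricted_paths, outsider):
    """Restricted paths the outsider can still download (should be empty)."""
    return [p for p in restricted_paths if status_for(base, p, outsider) == 200]

def run_against_stub(enforce, outsider="consumer1"):
    server = make_stub(enforce)
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return leaked_nodes(base, sorted(ACL), outsider)
    finally:
        server.shutdown()
        server.server_close()
```

To run the same check against a real instance, call `leaked_nodes` with that instance's base URL and adapt `status_for` to however the deployment authenticates (the original poster used SSO, which Basic authentication here does not model).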