
Simple Workflow and permission denied

may
Champ in-the-making
Hello,

I was reading through the posts in this forum but I couldn't find a similar problem. I have the following issue:

User A should be able to perform a simple workflow in space 1. This user should not have the rights to do anything further, like editing the document. The document should then be moved to another space. In this space 2 the user A can edit the document. I gave user A contributor rights on space 1 and coordinator rights on space 2 but I always get an error because of “Access Denied. You do not have the appropriate permissions to perform this operation”. What am I doing wrong?

Birgit

kaynezhang
World-Class Innovator
You mean you want User A to move the document from space 1 to another space in the workflow, and you gave user A contributor rights on space 1?
If your answer is yes,
then you definitely will get an "Access Denied" error.
That is because:
1. You want to move the document from space 1 to space 2 as user A, and in Alfresco the moveNode operation requires that the user has the permission to delete the node in the source folder (in your case space 1) and create it in the destination folder (in your case space 2).
2. And you gave User A contributor rights on space 1, which doesn't have the "DeleteNode" permission.

may
Champ in-the-making
Thank you for the reply - this was very helpful…

You were right, my answer would have been yes

Now I configured the rule so that the document won't be moved but copied to another space. Therefore no deleting is needed, but it still doesn't work. Or was my conclusion wrong that copying needs fewer rights than moving? In fact the user should have reduced rights in space 1 and all rights in space 2 once he initialized the simple workflow… Do you think there is another solution for this scenario?

kaynezhang
World-Class Innovator
Copying should need fewer rights than moving. Can you paste your code and exception here?
I'm not very clear about your requirement. I have some tentative suggestions, not much of scenario:
1. You can consider defining a custom permission and giving the user that custom permission on space 1; please visit http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Fconcepts%2Fsecur-permi...
2. You can also try to create a link in space 2 to the node in space 1.

Although I offered 2 tentative suggestions, you'd better consider your copying scenario first to see why it does not work and solve it.

may
Champ in-the-making
OK, I'll try to make my situation clearer - thanks for your patience

space 1:
- user A has contributor rights
- has a rule with a simple workflow to copy a file to space 2 (the rule is actually also named like this)
- user A can see and perform the simple workflow (see screenshot 1)

[img]https://forums.alfresco.com/sites/forums/files/screenshot1.png[/img]

space 2:
- user A has coordinator rights



When user A then clicks on the simple workflow "Copy File to Space 2", Alfresco gives me this error:



2014-05-08 08:35:46,989  ERROR [extensions.webscripts.AbstractRuntime] [http-bio-8080-exec-322] Exception from executeScript - redirecting to status template error: 04080069 Wrapped Exception (with status template): 04081669 Access Denied.  You do not have the appropriate permissions to perform this operation.
org.springframework.extensions.webscripts.WebScriptException: 04080069 Wrapped Exception (with status template): 04081669 Access Denied.  You do not have the appropriate permissions to perform this operation.
   at org.springframework.extensions.webscripts.AbstractWebScript.createStatusException(AbstractWebScript.java:1067)
   at org.springframework.extensions.webscripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:171)
   at org.alfresco.repo.web.scripts.RepositoryContainer$3.execute(RepositoryContainer.java:429)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:452)
   at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:491)
   at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:529)
   at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:341)
   at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:378)
   at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:209)
   at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:132)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
   at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
   at java.lang.Thread.run(Thread.java:724)
Caused by: org.alfresco.repo.security.permissions.AccessDeniedException: 04081669 Access Denied.  You do not have the appropriate permissions to perform this operation.
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:50)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:161)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.transaction.RetryingTransactionInterceptor$1.execute(RetryingTransactionInterceptor.java:79)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:452)
   at org.alfresco.repo.transaction.RetryingTransactionInterceptor.invoke(RetryingTransactionInterceptor.java:69)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
   at com.sun.proxy.$Proxy10.removeAspect(Unknown Source)
   at org.alfresco.repo.action.executer.TransitionSimpleWorkflowActionExecuter.executeImpl(TransitionSimpleWorkflowActionExecuter.java:132)
   at org.alfresco.repo.action.executer.ActionExecuterAbstractBase.execute(ActionExecuterAbstractBase.java:258)
   at org.alfresco.repo.action.ActionServiceImpl.directActionExecution(ActionServiceImpl.java:838)
   at org.alfresco.repo.action.ActionServiceImpl.executeActionImpl(ActionServiceImpl.java:738)
   at org.alfresco.repo.action.ActionServiceImpl.executeAction(ActionServiceImpl.java:572)
   at sun.reflect.GeneratedMethodAccessor1082.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:606)
   at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
   at org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor.invoke(AlwaysProceedMethodInterceptor.java:34)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:161)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
   at com.sun.proxy.$Proxy43.executeAction(Unknown Source)
   at org.alfresco.repo.web.scripts.rule.ActionQueuePost.executeImpl(ActionQueuePost.java:85)
   at org.springframework.extensions.webscripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:64)
   … 31 more
Caused by: net.sf.acegisecurity.AccessDeniedException: Access is denied.
   at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:86)
   at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:398)
   at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
   … 63 more
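
An added triage helper (not part of the original post, and not Alfresco code): it reads a Java stack trace like the one above and reports, for each AccessDeniedException section, the first proxied service method that was refused and the class that called it. The `com.sun.proxy.$Proxy` prefix is taken from the frames in this trace; `denied_calls` and `SAMPLE_TRACE` are hypothetical names, and the sample is a constructed excerpt of the trace above.

```python
import re

# Constructed sample: a handful of frames copied from the stack trace in the post above.
SAMPLE_TRACE = """\
org.springframework.extensions.webscripts.WebScriptException: 04080069 Wrapped Exception (with status template): 04081669 Access Denied.
   at org.springframework.extensions.webscripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:171)
Caused by: org.alfresco.repo.security.permissions.AccessDeniedException: 04081669 Access Denied.
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:50)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
   at com.sun.proxy.$Proxy10.removeAspect(Unknown Source)
   at org.alfresco.repo.action.executer.TransitionSimpleWorkflowActionExecuter.executeImpl(TransitionSimpleWorkflowActionExecuter.java:132)
   at org.alfresco.repo.action.ActionServiceImpl.executeAction(ActionServiceImpl.java:572)
   at com.sun.proxy.$Proxy43.executeAction(Unknown Source)
   at org.alfresco.repo.web.scripts.rule.ActionQueuePost.executeImpl(ActionQueuePost.java:85)
Caused by: net.sf.acegisecurity.AccessDeniedException: Access is denied.
   at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:86)
"""

# "at <class>.<method>(" frames and "Caused by: <exception class>" section headers.
FRAME = re.compile(r"^\s*at\s+([\w.$]+)\.([\w$<>]+)\(")
CAUSE = re.compile(r"^Caused by:\s+([\w.$]+)")


def denied_calls(trace):
    """Return (method, caller) for the innermost proxied call in each AccessDeniedException section."""
    results = []
    in_denied = False  # inside a "Caused by: ...AccessDeniedException" section
    pending = None     # proxied method name waiting for its caller frame
    found = False      # this section has already produced a result
    for line in trace.splitlines():
        cause = CAUSE.match(line)
        if cause:
            in_denied = cause.group(1).endswith("AccessDeniedException")
            pending, found = None, False
            continue
        frame = FRAME.match(line)
        if not (in_denied and frame) or found:
            continue
        cls, method = frame.groups()
        if pending is not None:
            # The frame right below the proxy frame is the code that made the call.
            results.append((pending, f"{cls}.{method}"))
            pending, found = None, True
        elif cls.startswith("com.sun.proxy.$Proxy"):
            pending = method
    return results
```

On the sample, the reported call is `removeAspect`, made from `TransitionSimpleWorkflowActionExecuter.executeImpl`.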


kaynezhang
World-Class Innovator
Your log file is truncated, please upload it as a file attachment.

may
Champ in-the-making
find attached my log file

kaynezhang
World-Class Innovator
I have tested in my environment as you said:
I created a test user and gave him contributor rights on space 1 and coordinator rights on space 1, then I logged in using the test user account and tried to copy a document from space 1 to space 2. I can do it without any error.
So please check if there are any other permissions set for user A, or for any groups that user A belongs to, on space 1 or space 2 or their parent folders.

may
Champ in-the-making
Now I'm completely clueless. I installed a new and fresh Alfresco without anything configured but the two spaces and a testuser with the rights described above, but I'm still getting the same error. I configure only the space itself and I always leave the "Inherent permission" and add - in the last test - the one and only testuser on the system with the above-described roles… Perhaps something is wrong with the way I do that?