02-26-2020 10:13 AM
Hello. I did everything step by step as in https://docs.alfresco.com/6.1/tasks/site-creation-permission.html, but when I try to create a site, a user who doesn't have the specific group can create a site.
02-26-2020 10:58 AM
02-26-2020 11:16 AM
A couple of things: are you trying to create the site as Admin, or is the user a general user? Did you verify whether the context file is configured properly to get loaded by the Spring IoC container? Can you cross-check all the steps again to see if there is anything missing?
The document here: https://docs.alfresco.com/6.1/tasks/site-creation-permission.html works as expected when configured. As mentioned in the document, ACL_METHOD.ROLE_ADMINISTRATOR executes a method that allows access to users who are members of the administrator group. That means only users who are part of the administrator group can create sites.
Another example apart from the document: if you have a custom group, e.g. GROUP_SITE_ADMINISTRATORS, and you want to allow only users who are part of this group to create/delete sites, then as per the document steps you can do the following:
<beans>
  <bean id="SiteService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
    <property name="authenticationManager">
      <ref bean="authenticationManager" />
    </property>
    <property name="accessDecisionManager">
      <ref bean="accessDecisionManager" />
    </property>
    <property name="afterInvocationManager">
      <ref bean="afterInvocationManager" />
    </property>
    <!-- Allow site creation for the users who only part of SITE_ADMINISTRATORS group only
         and allow site deletion only for GROUP_SITE_ADMINISTRATORS.
         Sites Manager is available to users in the ALFRESCO_ADMINISTRATORS and SITES_ADMINISTRATORS permissions groups.
         If you are in the ALFRESCO_ADMINISTRATORS group, you can access the Site Manager through the Admin Tools on the Alfresco toolbar.
         If you are a member of SITE_ADMINISTRATORS group, you'll have an additional Sites Manager option on the Alfresco toolbar. -->
    <property name="objectDefinitionSource">
      <value>
        org.alfresco.service.cmr.site.SiteService.cleanSitePermissions=ACL_NODE.0.sys:base.ReadProperties
        org.alfresco.service.cmr.site.SiteService.createContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
        org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.GROUP_SITE_ADMINISTRATORS
        org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.GROUP_SITE_ADMINISTRATORS
        org.alfresco.service.cmr.site.SiteService.findSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
        org.alfresco.service.cmr.site.SiteService.getContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
        org.alfresco.service.cmr.site.SiteService.listContainers=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
        org.alfresco.service.cmr.site.SiteService.getMembersRole=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.getMembersRoleInfo=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.resolveSite=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.getSite=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
        org.alfresco.service.cmr.site.SiteService.getSiteShortName=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
        org.alfresco.service.cmr.site.SiteService.getSiteGroup=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.getSiteRoleGroup=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.getSiteRoles=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.getSiteRoot=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
        org.alfresco.service.cmr.site.SiteService.hasContainer=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.hasCreateSitePermissions=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.hasSite=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.isMember=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.listMembers=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.listMembersInfo=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.listMembersPaged=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.listSiteMemberships=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.listSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
        org.alfresco.service.cmr.site.SiteService.listSitesPaged=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
        org.alfresco.service.cmr.site.SiteService.removeMembership=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.canAddMember=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.setMembership=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.updateSite=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.countAuthoritiesWithRole=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.isSiteAdmin=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.*=ACL_DENY
      </value>
    </property>
  </bean>
</beans>
Apart from this, you can also restrict the create site action in Share at the various places where the create site option is available, by following the steps given below.
Create an extension (e.g. site-action-restrictions-extension.xml) under <yourShareModule>/src/main/resources/alfresco/web-extension/site-data/extensions/ folder:
<extension>
  <modules>
    <module>
      <!-- Disable site creation link for everyone who is not part of SITE_ADMINISTRATORS group -->
      <id>Site Restrictions</id>
      <version>1.0</version>
      <auto-deploy>true</auto-deploy>
      <evaluator type="group.module.evaluator">
        <params>
          <groups>GROUP_SITE_ADMINISTRATORS</groups>
          <groupRelation>AND</groupRelation>
          <negate>true</negate>
        </params>
      </evaluator>
      <customizations>
        <customization>
          <!-- extension for my-sites dashlet -->
          <targetPackageRoot>org.alfresco.components.dashlets</targetPackageRoot>
          <sourcePackageRoot>com.siterestrictions.components.dashlets</sourcePackageRoot>
        </customization>
        <customization>
          <!-- extension for share header -->
          <targetPackageRoot>org.alfresco.share.header</targetPackageRoot>
          <sourcePackageRoot>com.siterestrictions.share.header</sourcePackageRoot>
        </customization>
        <customization>
          <!-- extension for faceted search page -->
          <targetPackageRoot>org.alfresco.share.pages.faceted-search</targetPackageRoot>
          <sourcePackageRoot>com.siterestrictions.share.pages.faceted-search</sourcePackageRoot>
        </customization>
      </customizations>
    </module>
  </modules>
</extension>
Create "my-sites.get.js" file under <yourShareModule>/src/main/resources/alfresco/web-extension/site-webscripts/com/siterestrictions/components/dashlets/ folder:
Add the following line of code:
// Disable site creation link for everyone who is not part of SITE_ADMINISTRATORS group
model.showCreateSite = false;
Create "share-header.get.js" file under <yourShareModule>/src/main/resources/alfresco/web-extension/site-webscripts/com/siterestrictions/share/header/ folder:
Add the following line of code:
// Disable site creation link for everyone who is not part of SITE_ADMINISTRATORS group
var sitesMenu = widgetUtils.findObject(model.jsonModel, "id", "HEADER_SITES_MENU");
if (sitesMenu) {
  sitesMenu.config.showCreateSite = false;
}
Create "faceted-search.get.js" file under <yourShareModule>/src/main/resources/alfresco/web-extension/site-webscripts/com/siterestrictions/share/pages/faceted-search/ folder.
Add the following line of code:
// Disable site creation link for everyone who is not part of SITE_ADMINISTRATORS group
var sitesMenu = widgetUtils.findObject(model.jsonModel, "id", "HEADER_SITES_MENU");
if (sitesMenu) {
  sitesMenu.config.showCreateSite = false;
}
To learn more about extensions, refer to the following documents:
https://docs.alfresco.com/5.2/concepts/dev-extensions-share-surf-extension-modules.html
https://docs.alfresco.com/5.2/concepts/dev-extensions-share-override-ootb-surf-webscripts.html
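An added example, not part of the original answer or of Alfresco's code: a Python check that reads the SiteService_security bean from a context file and reports whether createSite and deleteSite are limited to one group and the catch-all ACL_DENY entry is present. The embedded XML is a constructed, trimmed copy of the bean above and the function names are hypothetical; it inspects the file's contents only, not whether Spring actually loaded the file.

```python
import xml.etree.ElementTree as ET

PREFIX = "org.alfresco.service.cmr.site.SiteService."

# Constructed sample: a trimmed copy of the bean shown in the answer above.
SAMPLE_CONTEXT = """<beans>
  <bean id="SiteService_security"
        class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
    <property name="objectDefinitionSource">
      <value>
        org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.GROUP_SITE_ADMINISTRATORS
        org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.GROUP_SITE_ADMINISTRATORS
        org.alfresco.service.cmr.site.SiteService.getSite=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
        org.alfresco.service.cmr.site.SiteService.*=ACL_DENY
      </value>
    </property>
  </bean>
</beans>"""


def local(tag):
    """Drop an XML namespace so DTD-style and schema-style files both match."""
    return tag.rsplit("}", 1)[-1]


def parse_method_acls(context_xml, bean_id="SiteService_security"):
    """Return {method name: [rule tokens]} from the bean's objectDefinitionSource."""
    acls = {}
    for bean in ET.fromstring(context_xml).iter():
        if local(bean.tag) != "bean" or bean.get("id") != bean_id:
            continue
        for prop in bean:
            if local(prop.tag) != "property" or prop.get("name") != "objectDefinitionSource":
                continue
            text = "".join(prop.itertext())
            for entry in text.split():  # entries contain no whitespace
                name, sep, rule = entry.partition("=")
                if sep and name.startswith(PREFIX):
                    acls[name[len(PREFIX):]] = rule.split(",")
    return acls


def audit(acls, group, guarded=("createSite", "deleteSite")):
    """List entries that would not limit the guarded methods to `group` (strict match)."""
    findings = []
    for method in guarded:
        rule = acls.get(method)
        if rule != ["ACL_METHOD." + group]:
            shown = ",".join(rule) if rule else "no entry"
            findings.append(f"{method}: {shown}")
    if acls.get("*") != ["ACL_DENY"]:
        findings.append("*: catch-all ACL_DENY entry missing")
    return findings
```

The Share extension module in the answer only hides the create-site links; the repository-side bean checked here is what enforces the restriction.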