Adding Unlock permission to a specific group doesn't work

pnux_
Confirmed Champ

Hello,

I use Nuxeo 10.10 with PostgreSQL 11. I try to add an "unlock" permission to a group named "gestionnaire". Users in this group can read, write and **unlock** documents.

What I have done:

I deployed a contribution following https://doc.nuxeo.com/nxdoc/1010/how-to-grant-the-edit-permission-without-the-remove-permission/

```xml
<component name="fr.my.project.permissions">
	<require>org.nuxeo.runtime.started</require>
	<!-- Custom permission: ReadWrite plus Unlock -->
	<extension target="org.nuxeo.ecm.core.security.SecurityService" point="permissions">
		<permission name="ReadWriteAndUnlock">
			<include>ReadWrite</include>
			<include>Unlock</include>
		</permission>
	</extension>

	<!-- https://github.com/nuxeo/nuxeo/blob/master/nuxeo-core/nuxeo-core/src/main/resources/OSGI-INF/permiss... -->
	<extension target="org.nuxeo.ecm.core.security.SecurityService" point="permissionsVisibility">
		<visibility>
			<item order="10" show="true">Read</item>
			<item order="50" denyPermission="Write" show="true">ReadWrite</item>
			<item order="55" denyPermission="Unlock" show="true">ReadWriteAndUnlock</item>
			<item order="100" show="true">Everything</item>
		</visibility>
	</extension>
</component>
```

On the repository, I added permissions on the workspace.

_What I expect_:

A user in the default "members" group can lock a document he created. (So he can unlock it too.) A user in the "manager" group can unlock a document locked by a user of the "members" group (because I had unlock permission).

The problem:

A user in the "manager" group **can't** unlock a document locked by a user of the "members" group. No unlock button is displayed in Web UI.

What did I miss?

Thank you.

5 REPLIES

Gregory_Carlin
Elite Collaborator

This is probably due to the fact that the element displaying the lock and unlock action is filtering with the "Write" permission: https://github.com/nuxeo/nuxeo-ui-elements/blob/08fd256fb4e7775375c176892098baec21fe302d/actions/nux...

pnux_
Confirmed Champ

🙂 Thank you for your fast answer, but my new permission "ReadWriteAndUnlock" includes the write permission (ReadWrite):

```xml
<permission name="ReadWriteAndUnlock">
	<include>ReadWrite</include>
	<include>Unlock</include>
</permission>
```

How can I implement this scenario? I don't want my managers to have administrator privileges only to unlock a document.

Thank you

I suggest you make a JSON export of the document to be sure about the permissions which are set on it, and check with the browser console what's happening exactly (with breakpoints and co).

pnux_
Confirmed Champ

I have checked the JSON export of the document when it is **locked** by another user.

Here they are:

"permissions": [ "ReadProperties", "ReadSecurity", "ReadVersion", "Read", "ReadChildren", "ReadLifeCycle", "ReviewParticipant", "Unlock", "ReadWrite", "Browse", "ReadWriteAndUnlock" ]

When the document is unlocked, I have the following permissions:

"permissions": [ "Write", "WriteVersion", "ReadProperties", "ReadSecurity", "Remove", "ReadVersion", "Read", "WriteLifeCycle", "ReadChildren", "AddChildren", "ReadLifeCycle", "RemoveChildren", "ReviewParticipant", "Unlock", "ReadWrite", "Browse", "ReadWriteAndUnlock", "WriteProperties", "ManageWorkflows" ]

I think the problem is similar to this old one (for JSF UI): https://jira.nuxeo.com/browse/NXP-15232

What do you think?

pnux_
Confirmed Champ

Okay, I made a little patch and it works. My user in the "gestionnaire" group can unlock the doc.

```js
_isAvailable(doc) {
  return doc && !doc.isVersion &&
    (this.hasPermission(doc, 'Unlock') || this.hasPermission(doc, 'Write')) &&
    !this.isImmutable(doc);
}
```

But I think it's not the correct way to do what I want.
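
Added example, not part of the original thread or of Nuxeo's code: a stand-alone model of the button's availability check, run against the two permission lists quoted above. It shows why a gate on "Write" hides the action for a document locked by another user while the patched gate shows it. The document shape, the helper stand-ins and the Write-only form of the original check are assumptions.

```javascript
// Added example (not Nuxeo code). Permission lists are copied from the two
// JSON exports quoted in this thread; the doc shape below is an assumption.
const LOCKED_BY_OTHER = [
  'ReadProperties', 'ReadSecurity', 'ReadVersion', 'Read', 'ReadChildren',
  'ReadLifeCycle', 'ReviewParticipant', 'Unlock', 'ReadWrite', 'Browse',
  'ReadWriteAndUnlock',
];
const UNLOCKED = [
  'Write', 'WriteVersion', 'ReadProperties', 'ReadSecurity', 'Remove',
  'ReadVersion', 'Read', 'WriteLifeCycle', 'ReadChildren', 'AddChildren',
  'ReadLifeCycle', 'RemoveChildren', 'ReviewParticipant', 'Unlock', 'ReadWrite',
  'Browse', 'ReadWriteAndUnlock', 'WriteProperties', 'ManageWorkflows',
];

// Hypothetical document stand-in: effective permissions plus the two flags
// the gate reads.
function makeDoc(permissions, { isVersion = false, facets = [] } = {}) {
  return { isVersion, facets, contextParameters: { permissions } };
}
// Stand-ins for the element's helpers of the same name (assumed behaviour).
const hasPermission = (doc, name) =>
  Boolean(doc.contextParameters && doc.contextParameters.permissions.includes(name));
const isImmutable = (doc) => doc.facets.includes('Immutable');

// Gate as described in the first reply: only "Write" is consulted (assumed form).
function gateWriteOnly(doc) {
  return Boolean(doc) && !doc.isVersion && hasPermission(doc, 'Write') && !isImmutable(doc);
}
// Gate as patched in the last post: "Unlock" or "Write".
function gatePatched(doc) {
  return Boolean(doc) && !doc.isVersion &&
    (hasPermission(doc, 'Unlock') || hasPermission(doc, 'Write')) && !isImmutable(doc);
}
// Permissions present on the unlocked document but missing once it is locked.
function droppedWhenLocked(unlocked, locked) {
  return unlocked.filter((p) => !locked.includes(p)).sort();
}
// One row per document state, showing what each gate decides.
function report() {
  return [['locked by another user', LOCKED_BY_OTHER], ['unlocked', UNLOCKED]]
    .map(([state, perms]) => {
      const doc = makeDoc(perms);
      return { state, writeOnly: gateWriteOnly(doc), patched: gatePatched(doc) };
    });
}

console.table(report());
console.log('dropped while locked:', droppedWhenLocked(UNLOCKED, LOCKED_BY_OTHER).join(', '));
```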