
CMIS and Records Management

sammasue
Champ in-the-making
Hello,

I tried CMIS with Records Management; however, I get a very frequent error when I select records:

org.apache.chemistry.opencmis.commons.exceptions.CmisPermissionDeniedException: Permission denied: 08220365 Access Denied


I identified a possible cause:


CMISResultSet rs = getOpenCMISQueryService().query(options);

This piece of code executes the query but does not check the RM permissions.

However, this other piece of code, which is executed afterwards, throws the exception (due to permissions):

for (CMISResultSetRow row : rs) {
    // some code …
    Map<String, Serializable> values = row.getValues();
}


In my opinion it is a bit strange: if I don't have permissions on a record, then it shouldn't be in the resultSet.

Does someone have an idea?

Thanks

Sam





sammasue
Champ in-the-making
I progressed a bit on this topic. And I found out this bean is responsible:


   <bean id="search.adm.luceneQueryEngineSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property>
        <property name="objectDefinitionSource">
            <value>
               org.alfresco.repo.search.impl.querymodel.QueryEngine.executeQuery=ACL_ALLOW,AFTER_ACL_NODE.sys:base.Read
               org.alfresco.repo.search.impl.querymodel.QueryEngine.getQueryModelFactory=ACL_ALLOW
            </value>
        </property>
    </bean>


Indeed this bean does not check the permissions for RM.

I would like to override this bean config and add RM_ALLOW,AFTER_RM.FilterNode to the list but I tried many things and all failed. Does someone know how to do it?

PS: this bean is defined in cmis-api-context.xml and/or opencmis-context.xml.

Sam.

Have a look for "rm-method-security.properties" in the RM code.

I would try adding the following ..

rm.methodsecurity.org.alfresco.repo.search.impl.querymodel.QueryEngine.executeQuery=RM_ALLOW,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.repo.search.impl.querymodel.QueryEngine.getQueryModelFactory=RM_ALLOW

This will ensure that when the node in hand is an RM artifact that these method level security checks are performed, rather than the standard DM ones.

Hope this helps.  We should add an easier way to extend this!

Cheers,
Roy

As a follow up …

The following bean definition …

<bean id="rm-method-security-properties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
    <property name="locations">
        <list>
            <value>classpath*:alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties</value>
            <!-- Override -->
            <value>classpath*:alfresco/extension/rm-method-security.properties</value>
        </list>
    </property>
</bean>
.. implies that you can add your own custom rm-method-security.properties in the extensions directory.  This might be preferable to modifying the core implementation.

Cheers,
Roy
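
A deployment check for the override described in the replies above, as an added example that is not from the original posts or from Alfresco: it merges the two properties locations in list order (later locations win on duplicate keys) and reports which methods guarded by the interceptor still lack an `rm.methodsecurity.` entry. The function names are hypothetical, the parser handles plain key=value lines only, and the core-file content is a constructed stand-in.

```python
PREFIX = "rm.methodsecurity."  # key prefix shown in the reply above

# objectDefinitionSource value of search.adm.luceneQueryEngineSecurity (from the post)
DM_SOURCE = """
org.alfresco.repo.search.impl.querymodel.QueryEngine.executeQuery=ACL_ALLOW,AFTER_ACL_NODE.sys:base.Read
org.alfresco.repo.search.impl.querymodel.QueryEngine.getQueryModelFactory=ACL_ALLOW
"""

# Constructed stand-in for the module's own file; the key below is made up.
CORE_SAMPLE = "rm.methodsecurity.com.example.SampleService.get=RM_ALLOW\n"

# Content suggested for alfresco/extension/rm-method-security.properties
EXTENSION = """
rm.methodsecurity.org.alfresco.repo.search.impl.querymodel.QueryEngine.executeQuery=RM_ALLOW,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.repo.search.impl.querymodel.QueryEngine.getQueryModelFactory=RM_ALLOW
"""

def parse_properties(text):
    """Parse simple key=value lines (no continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def merge_locations(*texts):
    """Merge locations in list order; a later location overrides an earlier one."""
    merged = {}
    for text in texts:
        merged.update(parse_properties(text))
    return merged

def audit(object_definition_source, rm_props):
    """Map each method guarded by the interceptor to its RM rule, or None if missing."""
    return {method: rm_props.get(PREFIX + method)
            for method in parse_properties(object_definition_source)}

if __name__ == "__main__":
    for label, props in (("core only", merge_locations(CORE_SAMPLE)),
                         ("core + extension", merge_locations(CORE_SAMPLE, EXTENSION))):
        for method, rule in audit(DM_SOURCE, props).items():
            print(f"[{label}] {method}: {rule or 'NO RM RULE'}")
```
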

sammasue
Champ in-the-making
Hello Roy,

Thank you a lot for your help. It works perfectly.

Sam