cancel
Showing results for 
Search instead for 
Did you mean: 

Does 'cmis:write' contain 'cmis:read'?

pascalvh
Champ in-the-making
Champ in-the-making
Hello,

I am writing a java client that uses Chemistry to talk to an Alfresco 5 Community server.


The client needs to get all principals that have the right to read a given cmis object. To get the ACL I use the following method call:

Acl acl =  session.getAcl(cmisObject, true);


So I only get basic CMIS Permissions and the alfresco specific permissions get mapped to them, what makes things quite easy.

But I am wondering if the "cmis:write" permission contains the "cmis:read" permission in a alfreso repository.

The book "CMIS and Apache Chemistry in action" says on page 348:
<cite>In almost all repositories, the cmis:write permission contains the cmis:read permission.</cite>

What is it like in an alfresco repository?

Thanks,
Pascal
3 REPLIES 3

mrogers
Star Contributor
Star Contributor
The answer is "it depends" since permissions in alfresco are configurable.

cmis:read and cmis:write map simply onto the repository read and write permissions. 

Write permission does not contain read permission.   So it is possible to configure permissions such that you could write but not read.   

However all the out of the box permission groups (Editor, Collaborator etc) that contain write permission all have read permission as a base so you would be deep into customising alfresco before you could get into a situation where write does not contain read.   

Alfresco also has an "owner" role whereby if you create some content then you get full control over your content.   That would need to be suppressed or removed since you would also get read (and write) permissions through your content ownership.

pascalvh
Champ in-the-making
Champ in-the-making
Thanks for your reply. I am not sure if I understand it right. Lets say the ACL I get from the mentioned API call contains an ACE that only has the permission "cms:write", but not "cms:read" and not "cms:all". Can I be sure that in this case the principal has NO right to read the document?

That would mean that for example there is a permission group configured in Alfresco like you mentioned, but because the API call does the mapping to the basic cmis permissions for me (because the second argument is "true"), I dont have to deal with that.

If that is not the case I wonder how I could figure out with CMIS which users or groups have read permissions.

mrogers
Star Contributor
Star Contributor
Its very unlikely that you will get cms:write without cms:read from alfresco.  To do so would require some fairly serious reconfiguration on your part.   

But if you do get cms:write without cmis:read then it means exactly that.
Getting started

Tags


Find what you came for

We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.