cancel
Showing results for 
Search instead for 
Did you mean: 

Controlling site creation permissions not work

sergus_dev
Confirmed Champ
Confirmed Champ

Hello. I do everything step by step https://docs.alfresco.com/6.1/tasks/site-creation-permission.html but when I try create site, user who doesn't have specific group he can create site.

2 REPLIES 2

angelborroy
Community Manager Community Manager
Community Manager

You can try this addon:

https://github.com/jpotts/share-site-creators

Hyland Developer Evangelist

abhinavmishra14
World-Class Innovator
World-Class Innovator

Couple of things, Are you trying to create the site as Admin or user is a general user ? Did you verified whether context file is configured properly to get loaded by spring ioc container? Can you cross check all the steps again to see if there is anything missing?

Document here: https://docs.alfresco.com/6.1/tasks/site-creation-permission.html works as expected when configured. As mentioned in document, ACL_METHOD.ROLE_ADMINISTRATOR executes a method that allows access to users who are members of the administrator group. Means, only users part of administrator group can create sites.

Another example apart form document, if you have a custom group e.g. GROUP_SITE_ADMINISTRATORS and you want to allow only users who are part of this group can create/delete site then as per the document steps you can do following:

<beans>
<bean id="SiteService_security"
class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager">
	<ref bean="authenticationManager" />
</property>
<property name="accessDecisionManager">
	<ref bean="accessDecisionManager" />
</property>
<property name="afterInvocationManager">
	<ref bean="afterInvocationManager" />
</property>
<!-- Allow site creation for the users who only part of SITE_ADMINISTRATORS 
	group only and allow site deletion only for GROUP_SITE_ADMINISTRATORS.
	Sites Manager is available to users in the ALFRESCO_ADMINISTRATORS 
	and SITES_ADMINISTRATORS permissions groups. 
	If you are in the ALFRESCO_ADMINISTRATORS group, you can access the Site Manager through the Admin Tools on the Alfresco 
	toolbar. If you are a member of SITE_ADMINISTRATORS group, you'll have an 
	additional Sites Manager option on the Alfresco toolbar. -->
<property name="objectDefinitionSource">
	<value>
		org.alfresco.service.cmr.site.SiteService.cleanSitePermissions=ACL_NODE.0.sys:base.ReadProperties
		org.alfresco.service.cmr.site.SiteService.createContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
		org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.GROUP_SITE_ADMINISTRATORS
		org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.GROUP_SITE_ADMINISTRATORS
		org.alfresco.service.cmr.site.SiteService.findSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
		org.alfresco.service.cmr.site.SiteService.getContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
		org.alfresco.service.cmr.site.SiteService.listContainers=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
		org.alfresco.service.cmr.site.SiteService.getMembersRole=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.getMembersRoleInfo=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.resolveSite=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.getSite=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
		org.alfresco.service.cmr.site.SiteService.getSiteShortName=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
		org.alfresco.service.cmr.site.SiteService.getSiteGroup=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.getSiteRoleGroup=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.getSiteRoles=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.getSiteRoot=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
		org.alfresco.service.cmr.site.SiteService.hasContainer=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.hasCreateSitePermissions=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.hasSite=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.isMember=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.listMembers=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.listMembersInfo=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.listMembersPaged=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.listSiteMemberships=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.listSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
		org.alfresco.service.cmr.site.SiteService.listSitesPaged=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
		org.alfresco.service.cmr.site.SiteService.removeMembership=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.canAddMember=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.setMembership=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.updateSite=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.countAuthoritiesWithRole=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.isSiteAdmin=ACL_ALLOW
		org.alfresco.service.cmr.site.SiteService.*=ACL_DENY
	</value>
</property>
</bean>
</beans>

Apart from this you can also restrict the create site action in share at various places where create site option is available, by following below given steps.

Create an extension (e.g. site-action-restrictions-extension.xml) under <yourShareModule>/src/main/resources/alfresco/web-extension/site-data/extensions/ folder:

<extension>
<modules>
<module>
	<!-- Disable site creation link for everyone who is not part of SITE_ADMINISTRATORS group -->
	<id>Site Restrictions</id>
	<version>1.0</version>
	<auto-deploy>true</auto-deploy>
	<evaluator type="group.module.evaluator">
		<params>
			<groups>GROUP_SITE_ADMINISTRATORS</groups>
			<groupRelation>AND</groupRelation>
			<negate>true</negate>
		</params>
	</evaluator>
	<customizations>
		<customization>
			<!-- extension for my-sites dashlet -->
			<targetPackageRoot>org.alfresco.components.dashlets</targetPackageRoot>
			<sourcePackageRoot>com.siterestrictions.components.dashlets</sourcePackageRoot>
		</customization>
		<customization>
			<!-- extension for share header -->
			<targetPackageRoot>org.alfresco.share.header</targetPackageRoot>
			<sourcePackageRoot>com.siterestrictions.share.header</sourcePackageRoot>
		</customization>
		<customization>
		  <!-- extension for faceted search page -->
		  <targetPackageRoot>org.alfresco.share.pages.faceted-search</targetPackageRoot>
		  <sourcePackageRoot>com.siterestrictions.share.pages.faceted-search</sourcePackageRoot>
		</customization>
	</customizations>
</module>
</modules>
</extension>

Create "my-sites.get.js" file under <yourShareModule>/src/main/resources/alfresco/web-extension/site-webscripts/com/siterestrictions/components/dashlets/ folder:

Add following line of code:

//Disable site creation link for everyone who is not part of SITE_ADMINISTRATORS group
model.showCreateSite = false;

Create "share-header.get.js" file under <yourShareModule>/src/main/resources/alfresco/web-extension/site-webscripts/com/siterestrictions/share/header/ folder:

Add following line of code:

//Disable site creation link for everyone who is not part of SITE_ADMINISTRATORS group
var sitesMenu = widgetUtils.findObject(model.jsonModel, "id", "HEADER_SITES_MENU");
if (sitesMenu) {
    sitesMenu.config.showCreateSite = false;
}

Create "faceted-search.get.js" file under <yourShareModule>/src/main/resources/alfresco/web-extension/site-webscripts/com/siterestrictions/share/pages/faceted-search/ folder.

Add following line of code:

//Disable site creation link for everyone who is not part of SITE_ADMINISTRATORS group
var sitesMenu = widgetUtils.findObject(model.jsonModel, "id", "HEADER_SITES_MENU");
if (sitesMenu) {
sitesMenu.config.showCreateSite = false;
}

To learn more on extensions, refer following documents:
https://docs.alfresco.com/5.2/concepts/dev-extensions-share-surf-extension-modules.html
https://docs.alfresco.com/5.2/concepts/dev-extensions-share-override-ootb-surf-webscripts.html

~Abhinav
(ACSCE, AWS SAA, Azure Admin)