Search code examples
alfrescoopencmis

Alfresco permissions see list of node content but deny download

Is it possible to set up a permissionsDefinition.xml in alfresco that is not allowing GROUP_USERS to download files but see the list of content?

I've tried to set the config like this in the .xml file.

This is the original definition of the Read permission group:

<permissionGroup name="Read"  expose="true" allowFullControl="false">
    <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
    <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
    <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
</permissionGroup>

So the simple try was to just remove the permission to ReadContent, and change the group to this:

<permissionGroup name="Read"  expose="true" allowFullControl="false">
     <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
     <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
</permissionGroup>

According to this I created a new permissionGroup, like this:

<permissionGroup name="Reader" allowFullControl="false" expose="true" >
     <includePermissionGroup permissionGroup="Read" type="sys:base" />
     <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>      
 </permissionGroup>

And later this group was included twice, once in <permissionSet type="cm:content"/> and <permissionSet type="cm:folder"/>.

To test this I broke inheritence of the space and parent folder and created a new user who is only member of GROUP_USERS with the permission of reader.

The actual problem

While I can see the documents in query results I am not able to get an instance of the object with session.getObject(id). I always get an CmisRuntimeException with Message: Object Info is missing. As soon as I add ReadContent permission again, I am again able to get the object by Id.

So in order to get an instance of the object, I need to permit ReadContent, even I just want to get an instance of the object for read only tasks.

Solution

  • Yes, according to the documentation here

    When modifying access control, do not try to split ReadProperties and ReadContent. This does not make sense for search. A node and all of its properties, including content, are indexed as one entity. Splitting the evaluation of access for content and properties is not possible. Search would have to apply both criteria so as to not leak information. Other services, such as copy, may not behave as expected or may produce nodes in an odd state.