ACL + automation chain : Document.SetACL doesn't use MVEL (user) as I would
Hello,
I tested this code on Nuxeo 5.6
http://doc.nuxeo.com/display/Studio/Move+a+Document+with+security+constraints
Document.SetACL :
It's impossible to use the MVEL language on the attribute “user” even if there is an MVEL selector near this attribute.
Indeed, I tested it and saw that none of the MVEL code is interpreted by the server.
This is a big problem because set.acl becomes useless. It's impossible to use it only with “constant values”.
Example: @{Context.principal.name} or @{CurrentUser.principal.name} or @{Context["thisuser"]}
Do you have the same problem ?
Do you know where to find the Java code of this operation? Thanks
PS - modification: I translated my question into English and completed it with the example
PS: the existing code of set.acl: http://hg.nuxeo.org/nuxeo/nuxeo-features/diff/0cc0116fde8a/nuxeo-automation/nuxeo-automation-core/src/main/java/org/nuxeo/ecm/automation/core/operations/document/SetDocumentACE.java
Hello,
I solved this problem with this explanation:
A) Used @{CurrentUser.name} (thanks to the Nuxeo team's help) to save the current user's login
B) ACLs are visible in the “inheritance right” view in the interface
Context:
- A lambda user has no rights on a workspace.
- An automation chain has to add TEMPORARY rights to allow adding a file in this workspace
- and grant the ReadWrite right on this created file.
1) SOLUTION OF RIGHT TO USE “SET ACL”
The lambda user has no permission to use the set.acl operation.
==> Need to LoginAs temporarily as Administrator.
==> but save the “login” of the currentUser, first.
- Save user login : Execution Context || Set Context Variable || name=loginUser ; value=@{CurrentUser.originatingUser!=null && CurrentUser.originatingUser!=''?CurrentUser.originatingUser:CurrentUser.name}
- Users & Group || Login As || name=Administrator
- Do set.acl operations HERE on @{loginUser}.
- Users & Group || Logout
- Do operations for current user.
2) SOLUTION OF WHICH ACL TO CHOOSE TO ADD A FILE IN A WORKSPACE WITHOUT ANY RIGHT
Need 2 rights:
- Document || Set ACL || permission=ReadWrite ; user=@{loginUser} ; acl=new ; grant=true ; overwrite=true
- Document || Set ACL || permission=AddChildren ; user=@{loginUser} ; acl=new ; grant=true ; overwrite=true
3) SOLUTION OF DELETE TEMPORARY ACL
- Need to keep an ACL on the created file => set field acl=“local” or acl=“othervalue” as you need.
- Remove ACL “new” with the workspace where you had rights, as INPUT for “remove ACL”
- Document || Remove ACL || acl=new
Hope it helps
Milonette
Examples: @{Context.principal.name} or @{CurrentUser.principal.name} or @{Context["thisuser"]}
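A small checker for the chain described in the answer above, added here as an example (it is not part of the original posts or of Nuxeo): it parses steps written in the `Category || Operation || params` notation and reports a Set ACL outside a Login As section, a Login As that is never closed by a Logout, and a temporary ACL (`new`) that is granted but never removed. The function names and both sample chains are constructed for illustration; the post does not say which user runs Remove ACL, so the checker does not judge that.

```python
def parse_step(line):
    """Return (operation, params) for one 'Category || Operation || k=v ; k=v' line."""
    parts = [p.strip() for p in line.lstrip("- ").split("||")]
    params = {}
    for pair in (parts[2].split(" ; ") if len(parts) > 2 else []):
        key, _, value = pair.partition("=")  # first '=' only: values may contain '!='
        params[key.strip()] = value.strip()
    return parts[1], params

def audit_chain(lines, temporary_acls=("new",)):
    """List findings: unprivileged Set ACL, missing Logout, temporary ACL left behind."""
    findings, elevated, pending = [], False, set()
    for n, line in enumerate(lines, 1):
        if "||" not in line:          # free-text step, nothing to check
            continue
        op, params = parse_step(line)
        if op == "Login As":
            elevated = True
        elif op == "Logout":
            elevated = False
        elif op == "Set ACL":
            if not elevated:
                findings.append(f"step {n}: Set ACL outside a Login As section")
            if params.get("grant") == "true" and params.get("acl") in temporary_acls:
                pending.add(params["acl"])
        elif op == "Remove ACL":
            pending.discard(params.get("acl"))
    if elevated:
        findings.append("chain ends while still logged in as another user")
    findings += [f"temporary ACL '{a}' is never removed" for a in sorted(pending)]
    return findings

# Constructed sample: the steps of the answer, in the order it gives them.
GOOD_CHAIN = [
    "Execution Context || Set Context Variable || name=loginUser ; value=@{CurrentUser.originatingUser!=null && CurrentUser.originatingUser!=''?CurrentUser.originatingUser:CurrentUser.name}",
    "Users & Group || Login As || name=Administrator",
    "Document || Set ACL || permission=ReadWrite ; user=@{loginUser} ; acl=new ; grant=true ; overwrite=true",
    "Document || Set ACL || permission=AddChildren ; user=@{loginUser} ; acl=new ; grant=true ; overwrite=true",
    "Users & Group || Logout",
    "Do operations for current user.",
    "Document || Remove ACL || acl=new",
]
# Constructed sample with the cleanup steps forgotten.
BAD_CHAIN = [
    "Document || Set ACL || permission=ReadWrite ; user=@{loginUser} ; acl=new ; grant=true ; overwrite=true",
    "Users & Group || Login As || name=Administrator",
    "Document || Set ACL || permission=AddChildren ; user=@{loginUser} ; acl=new ; grant=true ; overwrite=true",
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, audit_chain(chain))
```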