ACL + automation chain: Document.SetACL doesn't use MVEL (user) as I would

Hello,

I tested this code on Nuxeo 5.6

http://doc.nuxeo.com/display/Studio/Move+a+Document+with+security+constraints

Document.SetACL :

It's impossible to use the MVEL language on the attribute "user", even if there is an MVEL selector near this attribute.

Indeed, I tested it and saw that none of the MVEL code is interpreted by the server.

This is a big problem because set.acl becomes useless. It's impossible to use it only with "constant values".

Example: @{Context.principal.name} or @{CurrentUser.principal.name} or @{Context["thisuser"]}

Do you have the same problem ?

Do you know where to find the Java code of this operation? Thanks

PS - modification: I translated my question into English and completed it with the example

PS: the existing code of set.acl: http://hg.nuxeo.org/nuxeo/nuxeo-features/diff/0cc0116fde8a/nuxeo-automation/nuxeo-automation-core/src/main/java/org/nuxeo/ecm/automation/core/operations/document/SetDocumentACE.java


ANSWER

What exact parameters are you using in your operation? MVEL usage is generic in operations, it should work everywhere.
01/18/2013

Thank you for your answer.

Examples: @{Context.principal.name} or @{CurrentUser.principal.name} or @{Context["thisuser"]}

01/18/2013



Hello,

I solved this problem with this explanation:
A) I used @{CurrentUser.name} (thanks to the Nuxeo team's help) to save the current user's login
B) ACLs are visible in the "inheritance right" view in the interface

Context:

  • A user lambda has no rights on a workspace.
  • An automation chain has to add TEMPORARY rights to allow adding a file in this workspace
  • and grant the ReadWrite right on this created file.

1) SOLUTION OF RIGHT TO USE “SET ACL”

User lambda has no permission to use the set.acl operation.
==> Need to LoginAs temporarily as Administrator.
==> but save the “login” of the currentUser, first.

  1. Save user login : Execution Context || Set Context Variable || name=loginUser ; value=@{CurrentUser.originatingUser!=null && CurrentUser.originatingUser!=''?CurrentUser.originatingUser:CurrentUser.name}
  2. Users & Group || Login As || name=Administrator
  3. Do set.acl operations HERE on @{loginUser}.
  4. Users & Group || Logout
  5. Do operations for current user.

2) SOLUTION OF WHICH ACL TO CHOOSE TO ADD A FILE IN A WORKSPACE WITHOUT ANY RIGHT

Need 2 rights:

  • Document || Set ACL || permission=ReadWrite ; user=@{loginUser} ; acl=new ; grant=true ; overwrite=true
  • Document || Set ACL || permission=AddChildren ; user=@{loginUser} ; acl=new ; grant=true ; overwrite=true

3) SOLUTION OF DELETE TEMPORARY ACL

  • Need to keep an ACL on the created file => set field acl="local" or acl="othervalue" as you need.
  • Remove ACL "new", with the workspace where you had rights as INPUT for "remove ACL"
    • Document || Remove ACL || acl=new

Hope it helps

Milonette
