Ask Question
« General Questions on Nuxeo

Is it possible to know if a particular permission is grant anywhere in Nuxeo?

In our developpement in Nuxeo, we added some new permissions. We want to know if a particular permission is grant anywhere in Nuxeo for a specific user or group. Is it possible? If we look directly into the database, it's really easy to answer to the question with a simple query on acl table.

In Nxql, we would like to see something like that: Select * From Document WHERE ecm:acl='Our new permission' In this example, if this query returns result, we have at least one document where permission apply.

Thanks

maxr
Member (147)   1   2   2 		10/25/2012 ( History)
0 votes
3 answers
3491 views
ANSWER
adam_bo
what exactly do you want to do with the result or where do you plan to use it?
11/09/2012
maxr
I don't want to enter in details. I will try to summarize our needs.

First, we want to know if a particular permission is granted in Nuxeo for a specific user or group because, we want to grant access to a custom report(Contentview). The criteria to display the report is simple, if a user have the particular permission, the user can access to it. For the moment, we add a special group like the Nuxeo team did to give access to tab "Admin Center". This method works well but it's hard and boring to manage for administrators.

Second, in our custom reports(ContentView), we want to filter documents on a particular permission. With our permissions come some responsibility to the users. The reports display the documents when some conditions occurs. To summarize, in our reports, we to know which documents that they have these permissions and these conditions occurs. We don't want to display documents in our reports that the user can't do actions associated with our permission. Currently, to meet our needs, we do a NXQL query with an adapter to filter on permissions. It works for now, because we don't have a lot of data. It will be better to put the filter directly in the query.

I hope that is clear. As you see, we found solution to our problems, but it's not the best solutions. If you have suggestions, they will be really appreciated. Thanks a lot for your help.

11/09/2012
ANSWERS

Nuxeo doesn't support this at the moment.

Edit: You're describing two different use cases for what you call a permisison.

The first use case is checking if a user has a global setting that enables him to see or not a report. That's the notion of a Role, which you can easily apply to Nuxeo using a user group.

The second use case is doing a query and filtering on a permission other than Browse, and that's not supported, queries are only done on Browse by definition. If you want to filter documents by some kind of attribute, then just add a flag or attribute on the document. Don't use permissions for that.

Florent Guillaume
Member (36K)   6   8   8 		11/09/2012 ( History)
1 votes

The code below works in test context (mvn test) when we use the embeded database.

Does not work with the Postgresql database because the NXQLQueryMaker.buildQuery() internals don't take into account the permissions array when the dialect.supportsReadAcl() is true.

Should we fill a bug for this?

@Test
public void testQuery() throws Exception {

    String permission = "AM_CLASSIFY";
    SecurityService securityService = NXCore.getSecurityService();

    Principal principal = new PrincipalImpl(TEST_USER);

    String[] principalsToCheck = SecurityService
            .getPrincipalsToCheck(principal);
    QueryFilter qfilter = new QueryFilter(principal, principalsToCheck,
            new String[] { permission }, null,
            securityService.getPoliciesQueryTransformers(session
                    .getRepositoryName()), 1, 0); 

    Query query = ((AbstractSession) session).getSession().createQuery(
            "SELECT * FROM Document", Query.Type.NXQL);

    FilterableQuery filterableQuery = (FilterableQuery) query;
    QueryResult results = filterableQuery.execute(qfilter, false);
    assertTrue("No document matches", results.count() > 0); 

    principal = new PrincipalImpl(TEST_USER + "2");
    permission = "AM_DECLARE";
    principalsToCheck = SecurityService.getPrincipalsToCheck(principal);
    qfilter = new QueryFilter(principal, principalsToCheck,
            new String[] { permission }, null,
            securityService.getPoliciesQueryTransformers(session
                    .getRepositoryName()), 1, 0); 

    results = filterableQuery.execute(qfilter, false);
    assertTrue(results.count() > 0); 

}
patrek Turcotte
Member (1.6K)   2   4   5 		11/09/2012 ( History)
0 votes
Florent Guillaume
When the "read acl" optimizations are enabled, it is assumed that all queries are done only on the Browse permission, so it's not really a bug. As these optimizations are necessary for any large volume, let's just say that using the low-level Session APIs directly and doing your own QueryFilter filtering is not supported. Only CoreSession is a supported API.
11/12/2012

For instance you can create your ActionsBean class with proper functions. Then you should choose a xhtml context with your functions.

In your example probably you can use a standard query to execute your SQL, so it is easy to do. It will be a bit more complicated if your query have to be pure (without a permission filtration).

adam_bo
Member (2.8K)   2   4   7 		11/10/2012 ( History)
-2 votes
Follow
Tags
Linked Questions
Related Questions
Get all accesssible document of a user while being authenticated as Administrator PYTHON API
How to filter subview on a particular tab ?
Permission AddChildren needed for create document
Nuxeo silent upgrade possible ?
NXQL query for locked documents
Create a "Local rights" Edition layout
Nuxeo 6 - nx_update_read_acls never ending process and High CPU usage. NX freezes
CMIS query on new schema field created on Studio
How to configure default website theme?