Is it possible to know if a particular permission is granted anywhere in Nuxeo?

In our development in Nuxeo, we added some new permissions. We want to know if a particular permission is granted anywhere in Nuxeo for a specific user or group. Is it possible? If we look directly into the database, it's really easy to answer the question with a simple query on the acl table.

In NXQL, we would like to see something like this:

    Select * From Document WHERE ecm:acl='Our new permission'

In this example, if this query returns a result, we have at least one document where the permission applies.


0 votes

3 answers



What exactly do you want to do with the result, or where do you plan to use it?

I don't want to go into details. I will try to summarize our needs.

First, we want to know if a particular permission is granted in Nuxeo for a specific user or group because we want to grant access to a custom report (ContentView). The criterion to display the report is simple: if a user has the particular permission, the user can access it. For the moment, we add a special group like the Nuxeo team did to give access to the "Admin Center" tab. This method works well but it's hard and boring to manage for administrators.

Second, in our custom reports (ContentView), we want to filter documents on a particular permission. With our permissions comes some responsibility for the users. The reports display the documents when some conditions occur. To summarize, in our reports, we want to know which documents have these permissions and where these conditions occur. We don't want to display documents in our reports on which the user can't do the actions associated with our permission. Currently, to meet our needs, we do an NXQL query with an adapter to filter on permissions. It works for now, because we don't have a lot of data. It would be better to put the filter directly in the query.

I hope that is clear. As you see, we found solutions to our problems, but they're not the best solutions. If you have suggestions, they will be really appreciated. Thanks a lot for your help.


Nuxeo doesn't support this at the moment.

Edit: You're describing two different use cases for what you call a permission.

The first use case is checking if a user has a global setting that enables him to see a report or not. That's the notion of a Role, which you can easily apply to Nuxeo using a user group.

The second use case is doing a query and filtering on a permission other than Browse, and that's not supported; queries are only done on Browse by definition. If you want to filter documents by some kind of attribute, then just add a flag or attribute on the document. Don't use permissions for that.

1 votes

The code below works in a test context (mvn test) when we use the embedded database.

It does not work with the PostgreSQL database because the NXQLQueryMaker.buildQuery() internals don't take the permissions array into account when dialect.supportsReadAcl() is true.

Should we file a bug for this?

public void testQuery() throws Exception {

    String permission = "AM_CLASSIFY";
    SecurityService securityService = NXCore.getSecurityService();

    Principal principal = new PrincipalImpl(TEST_USER);

    String[] principalsToCheck = SecurityService
            .getPrincipalsToCheck(principal);
    QueryFilter qfilter = new QueryFilter(principal, principalsToCheck,
            new String[] { permission }, null,
                    .getRepositoryName()), 1, 0); 

    Query query = ((AbstractSession) session).getSession().createQuery(
            "SELECT * FROM Document", Query.Type.NXQL);

    FilterableQuery filterableQuery = (FilterableQuery) query;
    QueryResult results = filterableQuery.execute(qfilter, false);
    assertTrue("No document matches", results.count() > 0); 

    principal = new PrincipalImpl(TEST_USER + "2");
    permission = "AM_DECLARE";
    principalsToCheck = SecurityService.getPrincipalsToCheck(principal);
    qfilter = new QueryFilter(principal, principalsToCheck,
            new String[] { permission }, null,
                    .getRepositoryName()), 1, 0); 

    results = filterableQuery.execute(qfilter, false);
    assertTrue(results.count() > 0);
}

0 votes

When the "read acl" optimizations are enabled, it is assumed that all queries are done only on the Browse permission, so it's not really a bug. As these optimizations are necessary for any large volume, let's just say that using the low-level Session APIs directly and doing your own QueryFilter filtering is not supported. Only CoreSession is a supported API.

For instance, you can create your ActionsBean class with proper functions. Then you should choose an XHTML context with your functions.

In your example you can probably use a standard query to execute your SQL, so it is easy to do. It will be a bit more complicated if your query has to be pure (without permission filtration).

-2 votes
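
The reply above states that only CoreSession is a supported API and that queries filter on Browse alone. One way to stay within that API, shown here as an added example that is not code from this thread or from Nuxeo: run the NXQL query through CoreSession, then keep only the documents on which hasPermission succeeds for the custom permission. The class name, method names and page size are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

import org.nuxeo.ecm.core.api.CoreSession;
import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.core.api.DocumentModelList;

/** Hypothetical helper (added example): post-filter query results on a custom permission. */
public class PermissionPostFilter {

    private static final int PAGE_SIZE = 200; // assumed value, tune for your volume

    /**
     * Returns at most maxResults documents matching the NXQL query on which the
     * session's user holds the given permission. The query itself only returns
     * documents the user can Browse; the custom permission is checked afterwards
     * through the security service, which also resolves inherited ACLs and denials.
     * The NXQL should carry an ORDER BY (for example ecm:uuid) so paging is stable.
     */
    public static List<DocumentModel> findWithPermission(CoreSession session,
            String nxql, String permission, int maxResults) throws Exception {
        List<DocumentModel> granted = new ArrayList<DocumentModel>();
        long offset = 0;
        while (granted.size() < maxResults) {
            DocumentModelList page = session.query(nxql, null, PAGE_SIZE, offset, false);
            if (page.isEmpty()) {
                break; // no more Browse-visible matches
            }
            for (DocumentModel doc : page) {
                if (session.hasPermission(doc.getRef(), permission)) {
                    granted.add(doc);
                    if (granted.size() == maxResults) {
                        break;
                    }
                }
            }
            offset += page.size();
        }
        return granted;
    }

    /** True if the user holds the permission on at least one matching document. */
    public static boolean isGrantedAnywhere(CoreSession session, String nxql,
            String permission) throws Exception {
        return !findWithPermission(session, nxql, permission, 1).isEmpty();
    }
}
```

The cost grows with the number of Browse-visible matches, so narrow the NXQL as far as the report allows before the permission check runs.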