Why does Session.checkPermission() bypass the SecurityPolicy for Administrators?
It appears invocation of SecurityPolicy.checkPermission() is normally bypassed for Administrators whereas SecurityPolicy.QueryTransformer.transform() is invoked for Administrators. As a result of this discrepancy, when Administrators invoke a CMIS getChildren() operation on a specific folder for example, they might see different results than when they browse the folder via the Nuxeo DM Web UI. The CMIS operation relies on the Session.getChildren() method which calls Session.checkPermission() which bypasses the SecurityPolicy for Administrators. Folder navigation via the Nuxeo DM Web UI relies upon SecurityPolicy.QueryTransformer.transform() which is applied for Administrators.
I would like to control how my SecurityPolicy applies to Administrators, specifically the behavior of the SecurityPolicy.checkPermission. The implementation of AbstractSession.checkPermission() appears to prevent me from doing so. Thoughts?
Administrators are “root”, they should see everything by design. So your
SecurityPolicy.QueryTransformer.transform should do nothing if the principal is the Administrator. We could indeed completely bypass calling the
transform method in that case. But it's easy to add a check in the method implementation.
If you want to restrict what Administrator sees then I'd say that you're using the wrong user.