Adding Unlock permission to a specific group doesn't work
Hello,
I use Nuxeo 10.10 with PostgreSQL 11. I am trying to add an “unlock” permission to a group named “gestionnaire”. Users in this group can read, write and *unlock* documents.
What I have done:
I deployed a contribution following https://doc.nuxeo.com/nxdoc/1010/how-to-grant-the-edit-permission-without-the-remove-permission/
<component name="fr.my.project.permissions">
  <require>org.nuxeo.runtime.started</require>
  <extension target="org.nuxeo.ecm.core.security.SecurityService" point="permissions">
    <permission name="ReadWriteAndUnlock">
      <include>ReadWrite</include>
      <include>Unlock</include>
    </permission>
  </extension>
  <!-- https://github.com/nuxeo/nuxeo/blob/master/nuxeo-core/nuxeo-core/src/main/resources/OSGI-INF/permissions-contrib.xml -->
  <extension target="org.nuxeo.ecm.core.security.SecurityService" point="permissionsVisibility">
    <visibility>
      <item order="10" show="true">Read</item>
      <item order="50" denyPermission="Write" show="true">ReadWrite</item>
      <item order="55" denyPermission="Unlock" show="true">ReadWriteAndUnlock</item>
      <item order="100" show="true">Everything</item>
    </visibility>
  </extension>
</component>
On the repository, I added permissions on the workspace.
What I expect:
A user in the default “members” group can lock a document he created (so he can unlock it too). A user in the “manager” group can unlock a document locked by a user of the “members” group (because I had unlock permission).
The problem:
A user in the “manager” group can't unlock a document locked by a user of the “members” group. No unlock button is displayed in Web UI.
What did I miss?
Thank you.
Okay, I made a little patch and it works. My user in “gestionnaire” group can unlock the doc
_isAvailable(doc) {
  return doc && !doc.isVersion &&
    (this.hasPermission(doc, 'Unlock') || this.hasPermission(doc, 'Write')) &&
    !this.isImmutable(doc);
}
But I think it's not the correct way to do what I want.
I have checked JSON export of the document when it is locked by another user
Here they are :
"permissions": [ "ReadProperties", "ReadSecurity", "ReadVersion", "Read", "ReadChildren", "ReadLifeCycle", "ReviewParticipant", "Unlock", "ReadWrite", "Browse", "ReadWriteAndUnlock" ]
When the document is unlocked, I have the following permissions:
"permissions": [ "Write", "WriteVersion", "ReadProperties", "ReadSecurity", "Remove", "ReadVersion", "Read", "WriteLifeCycle", "ReadChildren", "AddChildren", "ReadLifeCycle", "RemoveChildren", "ReviewParticipant", "Unlock", "ReadWrite", "Browse", "ReadWriteAndUnlock", "WriteProperties", "ManageWorkflows" ]
I think the problem is similar to this old one (for JSF UI): https://jira.nuxeo.com/browse/NXP-15232
What do you think?
:-) Thank you for your fast answer, but my new permission “ReadWriteAndUnlock” includes the write permission (ReadWrite):
<permission name="ReadWriteAndUnlock">
  <include>ReadWrite</include>
  <include>Unlock</include>
</permission>
How can I implement this scenario? I don't want my managers to have administrator privileges only to unlock a document.
Thank you
This is probably due to the fact that the element displaying the lock and unlock action is filtering with the “Write” permission: https://github.com/nuxeo/nuxeo-ui-elements/blob/08fd256fb4e7775375c176892098baec21fe302d/actions/nuxeo-lock-toggle-button.html#L133
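The following is an added example, not code from the thread or from nuxeo-ui-elements: it replays the two permission lists quoted above through a 'Write'-gated availability check and through the 'Unlock'-or-'Write' check from the patch. The `contextParameters.permissions` location, the `isImmutable` flag (the patch calls a method instead) and all function names are assumptions made for the model.

```javascript
// Constructed model of the Web UI availability check; not the Nuxeo source.
// Both permission lists are copied from the JSON exports quoted in the thread.
const LOCKED_BY_OTHER = ['ReadProperties', 'ReadSecurity', 'ReadVersion', 'Read',
  'ReadChildren', 'ReadLifeCycle', 'ReviewParticipant', 'Unlock', 'ReadWrite',
  'Browse', 'ReadWriteAndUnlock'];
const UNLOCKED = ['Write', 'WriteVersion', 'ReadProperties', 'ReadSecurity', 'Remove',
  'ReadVersion', 'Read', 'WriteLifeCycle', 'ReadChildren', 'AddChildren',
  'ReadLifeCycle', 'RemoveChildren', 'ReviewParticipant', 'Unlock', 'ReadWrite',
  'Browse', 'ReadWriteAndUnlock', 'WriteProperties', 'ManageWorkflows'];

// Assumption: the permission list sits under contextParameters.permissions.
function makeDoc(permissions, overrides = {}) {
  return { isVersion: false, isImmutable: false, contextParameters: { permissions }, ...overrides };
}

function hasPermission(doc, name) {
  const perms = (doc && doc.contextParameters && doc.contextParameters.permissions) || [];
  return perms.includes(name);
}

// Check as the answer describes it: the lock toggle is gated on 'Write'.
function availableWithWriteFilter(doc) {
  return Boolean(doc) && !doc.isVersion && hasPermission(doc, 'Write') && !doc.isImmutable;
}

// Check as patched in the thread: 'Unlock' or 'Write'.
function availableWithUnlockFilter(doc) {
  return Boolean(doc) && !doc.isVersion &&
    (hasPermission(doc, 'Unlock') || hasPermission(doc, 'Write')) && !doc.isImmutable;
}

// Permissions absent from the export while another user holds the lock.
function droppedWhileLocked(unlocked, locked) {
  const still = new Set(locked);
  return unlocked.filter((p) => !still.has(p)).sort();
}

function report() {
  const locked = makeDoc(LOCKED_BY_OTHER);
  const free = makeDoc(UNLOCKED);
  return {
    dropped: droppedWhileLocked(UNLOCKED, LOCKED_BY_OTHER),
    writeFilter: { locked: availableWithWriteFilter(locked), free: availableWithWriteFilter(free) },
    unlockFilter: { locked: availableWithUnlockFilter(locked), free: availableWithUnlockFilter(free) },
  };
}

console.log(JSON.stringify(report(), null, 2));
```

In the quoted exports, 'Write' is among the eight permissions missing while the document is locked by another user, whereas 'Unlock' is still listed, so a 'Write'-gated button disappears in exactly the state where unlocking is needed.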