Adding Unlock permission to a specific group doesn't work

Hello,

I use Nuxeo 10.10 with PostgreSQL 11. I am trying to add an “unlock” permission to a group named “gestionnaire”. Users in this group can read, write and *unlock* documents.

What I have done:

I deployed a contribution following https://doc.nuxeo.com/nxdoc/1010/how-to-grant-the-edit-permission-without-the-remove-permission/

<component name="fr.my.project.permissions">
    <require>org.nuxeo.runtime.started</require>
    <extension target="org.nuxeo.ecm.core.security.SecurityService" point="permissions">
        <permission name="ReadWriteAndUnlock">
            <include>ReadWrite</include>
            <include>Unlock</include>
        </permission>
    </extension>

    <!-- https://github.com/nuxeo/nuxeo/blob/master/nuxeo-core/nuxeo-core/src/main/resources/OSGI-INF/permissions-contrib.xml -->
    <extension target="org.nuxeo.ecm.core.security.SecurityService" point="permissionsVisibility">
        <visibility>
            <item order="10" show="true">Read</item>
            <item order="50" denyPermission="Write" show="true">ReadWrite</item>
            <item order="55" denyPermission="Unlock" show="true">ReadWriteAndUnlock</item>
            <item order="100" show="true">Everything</item>
        </visibility>
    </extension>
</component>

On the repository, I added permissions on the workspace.


What I expect:

A user in the default “members” group can lock a document he created (so he can unlock it too). A user in the “manager” group can unlock a document locked by a user of the “members” group (because I had unlock permission).

The problem:

A user in the “manager” group can't unlock a document locked by a user of the “members” group. No unlock button is displayed in Web UI.

What did I miss?

Thank you.

0 votes

4 answers

1175 views

ANSWER



Okay, I made a little patch and it works. My user in the “gestionnaire” group can unlock the doc.

_isAvailable(doc) {
  // Show the toggle when the user has 'Unlock' or 'Write' on a non-version, mutable document
  return doc && !doc.isVersion && (this.hasPermission(doc, 'Unlock') || this.hasPermission(doc, 'Write')) && !this.isImmutable(doc);
}

But I think it's not the correct way to do what I want.

1 votes



I have checked the JSON export of the document when it is locked by another user.

Here they are:

"permissions": [ "ReadProperties", "ReadSecurity", "ReadVersion", "Read", "ReadChildren", "ReadLifeCycle", "ReviewParticipant", "Unlock", "ReadWrite", "Browse", "ReadWriteAndUnlock" ]

When the document is unlocked, I have the following permissions:

"permissions": [ "Write", "WriteVersion", "ReadProperties", "ReadSecurity", "Remove", "ReadVersion", "Read", "WriteLifeCycle", "ReadChildren", "AddChildren", "ReadLifeCycle", "RemoveChildren", "ReviewParticipant", "Unlock", "ReadWrite", "Browse", "ReadWriteAndUnlock", "WriteProperties", "ManageWorkflows" ]

I think the problem is similar to this old one (for JSF UI): https://jira.nuxeo.com/browse/NXP-15232

What do you think?

0 votes



:-) Thank you for your fast answer, but my new permission “ReadWriteAndUnlock” includes the write permission (ReadWrite).

<permission name="ReadWriteAndUnlock">
    <include>ReadWrite</include>
    <include>Unlock</include>
</permission>

How can I implement this scenario? I don't want my managers to have administrator's privileges only to unlock a document.

Thank you

0 votes



I suggest you make a JSON export of the document to be sure about the permissions which are set on it, and check with the browser console what's happening exactly (with breakpoints and co).
09/19/2019


This is probably due to the fact that the element displaying the lock and unlock action is filtering with the “Write” permission: https://github.com/nuxeo/nuxeo-ui-elements/blob/08fd256fb4e7775375c176892098baec21fe302d/actions/nuxeo-lock-toggle-button.html#L133

0 votes
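The behaviour discussed in this thread, as an added example that is not part of any post or of Nuxeo's own code: it diffs the two "permissions" arrays quoted above and evaluates a Write-only visibility filter next to a lock-state-aware one. The helper names and the `permissions`, `locked`, `isVersion` and `isImmutable` fields on the sample document are assumptions made for the illustration.

```javascript
// Added example. The two arrays are the "permissions" lists quoted in the thread.
const UNLOCKED = [
  'Write', 'WriteVersion', 'ReadProperties', 'ReadSecurity', 'Remove', 'ReadVersion',
  'Read', 'WriteLifeCycle', 'ReadChildren', 'AddChildren', 'ReadLifeCycle',
  'RemoveChildren', 'ReviewParticipant', 'Unlock', 'ReadWrite', 'Browse',
  'ReadWriteAndUnlock', 'WriteProperties', 'ManageWorkflows',
];
const LOCKED_BY_OTHER = [
  'ReadProperties', 'ReadSecurity', 'ReadVersion', 'Read', 'ReadChildren',
  'ReadLifeCycle', 'ReviewParticipant', 'Unlock', 'ReadWrite', 'Browse',
  'ReadWriteAndUnlock',
];

// Permissions reported on the unlocked document but missing once another user holds the lock.
function lostWhenLocked(unlocked, locked) {
  const kept = new Set(locked);
  return unlocked.filter((p) => !kept.has(p));
}

// Hypothetical helper: doc.permissions is the array taken from the JSON export.
function has(doc, permission) {
  return Array.isArray(doc.permissions) && doc.permissions.includes(permission);
}

// Write-only visibility filter, modeled on the behaviour the thread describes.
function availableWriteOnly(doc) {
  return Boolean(doc) && !doc.isVersion && !doc.isImmutable && has(doc, 'Write');
}

// Lock-state-aware filter: 'Write' is needed to take a lock; 'Unlock' alone is
// enough to release one that is already held. `locked` is a constructed field.
function availableUnlockAware(doc) {
  if (!doc || doc.isVersion || doc.isImmutable) return false;
  return has(doc, 'Write') || (Boolean(doc.locked) && has(doc, 'Unlock'));
}

// Constructed document, as seen by a "gestionnaire" user while a member holds the lock.
const lockedDoc = { permissions: LOCKED_BY_OTHER, locked: true };
console.log('lost while locked:', lostWhenLocked(UNLOCKED, LOCKED_BY_OTHER));
console.log('write-only filter:', availableWriteOnly(lockedDoc));
console.log('unlock-aware filter:', availableUnlockAware(lockedDoc));
```

Unlike a plain `Unlock || Write` test, the lock-state-aware variant does not show the toggle to a user who holds only `Unlock` on a document that is not locked.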