Functional permissions in nuxeo

I have been trying to understand the permission management in nuxeo. As far as my understanding, ACLs are attached to a document, and they contain the information whether a user can read/write/remove the document. I wanted to know if these ACLs are used to display/hide the buttons such as “Edit”/“Delete” on the UI (when we view a particular document) or is there a different mechanism for that.

I also went through this link, which gives the mapping of permissions to allowed functions. In my understanding ACLs control the rendering of different buttons based on different types of access rights. I want to know if my understanding is correct?

0 votes

1 answers

271 views

ANSWER



ACLs are set on documents. There are the default Read, Write, Everything permssions but they can be customized:

  <extension target="org.nuxeo.ecm.core.security.SecurityService" point="permissions">

        <!--
            customized Write permission
        -->
        <permission name="Write">
            <remove>Remove</remove>
        </permission>

        <!--
            customized ReadWriteAndRemove permission
            does the same as the default nuxeo ReadWrite permission
        -->
        <permission name="ReadWriteAndRemove">
            <include>Read</include>
            <include>Write</include>
            <include>Remove</include>
        </permission>

        <!-- custom Permission -->
        <permission name="GetPersistentId">
            <include>ReadWrite</include>
        </permission>
    </extension>


    <extension target="org.nuxeo.ecm.core.security.SecurityService" point="permissionsVisibility">
        <visibility>
            <item show="true" order="10">Read</item>
            <item show="true" order="20">ReadWrite</item>
            <item show="true" order="30">ReadWriteAndRemove</item>
            <item show="true" order="40">Everything</item>
            <item show="true" order="50">GetPersistentId</item>
        </visibility>
    </extension>

In the WebUI there are slots that have their own permissions (buttons, drawer items, …). All permissions defined above can be used on the slots:

<nuxeo-slot-content name="addFacetAction" slot="DOCUMENT_ACTIONS" order="2>
  <template>
    <nuxeo-filter document="[[document]]" permission="Write" state="project" type="File">
      <template>
        <addfacets-action document="[[document]]"></addfacets-action>
      </template>
    </nuxeo-filter>
</nuxeo-slot-content>

Even though it's a rather late response, I hope it helps.

Best

Stefan

0 votes