Hello,
Following are listed some services without a clearly defined Permission
Mapping filter, based on CMIS 1.0 (
http://docs.oasis-open.org/cmis/CMIS/v1.0/errata-01/os/cmis-spec-v1.0-errata-01-os-complete.doc)
and CMIS 1.1 (
http://docs.oasis-open.org/cmis/CMIS/v1.1/cos01/CMIS-v1.1-cos01.pdf )
1) Navigation Services
1.1) getCheckedOutDocs
Description: Gets the list of documents that are checked out that
the user has access to.
I see two options:
1.1.1) Granted to any authenticated user. (The result will be
already filtered by the user permissions related with the objects)
1.1.2) If a folder is specified then apply the Permission Mapping
canGetDescendants.Folder
My guess is to go for the option 1.1.2.
2) Object Services
2.1) createDocumentFromSource
Description: Creates a document object as a copy of the given
source document in the (optionally) specified location.
My guess is that the Permission Mappings to apply would be:
2.1.1) Always canGetProperties.Object
2.1.2) If the object has a content stream, also apply
canViewContent.Object
2.1.3) If the optional folder is specified, also apply
canCreateDocument.Folder
2.2) createPolicy
Description: Creates a policy object of the specified type
2.2.1) CMIS 1.0
There is no Permission Mapping defined for this operation in
CMIS 1.0.
My guess is to apply the nearest permission mapping:
canCreateDocument.Folder
2.2.2) CMIS 1.1
The permission mapping defined is canCreatePolicy.Folder.
NOTE: In openCMIS 0.9.0-beta-1 this permission mapping is not
included neither in org.apache.chemistry.opencmis.commons.enums.Action or
in org.apache.chemistry.opencmis.commons.data.PermissionMapping
See JIRA: https://issues.apache.org/jira/browse/CMIS-662
2.3) getAllowableActions
Description: Gets the list of allowable actions for an Object
My guess is that this should be granted to any authenticated user.
2.4) getRenditions
Description: Gets the list of associated Renditions for the
specified object. Only rendition attributes are returned, not rendition
stream.
The related Permission Mapping was removed in the errata version of
CMIS 1.0.
My guess is to apply canGetProperties.
NOTE: In openCMIS 0.8.x and 0.9.0-beta-1 this permission mapping is
included in org.apache.chemistry.opencmis.commons.enums.Action but not in
org.apache.chemistry.opencmis.commons.data.PermissionMapping
See same JIRA as in 2.2.2.
3) Discovery Services
3.1) query
Description: Executes a CMIS query statement against the contents
of the Repository.
Based on the definition, all authenticated user is granted to query
all query-able.
In our implementation, we will restrict the output to all
query-able objects whose ACL has at least one ACE for the current user. In
this way, we can be sure the user can use all the returned objects in some
way.
4) Versioning Services
4.1) getObjectOfLatestVersion
Description: Get a the latest Document object in the Version Series.
My guess is to apply canGetProperties.Object
4.2) getPropertiesOfLatestVersion
Description: Get a subset of the properties for the latest Document
Object in the Version Series.
My guess is to apply canGetProperties.Object
Would you mind to clarify if my guessings are correct?
Thank you very much in advance.
Regards,
Jaime Porras.
