[ 
http://jira.nuxeo.org/browse/NXP-365?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_31118
 ] 

Olivier Grisel commented on NXP-365:
------------------------------------

The permission extension point should make it possible to define new (possibly 
compound) permissions, remove existing permissions, and add or remove permissions 
from the list of sub-permissions of a compound permission.

The permission manager should also provide a method to define which permissions 
are to be available as options in the UI (web or RCP) screens to edit a 
document's ACP.

Hence the current UIPermissionService in webapp is to be deprecated in favor of 
the new version of the security service.

Expected syntax of a contribution to the permission service extension point.

<?xml version="1.0"?>
<component name="org.nuxeo.ecm.core.security.defaultPermissions">
  <extension target="org.nuxeo.ecm.core.security.SecurityService"
             point="permissions">
     
    <permission name="Browse" />
    <permission name="Version" />
    <permission name="ReadProperties" />
    <permission name="ReadChildren" />
    <permission name="ReadLifeCycle" />
    <permission name="ReviewParticipant" />

    <permission name="Read" availableForUserSetting="true" order="30">
      <include name="Browse" />
      <include name="Version" />
      <include name="ReadProperties" />
      <include name="ReadChildren" />
      <include name="ReadLifeCycle" />
      <include name="ReviewParticipant" />
    </permission>

    <permission name="ReadRemove">
      <include name="Read" />
      <include name="Remove" />
    </permission>

    <permission name="AddChildren" />
    <permission name="RemoveChildren" />
    <permission name="WriteProperties" />
    <permission name="Remove" />
    <permission name="ManageWorkflows" />
    <permission name="WriteLifeCycle" />

    <permission name="Write">
      <include name="AddChildren" />
      <include name="RemoveChildren" />
      <include name="WriteProperties" />
      <include name="Remove" />
      <include name="ManageWorkflows" />
      <include name="WriteLifeCycle" />
    </permission>

    <permission name="ReadWrite" availableForUserSetting="true" order="50">
      <include name="Read" />
      <include name="Write" />
    </permission>

    <permission name="WriteSecurity" />

    <!-- special permission given to administrators: god-level access -->
    <permission name="Everything" availableForUserSetting="true" order="100" />

  </extension>
</component>

Now suppose we have additional components to extend / override the default 
setup; we can add new permissions that combine existing permissions:

<?xml version="1.0"?>
<component name="com.nuxeo.mycustomproject1.security.permissions">
  <extension target="org.nuxeo.ecm.core.security.SecurityService"
             point="permissions">

    <permission name="CustomAtomicPerm" />

    <permission name="CustomCoumpoundPerm" availableForUserSetting="true"
                order="40">
      <include name="ReadWrite" />
      <include name="CustomAtomicPerm" />
    </permission>
  </extension>
</component>


We can also change existing compound permissions by removing sub-permissions or 
changing their visibility and display order:

<?xml version="1.0"?>
<component name="com.nuxeo.mycustomproject1.security.permissions">
  <extension target="org.nuxeo.ecm.core.security.SecurityService"
             point="permissions">

    <permission name="Write" availableForUserSetting="true" order="50">
      <remove name="WriteLifeCycle" />
      <include name="AnotherNewPerm" />
    </permission>

    <permission name="ReadWrite" availableForUserSetting="false" />

  </extension>
</component>
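
Added example, not part of the original comment or of Nuxeo's code: a sketch of how ordered contributions could be merged and a compound permission expanded to its atomic set, assuming later contributions merge by permission name and names are case-sensitive. The XML is constructed and abbreviated, and the override deliberately mis-cases the removed name to show that a remove matching nothing leaves the grant in place.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated contributions reusing the proposal's element names.
DEFAULTS = """<component name="defaults"><extension point="permissions">
  <permission name="Browse"/><permission name="ReadProperties"/>
  <permission name="Read" availableForUserSetting="true" order="30">
    <include name="Browse"/><include name="ReadProperties"/></permission>
  <permission name="WriteProperties"/><permission name="WriteLifeCycle"/>
  <permission name="Write">
    <include name="WriteProperties"/><include name="WriteLifeCycle"/></permission>
  <permission name="ReadWrite" availableForUserSetting="true" order="50">
    <include name="Read"/><include name="Write"/></permission>
</extension></component>"""
# Constructed override: the removed name is deliberately mis-cased.
OVERRIDE = """<component name="override"><extension point="permissions">
  <permission name="Write">
    <remove name="WriteLifecycle"/><include name="AnotherNewPerm"/></permission>
</extension></component>"""

def merge(*docs):
    """Apply contributions in order (assumed semantics); return (registry, warnings)."""
    reg, warnings = {}, []
    for doc in docs:
        for perm in ET.fromstring(doc).iter("permission"):
            subs = reg.setdefault(perm.get("name"), [])
            for child in perm:
                name = child.get("name")
                if child.tag == "include" and name not in subs:
                    subs.append(name)
                elif child.tag == "remove" and name in subs:
                    subs.remove(name)
                elif child.tag == "remove":
                    warnings.append(f"{perm.get('name')}: remove of absent {name}")
    for owner, subs in reg.items():
        warnings += [f"{owner}: include of undefined {s}" for s in subs if s not in reg]
    return reg, warnings

def expand(reg, name, seen=None):
    """Atomic permissions granted by `name`; `seen` guards against include cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    subs = reg.get(name, [])
    if not subs:
        return {name}
    return set().union(*(expand(reg, s, seen) for s in subs))

if __name__ == "__main__":
    reg, warnings = merge(DEFAULTS, OVERRIDE)
    print(sorted(expand(reg, "ReadWrite")), warnings)
```

Running the merged registry through expand() before deployment shows what an ACL entry for a compound permission actually grants after all overrides have been applied.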

> Implement an extensible core permission service and related facade API
> ----------------------------------------------------------------------
>
>                 Key: NXP-365
>                 URL: http://jira.nuxeo.org/browse/NXP-365
>             Project: Nuxeo Enterprise Platform 5
>          Issue Type: Improvement
>          Components: Core, Security, Web Foundations
>            Reporter: Olivier Grisel
>            Assignee: Olivier Grisel
>            Priority: Major
>             Fix For: 5.2 M1
>
>   Original Estimate: 2 days
>  Remaining Estimate: 2 days
>
> Current permission map is defined in a single permissions.xml file. We need 
> a dedicated OSGi component to register and update permissions and groups of 
> permissions at runtime. This permission service should be "queriable" from 
> client code through a facade API in NXCoreFacade.
> Another extension point should specify the list of permissions that are 
> assignable through the document_rights.xhtml tab. Currently this is hardcoded 
> in the "settablePermissions" field of the SecurityActions listener. In the 
> long term the list of permissions assignable by a given user to a given space 
> should be computed by an extensible set of rules. The API of the permission 
> service should be designed with that constraint in mind.
