Hi Tiry,

My challenge is that the 'Delete' button is not enabled in the view because the user does not have the RemoveChildren right in the folder and my policy will not override that right because the author of the folder is not the author of the document to be deleted. If on the call made to check the RemoveChildren I could get access to the selected document then I could check to see if the current user is the author of the selected document and give the user RemoveChildren right (and then presumably I would see the Delete button ;-)).

Cheers,
Bruce.
--------------------
metaLogic
ph. +1.905.629.7775 x225
fax +1.905.629.9887
http://metaLogic.ca

From: Thierry Delprat <[email protected]>
To: Bruce Grant <[email protected]>
Cc: [email protected]
Date: 02/23/2010 08:57 AM
Subject: Re: [Ecm] AbstractSecurityPolicy

Hi Bruce,

The Core will do a double check:
- check for the Remove Permission on the document you want to delete
- check for the Remove Children permission on the container

=> You should be called twice
1 - one call on the container => nothing to do
2 - one call on the document => apply owner policy

Tiry

On 23 February 2010 14:38, Bruce Grant <[email protected]> wrote:

I would like to support the use case where the owner of a document has all rights on the documents irrespective of explicitly defined access controls. So I added the following Security Policy. I know the policy is running because I have run the server in debug mode with a breakpoint set.

    public class AuthorSecurityPolicy extends AbstractSecurityPolicy {

        public Access checkPermission(Document doc, ACP mergedAcp,
                Principal principal, String permission,
                String[] resolvedPermissions, String[] additionalPrincipals) {
            // UNKNOWN leaves the decision to the other policies and the ACLs
            Access access = Access.UNKNOWN;
            String creator = null;
            if (doc != null) {
                try {
                    creator = (String) doc.getPropertyValue("dc:creator");
                } catch (DocumentException e) {
                    // property could not be read: creator stays null
                }
            }
            // grant every permission to the creator of the document
            if (creator != null && creator.equals(principal.getName())) {
                access = Access.GRANT;
            }
            return access;
        }
    }

This works well for edit and save, but does not work for the delete case. Here's the scenario:
- I'm viewing a list of documents in a folder
- I select a document that I want to delete
- The logged in user is the creator of the document selected
- The 'Delete' action button remains grayed out

I know the root cause - the issue is that the Document doc in the AuthorSecurityPolicy.checkPermission(Document doc, ...) refers to the folder document itself rather than the selected document (and in my case the selected document is NOT created by the logged in user). And I know the selected document is available in the current Seam conversation context.

So, what I would like to be able to do is to get the list of selected documents (in my AuthorSecurityPolicy) so that I can check whether the logged in user should be able to delete the selected docs. What isn't obvious to me is how to get the list of selected documents. Any ideas?

Thanks,
Bruce.

_______________________________________________
ECM mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm
To unsubscribe, go to http://lists.nuxeo.com/mailman/options/ecm
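
The double check discussed in this thread, as a stand-alone model added here; it is not code from the thread or from Nuxeo. The Doc record, the flat "user:permission" ACL, the user names and the policy-then-ACL fallback order are assumptions made for illustration.

```java
import java.util.Set;

// Simplified model of the thread's scenario; none of these types are Nuxeo classes.
public class DeleteCheckDemo {
    enum Access { GRANT, DENY, UNKNOWN }

    // Constructed stand-in for a document: creator, container, and explicit grants.
    record Doc(String name, String creator, Doc parent, Set<String> acl) {}

    // Same rule as AuthorSecurityPolicy: the creator is granted any permission,
    // everyone else gets UNKNOWN so the decision is left to the ACL.
    static Access authorPolicy(Doc doc, String user) {
        return user.equals(doc.creator()) ? Access.GRANT : Access.UNKNOWN;
    }

    // Assumed evaluation order: policy first, explicit ACL entries on UNKNOWN.
    static boolean hasPermission(Doc doc, String user, String permission) {
        Access access = authorPolicy(doc, user);
        if (access != Access.UNKNOWN) {
            return access == Access.GRANT;
        }
        return doc.acl().contains(user + ":" + permission);
    }

    // The double check: Remove on the document AND RemoveChildren on its container.
    // Each call sees only the document being checked, never the current selection.
    static boolean canDelete(Doc doc, String user) {
        return hasPermission(doc, user, "Remove")
                && hasPermission(doc.parent(), user, "RemoveChildren");
    }

    public static void main(String[] args) {
        // Constructed data: alice created the folder, bob created the report in it.
        Doc folder = new Doc("folder", "alice", null, Set.of("bob:Read"));
        Doc report = new Doc("report", "bob", folder, Set.of());

        System.out.println("Remove on document:          "
                + hasPermission(report, "bob", "Remove"));
        System.out.println("RemoveChildren on container: "
                + hasPermission(folder, "bob", "RemoveChildren"));
        System.out.println("Delete allowed:              "
                + canDelete(report, "bob"));

        // Same documents, but the folder ACL explicitly grants bob RemoveChildren.
        Doc openFolder = new Doc("folder", "alice", null, Set.of("bob:RemoveChildren"));
        Doc report2 = new Doc("report", "bob", openFolder, Set.of());
        System.out.println("Delete with folder grant:    "
                + canDelete(report2, "bob"));
    }
}
```

In this model the container check is the one that fails: the policy is asked about the folder, whose creator is someone else, so it returns UNKNOWN and the folder's ACL decides.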
