Alfresco permissions see list of node content but deny download

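Is it possible to set up permissionsDefinition.xml in Alfresco so that GROUP_USERS are not allowed to download files but can still see the list of content?

I have tried setting up such a configuration in the .xml file.

This is the original definition of the Read permission group: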

<permissionGroup name="Read"  expose="true" allowFullControl="false">
    <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
    <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
    <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
</permissionGroup>

So the simple attempt was to remove the ReadContent permission and change the group to:

<permissionGroup name="Read"  expose="true" allowFullControl="false">
     <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
     <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
</permissionGroup>

Based on this I created a new permissionGroup, like this:

<permissionGroup name="Reader" allowFullControl="false" expose="true">
     <includePermissionGroup permissionGroup="Read" type="sys:base"/>
     <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
</permissionGroup>

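This group was then included twice, once each in <permissionSet type="cm:content"/> and <permissionSet type="cm:folder"/>.

To test this, I broke the inheritance of the space and the parent folder and created a new user who is only a member of GROUP_USERS and was given the Reader permission.

The actual problem

Although I can see the documents in the query results, I cannot get an instance of the object using session.getObject(id). I always get CmisRuntimeExceptionMessage: Object Info is missing. As soon as I add the ReadContent permission again, I can get the object by Id again.

So, in order to get an instance of the object, I need to allow ReadContent, even though I only want the instance of the object for read-only tasks.

Yes, according to the documentation here: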

When modifying access control, do not try to split ReadProperties and ReadContent. This does not make sense for search. A node and all of its properties, including content, are indexed as one entity. Splitting the evaluation of access for content and properties is not possible. Search would have to apply both criteria so as to not leak information. Other services, such as copy, may not behave as expected or may produce nodes in an odd state.
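
A lint check for the split the documentation warns against, as an added example that is not part of the original question, answer or Alfresco itself. It assumes a permission definitions file without XML namespaces, runs on a constructed excerpt mirroring the question's modified groups, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the question's modified groups (not a full Alfresco file).
SAMPLE = """
<permissions>
  <permissionSet type="sys:base" expose="all">
    <permissionGroup name="Read" expose="true" allowFullControl="false">
      <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
      <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
    </permissionGroup>
    <permissionGroup name="Reader" expose="true" allowFullControl="false">
      <includePermissionGroup type="sys:base" permissionGroup="Read"/>
      <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
    </permissionGroup>
  </permissionSet>
</permissions>
"""

def load_groups(xml_text):
    """Map (set type, group name) -> (type, name) pairs it includes directly."""
    groups = {}
    for pset in ET.fromstring(xml_text).iter("permissionSet"):
        for grp in pset.findall("permissionGroup"):
            key = (pset.get("type"), grp.get("name"))
            groups[key] = [(inc.get("type"), inc.get("permissionGroup"))
                           for inc in grp.findall("includePermissionGroup")]
    return groups

def expand(key, groups, seen):
    """Names of all groups reachable from key via includes (cycle-safe)."""
    if key in seen:
        return set()
    seen.add(key)
    names = {key[1]}
    for inc in groups.get(key, []):
        names |= expand(inc, groups, seen)
    return names

def split_read_groups(xml_text):
    """Composite groups granting exactly one of ReadProperties / ReadContent."""
    groups = load_groups(xml_text)
    flagged = []
    for key, includes in groups.items():
        names = expand(key, groups, set())
        if includes and ("ReadProperties" in names) != ("ReadContent" in names):
            flagged.append(key[1])
    return sorted(flagged)

print(split_read_groups(SAMPLE))
```

Both Read and Reader are flagged here because Reader inherits the split through its include of Read; restoring the ReadContent include in Read clears both.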