[ELEMENTS-1451] nuxeo-document-permissions references "Everything" permission group instead of "WriteSecurity" atomic permission - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.8
Fix Version/s: 3.0.9
Component/s: UI

Epic Link:
NXUI: Atomic permissions for document administration
Tags:
- nxui
- nxui-triaged
Sprint:
UI - 2021-14

Description

The <nuxeo-document-permissions> element checks if the user has "Everything" permission in a number of different places. (The _hasPermission function then ignores the permission passed in as an argument, and explicitly checks for the "Everything" permission group.)

Expected Behaviour: If a user is assigned the "WriteSecurity" permission, they should be able to modify permissions on a document.

Actual Behaviour: A user with "WriteSecurity" permission cannot modify permissions on a document (unless they also have the "Everything" permission).

Use Case: In certain scenarios, there could be a group of delegated administrators that can perform limited operations e.g. to modify the permissions of other users, but without direct permissions themselves to write/delete the document itself. Of course, a user could assign themselves the "Everything" permission, and then do everything, but it would be a deliberate two-step process, logged in the audit history, etc.)

Attachments

Issue Links

is cloned by

ELEMENTS-1455 nuxeo-document-permissions references "Everything" permission group instead of "WriteSecurity" atomic permission (10.10)

Resolved

Is referenced in

PR for maintenance-2.4.x: #548

PR for maintenance-3.0.x: #498

Activity

People

Assignee:

Miguel Nixo

Reporter:

Mark Saye

Participants:

Mark Saye, Miguel Nixo

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

2021-12-14 18:58

Updated:

2022-01-06 14:54

Resolved:

2022-01-06 14:37

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: