Nuxeo Platform / NXP-13724

Restrict Directory read/write access

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.0
    • Component/s: Directory

      Description

      The goal is to handle security on Directory access.

      Global security

      The Directory descriptor should allow specifying some simple security restrictions:

        <directory name="foo">
          ...
            <permissions>
              <permission name="Read">
                <user>readerUser</user>
              </permission>
              <permission name="Write">
                <user>superUser</user>
              </permission>
              <permission name="Write">
                <group>mygroup2</group>
              </permission>
            </permissions>
          ...
        </directory>
      

      READ is included in WRITE.

      If no restriction is set on the directory descriptor, then the default is:

      • READ : EVERYONE
      • WRITE : Administrators, powerusers

      This default setup is consistent with the check we are already doing in the Automation and REST endpoints.
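
The check described above, modelled as an added example (this is not Nuxeo's implementation): it parses a `<permissions>` block, merges repeated `<permission>` elements, treats a Write grant as satisfying Read, and falls back to the stated defaults when no block is present. The function names, the group ids `administrators` and `powerusers`, and the deny-by-default behaviour once a `<permissions>` block exists are assumptions.

```python
import xml.etree.ElementTree as ET

# Defaults stated in the ticket when the descriptor sets no restriction.
# The group ids "administrators" and "powerusers" are assumed spellings.
EVERYONE = "*"
DEFAULTS = {"Read": {EVERYONE}, "Write": {"group:administrators", "group:powerusers"}}

def load_permissions(directory_xml):
    """Return {permission name: set of 'user:x' / 'group:y'}, or None if unrestricted."""
    root = ET.fromstring(directory_xml)
    block = root.find("permissions")
    if block is None:
        return None
    grants = {}
    for perm in block.findall("permission"):
        # Several <permission> elements may share a name; merge them.
        principals = grants.setdefault(perm.get("name"), set())
        for child in perm:
            if child.tag in ("user", "group") and child.text:
                principals.add(f"{child.tag}:{child.text.strip()}")
    return grants

def has_permission(grants, user, groups, wanted):
    """Check Read or Write for a user; a Write grant also satisfies Read."""
    if wanted not in ("Read", "Write"):
        raise ValueError(f"unknown permission: {wanted}")
    table = DEFAULTS if grants is None else grants
    identities = {f"user:{user}"} | {f"group:{g}" for g in groups}
    satisfying = ("Read", "Write") if wanted == "Read" else ("Write",)
    for name in satisfying:
        allowed = table.get(name, set())
        if EVERYONE in allowed or identities & allowed:
            return True
    return False  # assumption: once <permissions> exists, anything unlisted is denied

# Constructed descriptor mirroring the ticket's example.
FOO = """<directory name="foo">
  <permissions>
    <permission name="Read"><user>readerUser</user></permission>
    <permission name="Write"><user>superUser</user></permission>
    <permission name="Write"><group>mygroup2</group></permission>
  </permissions>
</directory>"""

if __name__ == "__main__":
    g = load_permissions(FOO)
    for who, grps in [("readerUser", []), ("superUser", []), ("bob", ["mygroup2"]), ("eve", [])]:
        print(who, has_permission(g, who, grps, "Read"), has_permission(g, who, grps, "Write"))
```
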

      Entry level checks

      For some specific cases, we may want to have a per-entry check, at least for WRITE access.

      Example: Power Users should not be able to edit admin accounts.

      For this kind of use case, we could introduce a kind of Directory SecurityPolicy (DirectoryEntrySecurityManager).

      For Repository-backed Directories, the implementation could be ACL-based, and we can define other implementations for specific directories.
