Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-13724

Restrict Directory read/write access

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.0
    • Component/s: Directory

      Description

      The goal is to handle security on Directory access.

      Global security

      Directory descriptor should allow to specifiy some simple security restrictions:

        <directory name="foo">
    ...
      <permissions>
        <permission name="Read">
          <user>readerUser</user>
        </permission>
        <permission name="Write">
          <user>superUser</user>
        </permission>
        <permission name="Write">
          <group>mygroup2</group>
        </permission>
      </permissions>
    ...
  </directory>

      Having READ is included in WRITE.

      If no restriction is set on the directory descriptor, then default is :

      • READ : EVERYONE
      • WRITE : Administrators, powerusers

      This default setup is consistent with the check we are already doing in the Automation and REST endpoints.

      Entry level checks

      For some specific cases, we may want to have a per-entry check, at least for WRITE access.

      ex : Power Users should not be able to edit admin accounts

      For this of use case, we could introduce a kind of Directory SecurityPolicy DirectoryEntrySecurityManager.

      For Repository backed Directories, the implementation could be ACL based, and we can define other implementation for specific directories.

        Attachments

          Issue Links

          depends on

          Bug - A problem which impairs or prevents the functions of the product. NXP-15731 Directories should throw a security exception on denied access

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. NXP-15732 Fix access to "add new entry" feature on directory suggestion widget

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NXP-15737 Rely on standard filters to perform directory security checks

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. NXP-15665 Remove spurious warn logs about directory permissions

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved
          is required by

          Bug - A problem which impairs or prevents the functions of the product. NXP-15448 Fix nuxeo-signature selenium tests

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. NXP-15702 A non administrator user cannot connect to a Nuxeo instance with Nuxeo Drive

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. NXP-15653 Add security checks at directory entry level

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. NXS-2308 Allow controlling permissions on vocabularies

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. NXP-15712 Use AutoClosable pattern allowing system login when opening a directory session

          • Major - Major loss of function.
          • Open

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: