Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-28370

Make version Read permission depend on live doc ReadVersion

    Details

    • Release Notes Summary:
      A property is exposed to make the Read permission on a version depend on the ReadVersion permission on the live document.
    • Release Notes Description:
      Hide

      The new configuration property org.nuxeo.version.readversion.disabled controls whether the ReadVersion permission is disabled. The default value in 11.x is false. Setting it to true disables special behavior for the ReadVersion permission.

        <require>org.nuxeo.ecm.core.versioning.config</require>
        <extension target="org.nuxeo.runtime.ConfigurationService" point="configuration">
          <property name="org.nuxeo.version.readversion.disabled">false</property>
        </extension>
      

      In 10.10-HF the behavior is unchanged from before for compatibility: true is used.

      Show
      The new configuration property org.nuxeo.version.readversion.disabled controls whether the ReadVersion permission is disabled. The default value in 11.x is false . Setting it to true disables special behavior for the ReadVersion permission. <require> org.nuxeo.ecm.core.versioning.config </require> <extension target= "org.nuxeo.runtime.ConfigurationService" point= "configuration" > <property name= "org.nuxeo.version.readversion.disabled" > false </property> </extension> In 10.10-HF the behavior is unchanged from before for compatibility: true is used.
    • Tags:
    • Backlog priority:
      800
    • Impact type:
      Configuration Change
    • Team:
      FG
    • Sprint:
      nxFG 11.1.12, nxFG 11.1.13

      Description

      Improve the behavior of the ReadVersion permission by defining its semantics more cleanly in terms of inheritance from its live doc:

      • a version "inherits" most of its permissions from its live document (and transitively from the ancestors of the live doc),
      • a version does not inherit the Read permission,
      • but if a live doc has the ReadVersion permission then the version has the Read permission.

      This means that Read on a live doc is not sufficient to access the versions, the ReadVersion permission must be present too.

      This should be activated based on a feature flag to keep the old behavior if needed.

      Note, in all of the above when we say Read it's really Browse that's understood at low-level.

      Implementation details:

      • change DBSTransactionState.getReadACL,
      • change the various SQL stored procedures, for PostgreSQL these are nx_get_read_acl and nx_access_allowed,
      • change the regular merged ACL logic,
      • change the various higher-level permission checks at the AbstractSession level to be consistent with this.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 2 weeks
                  2w

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.