Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-28370

Make version Read permission depend on live doc ReadVersion

    XMLWordPrintable

    Details

    • Release Notes Summary:
      A property is exposed to make the Read permission on a version depend on the ReadVersion permission on the live document.
    • Release Notes Description:
      Hide

      The new configuration property org.nuxeo.version.readversion.disabled controls whether the ReadVersion permission is disabled. The default value in 11.x is false. Setting it to true disables special behavior for the ReadVersion permission.

        <require>org.nuxeo.ecm.core.versioning.config</require>
  <extension target="org.nuxeo.runtime.ConfigurationService" point="configuration">
    <property name="org.nuxeo.version.readversion.disabled">false</property>
  </extension>

      In 10.10-HF the behavior is unchanged from before for compatibility: true is used.

      Show
      The new configuration property org.nuxeo.version.readversion.disabled controls whether the ReadVersion permission is disabled. The default value in 11.x is false . Setting it to true disables special behavior for the ReadVersion permission. <require> org.nuxeo.ecm.core.versioning.config </require> <extension target= "org.nuxeo.runtime.ConfigurationService" point= "configuration" > <property name= "org.nuxeo.version.readversion.disabled" > false </property> </extension> In 10.10-HF the behavior is unchanged from before for compatibility: true is used.
    • Tags:
    • Backlog priority:
      800
    • Impact type:
      Configuration Change
    • Team:
      FG
    • Sprint:
      nxFG 11.1.12, nxFG 11.1.13

      Description

      Improve the behavior of the ReadVersion permission by defining its semantics more cleanly in terms of inheritance from its live doc:

      • a version "inherits" most of its permissions from its live document (and transitively from the ancestors of the live doc),
      • a version does not inherit the Read permission,
      • but if a live doc has the ReadVersion permission then the version has the Read permission.

      This means that Read on a live doc is not sufficient to access the versions, the ReadVersion permission must be present too.

      This should be activated based on a feature flag to keep the old behavior if needed.

      Note, in all of the above when we say Read it's really Browse that's understood at low-level.

      Implementation details:

      • change DBSTransactionState.getReadACL,
      • change the various SQL stored procedures, for PostgreSQL these are nx_get_read_acl and nx_access_allowed,
      • change the regular merged ACL logic,
      • change the various higher-level permission checks at the AbstractSession level to be consistent with this.

        Attachments

          Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. NXP-30801 Fix NPE in ReadVersion permission replacement

          • Major - Major loss of function.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. NXP-27720 NXQL queries should not return versions to a user that does not have ReadVersion permission

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          is required by

          Bug - A problem which impairs or prevents the functions of the product. WEBUI-53 Can't see versions info and browse to an older version

          • Major - Major loss of function.
          • Resolved
          Is referenced in

          [Captain Hook] PR for 10.10: #4299 PR for 10.10: #4299

          [Captain Hook] PR for master: #4597 PR for master: #4597

          [Captain Hook] PR for master: #4752 PR for master: #4752

          [Captain Hook] PR for master: #4769 PR for master: #4769

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 2 weeks
                  2w