Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-28370

Make version Read permission depend on live doc ReadVersion

    XMLWordPrintable

    Details

    • Tags:
    • Backlog priority:
      800
    • Sprint:
      nxFG 11.1.12

      Description

      Improve the behavior of the ReadVersion permission by defining its semantics more cleanly in terms of inheritance from its live doc:

      • a version "inherits" most of its permissions from its live document (and transitively from the ancestors of the live doc),
      • a version does not inherit the Read permission,
      • but if a live doc has the ReadVersion permission then the version has the Read permission.

      This means that Read on a live doc is not sufficient to access the versions, the ReadVersion permission must be present too.

      This should be activated based on a feature flag to keep the old behavior if needed.

      Note, in all of the above when we say Read it's really Browse that's understood at low-level.

      Implementation details:

      • change DBSTransactionState.getReadACL,
      • change the various SQL stored procedures, for PostgreSQL these are nx_get_read_acl and nx_access_allowed,
      • change the regular merged ACL logic,
      • change the various higher-level permission checks at the AbstractSession level to be consistent with this.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                fguillaume Florent Guillaume
                Reporter:
                fguillaume Florent Guillaume
                Participants:
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:

                  PagerDuty

                  Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.