Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-28758

Allow ACLs on versions

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.10
    • Fix Version/s: 10.10-HF32, 11.3, 2021.0
    • Component/s: Core
    • Release Notes Summary:
      A configuration property allows to set permissions on versions.
    • Release Notes Description:
      Hide

      The new configuration property org.nuxeo.version.acl.disabled controls whether ACLs on versions are disabled. The default value in 11.x is false. Setting it to true disables all use of ACLs on versions for permission checks. The value legacy is also possible, to disable for direct access but enable for queries.

        <require>org.nuxeo.ecm.core.versioning.config</require>
  <extension target="org.nuxeo.runtime.ConfigurationService" point="configuration">
    <property name="org.nuxeo.version.acl.disabled">false</property>
  </extension>

      In 10.10-HF the behavior is unchanged from before for compatibility: legacy is used.

      Show
      The new configuration property org.nuxeo.version.acl.disabled controls whether ACLs on versions are disabled. The default value in 11.x is false . Setting it to true disables all use of ACLs on versions for permission checks. The value legacy is also possible, to disable for direct access but enable for queries. <require> org.nuxeo.ecm.core.versioning.config </require> <extension target= "org.nuxeo.runtime.ConfigurationService" point= "configuration" > <property name= "org.nuxeo.version.acl.disabled" > false </property> </extension> In 10.10-HF the behavior is unchanged from before for compatibility: legacy is used.
    • Tags:
    • Impact type:
      Configuration Change
    • Team:
      FG
    • Sprint:
      nxFG 11.1.13

      Description

      Currently the permissions for a version corresponds to the permissions of its source document, and although it's possible to set ACLs directly on a version, these ACLs aren't used (except when doing a search — which is an inconsistency).

      It's useful for the version ACLs to have an actual role in permission evaluation, so this should be allowed.

      There is room for improvement/change here where:

      • we use a flag to decide that versions's own ACLs are evaluated.
      • we leverage the inheritance mechanism where a version is considered as a child of its live document. Blocking the inheritance lets a version have its own permissions independently of the live document.

        Attachments

          Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. NXP-30578 Fix READ ACLS computation on versions after a permission change

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved
          is required by

          Bug - A problem which impairs or prevents the functions of the product. WEBUI-53 Can't see versions info and browse to an older version

          • Major - Major loss of function.
          • Resolved
          Is referenced in

          [Captain Hook] PR for 10.10: #4299 PR for 10.10: #4299

          [Captain Hook] PR for master: #4101 PR for master: #4101

          [Captain Hook] PR for master: #4597 PR for master: #4597

          [Captain Hook] PR for master: #4752 PR for master: #4752

          [Captain Hook] PR for master: #4769 PR for master: #4769

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 week, 2 hours
                  1w 2h