Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-28758

Allow ACLs on versions

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.10
    • Fix Version/s: 10.10-HF32, 11.3, 2021.0
    • Component/s: Core
    • Release Notes Summary:
      A configuration property allows to set permissions on versions.
    • Release Notes Description:
      Hide

      The new configuration property org.nuxeo.version.acl.disabled controls whether ACLs on versions are disabled. The default value in 11.x is false. Setting it to true disables all use of ACLs on versions for permission checks. The value legacy is also possible, to disable for direct access but enable for queries.

        <require>org.nuxeo.ecm.core.versioning.config</require>
        <extension target="org.nuxeo.runtime.ConfigurationService" point="configuration">
          <property name="org.nuxeo.version.acl.disabled">false</property>
        </extension>
      

      In 10.10-HF the behavior is unchanged from before for compatibility: legacy is used.

      Show
      The new configuration property org.nuxeo.version.acl.disabled controls whether ACLs on versions are disabled. The default value in 11.x is false . Setting it to true disables all use of ACLs on versions for permission checks. The value legacy is also possible, to disable for direct access but enable for queries. <require> org.nuxeo.ecm.core.versioning.config </require> <extension target= "org.nuxeo.runtime.ConfigurationService" point= "configuration" > <property name= "org.nuxeo.version.acl.disabled" > false </property> </extension> In 10.10-HF the behavior is unchanged from before for compatibility: legacy is used.
    • Impact type:
      Configuration Change
    • Team:
      FG
    • Sprint:
      nxFG 11.1.13

      Description

      Currently the permissions for a version corresponds to the permissions of its source document, and although it's possible to set ACLs directly on a version, these ACLs aren't used (except when doing a search — which is an inconsistency).

      It's useful for the version ACLs to have an actual role in permission evaluation, so this should be allowed.

      There is room for improvement/change here where:

      • we use a flag to decide that versions's own ACLs are evaluated.
      • we leverage the inheritance mechanism where a version is considered as a child of its live document. Blocking the inheritance lets a version have its own permissions independently of the live document.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 week, 2 hours
                  1w 2h

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.