- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: explorer-20.0.0
- Component/s: Explorer
- Epic Link:
- Impact type: API change, Data Persistence Change
- Upgrade notes:
- Team: AT
- Sprint: nxAT 11.1.19, nxAT 11.1.20
- Story Points: 2

Right now security checks include:
- documentation editing with specific "DocContributors" groups (but documentation was removed with NXP-28995)
- admin page access for admins, documentation editors (prohibited to anonymous users), also covering a lot of "edit-like" permissions
- UI checks for upload form presentation on home page
Also, distribution roots (all folders) are created using a system unrestricted session.
It would be better to:
- remove mentions of "DocContributors" group and associated API referring to documentation
- define a specific group "ApidocManagers", so that non-admin users can also edit/upload distributions
- restrict "saving" (snapshotting the current live distribution) to administrators, whether in "site mode" or not
- use a system unrestricted session for the distributions root only, and rely on usual Nuxeo security for the creation of other documents