  1. Nuxeo Platform
  2. NXP-29219

Rework Explorer security model


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: explorer-20.0.0
    • Component/s: Explorer
    • Impact type:
      API change, Data Persistence Change
    • Upgrade notes:

      User change: even when not in site mode, only administrators can now see the live distribution (see also NXP-29050)

      Data Change:

      • the new "ApidocManagers" group should be given Write access to the distributions root
      • old "DocContributors" group is now useless for API checks (but is still valid if it exists and is assigned permissions)

      API change:

      • org.nuxeo.apidoc.browse.SecurityHelper moved from the webengine module to the org.nuxeo.apidoc.security package in the core module; SecurityConstants was removed and its constants moved to the new SecurityHelper class
      • Removed Distribution#canAddDocumentation, deprecated since NXP-28995; rely on the new methods of the new SecurityHelper class instead
      • Removed SnapshotPersister#Read_Grp and SnapshotPersister#Write_Grp, now handled by the new SecurityHelper class instead
    • Team:
      AT
    • Sprint:
      nxAT 11.1.19, nxAT 11.1.20
    • Story Points:
      2

      Description

      Right now security checks include:

      • documentation editing with specific "DocContributors" groups (but documentation was removed with NXP-28995)
      • admin page access for admins, documentation editors (prohibited to anonymous users), also covering a lot of "edit-like" permissions
      • UI checks for upload form presentation on home page

      Also, distribution roots (all folders) are created using a system unrestricted session.

      It would be better to:

      • remove mentions of "DocContributors" group and associated API referring to documentation
      • define a specific group "ApidocManagers", so that non-admin users can also edit/upload distributions
      • restrict "saving" (snapshotting the current live distribution) to administrators, whether in "site mode" or not
      • use a system unrestricted session for the distributions root only, and rely on usual Nuxeo security for the creation of other documents

      Time Tracking

      • Estimated: Not Specified
      • Remaining: 0m
      • Logged: 5h