[NXP-29219] Rework Explorer security model - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: explorer-20.0.0
Component/s: Explorer

Epic Link:
Explorer Improvements
Impact type:

API change, Data Persistence Change
Upgrade notes:
Hide

User change: even when not in site mode, only administrators can now see the live distribution (see also ~~NXP-29050~~)

Data Change:

new "ApidocManagers" should be given Write access to the distributions root

old "DocContributors" group is now useless for API checks (but is still valid if it exists and is assigned permissions)

API change:

org.nuxeo.apidoc.browse.SecurityHelper moved from webengine module to org.nuxeo.apidoc.security package in core module, removed SecurityConstants and moved constants to the new SecurityHelper class

Removed Distribution#canAddDocumentation, deprecated since ~~NXP-28995~~, rely on new SecurityHelper class new methods instead

Renoved SnapshotPersister#Read_Grp and SnapshotPersister#Write_Grp, handled by new SecurityHelper class instead
Show
User change: even when not in site mode, only administrators can now see the live distribution (see also NXP-29050 ) Data Change: new "ApidocManagers" should be given Write access to the distributions root old "DocContributors" group is now useless for API checks (but is still valid if it exists and is assigned permissions) API change: org.nuxeo.apidoc.browse.SecurityHelper moved from webengine module to org.nuxeo.apidoc.security package in core module, removed SecurityConstants and moved constants to the new SecurityHelper class Removed Distribution#canAddDocumentation, deprecated since NXP-28995 , rely on new SecurityHelper class new methods instead Renoved SnapshotPersister#Read_Grp and SnapshotPersister#Write_Grp, handled by new SecurityHelper class instead
Team:
AT
Sprint:
nxAT 11.1.19, nxAT 11.1.20
Story Points:
2

Description

Right now security checks include:

documentation edition with specific "DocContributors" groups (but documentation was removed with ~~NXP-28995~~)
admin page access for admins, documentation editors (prohibited to anonymous users), also covering a lot of "edit-like" permissions
UI checks for upload form presentation on home page

Also, distribution roots (all folders) are created using a system unrestricted session.

It would be better to:

remove mentions of "DocContributors" group and associated API referring to documentation
define a specific group "ApidocManagers", so that non-admin users can also edit/upload distributions
restrict "saving" (snapshotting the current live distribution) to administrators, whether in "site mode" or not
use a system unrestricted session for the distributions root only, and rely on usual Nuxeo security for other documents creation

Attachments

Issue Links

is required by

NXP-28995 Remove documentation management on explorer

Resolved

NXP-29050 Allow proper hiding of runtime distribution from API

Resolved

Is referenced in

PR for master: #4133

Activity

People

Assignee:

Anahide Tchertchian

Reporter:

Anahide Tchertchian

Participants:

Anahide Tchertchian, Jenkins

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

2020-06-05 12:53

Updated:

2020-08-25 08:32

Resolved:

2020-06-22 08:22

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: