Edit/remove permissions from out-of-the-box actions

Active Member

Edit/remove permissions from out-of-the-box actions

Hi all!

I'm trying to add new user roles and one of the roles should be able to move other users' files but not delete them. My new user role includes permission groups "Collaborator" and "AddChildren":

<permissionGroup name='MySiteRole' allowFullControl='false' expose='true'>
    <includePermissionGroup permissionGroup='Collaborator' type='cm:cmobject' />
    <includePermissionGroup permissionGroup='AddChildren' type='sys:base' />
</permissionGroup>

The code segment above is from "customSitePermissionDefinitions.xml" which I register via beans in "bootstrap-context.xml". All of my new roles are visible in the "share" and they can be assigned to users for sites without any problems.

As far as I know, I need to use share-config-custom.xml in order to make changes to the actions. Per default, the "move" action depends on the "delete" action as you can see here.  I want to edit/remove the "permissions" part from the "move" action. This is the code I added to share-config-custom.xml to change that:

<config evaluator="string-compare" condition="DocLibActions">
    <actions>
      <action id="document-move-to" type="javascript" label="actions.document.move-to">
        <param name="function">onActionMoveTo</param>
        <permissions>
          <permission allow="true">AddChildren</permission>
        </permissions>
        <evaluator>evaluator.doclib.action.editableByCurrentUser</evaluator>
      </action>
    </actions>
  </config>

In this case, I want to make the "move" action dependent on "AddChildren", however, I still can't move the files of other users with my new user role. Am I missing something or do I need another approach to achieve my goal?

Thanks in advance.

Onur

13 Replies
Moderator

Re: Edit/remove permissions from out-of-the-box actions

At its core, a move operation is a combination of delete and create operations, hence move needs the 'Delete' permission. You can remove it.

The simplest approach would be to develop your custom role, e.g. CustomCollaborator, by extending the permissions of Collaborator, which has at least Write permissions.

Update the share config to use: <permission allow="true">Write</permission>, so that the action becomes available to the custom role even if the user doesn't have delete permission.

<action id="document-move-to" type="javascript" label="actions.document.move-to">
	<param name="function">onActionMoveTo</param>
	<permissions>
		<permission allow="true">Write</permission>
	</permissions>
	<evaluator>evaluator.doclib.action.editableByCurrentUser</evaluator>
</action>

Write a custom rootscoped object (basically a service available as a root-scoped object so that it can be used in the move-to.post.json.js webscript) that will have the logic to execute the move operation as the system user.

 

AuthenticationUtil.setRunAsUserSystem();
try {
	FileInfo fileInfo = null;
	if (null == sourceParentNodeRef) {
		fileInfo = fileFolderService.move(sourceNodeRef, targetParentNodeRef, null);

	} else {
		fileInfo = fileFolderService.moveFrom(sourceNodeRef, sourceParentNodeRef, targetParentNodeRef, null);
	}

	....
	.....
	........
} catch (Exception excp) {
	throw new ScriptException("Can't move selected node", excp);
} 

And extend 'org\alfresco\slingshot\documentlibrary\action\move-to.post.json.js' repository webscript where you need to add your custom logic to check the role and if role matches your custom role use custom rootscoped object to call the move.

 

if(null != role && (role == "CustomSiteCollaborator" || role == "CustomCollaborator")) {
	var parentNodeRef = null;
	if (parent != null) {
		parentNodeRef = parent.nodeRef;
	}
	// Move the node via custom move rootscoped object
	result.success = customMove.move(fileNode.nodeRef, parentNodeRef, destNode.nodeRef);
} else {
	// Move the node via OOTB move to service
	result.success = fileNode.move(parent, destNode);
}

 

 

~Abhinav
(ACSCE, AWS SAA-C02, GAIQ)
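
An added example, not part of the original posts and not Alfresco's own code: a root-scoped helper that bounds the system-user elevation described above. It re-checks the caller's site role and permissions on the server before elevating, and uses AuthenticationUtil.runAsSystem so the system identity is dropped as soon as the move finishes. The class name, package and the policy checks are assumptions; the role name is the one used in the post, and the three services are assumed to be injected as bean properties.

```java
package my.pkg.repo; // hypothetical package name

import org.alfresco.repo.processor.BaseProcessorExtension;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.service.cmr.model.FileFolderService;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.cmr.site.SiteInfo;
import org.alfresco.service.cmr.site.SiteService;

/** Hypothetical root-scoped object; register it with parent="baseJavaScriptExtension". */
public class ScopedMoveExtension extends BaseProcessorExtension {

    // Role name taken from the post; the rest of the policy is illustrative.
    private static final String ALLOWED_ROLE = "CustomSiteCollaborator";

    private FileFolderService fileFolderService;
    private PermissionService permissionService;
    private SiteService siteService;

    /** Returns true only if the caller passed every check and the move completed. */
    public boolean move(final NodeRef source, final NodeRef sourceParent, final NodeRef target) {
        // Everything before runAsSystem() executes as the real caller, so the
        // role and permission checks below reflect that user's actual rights.
        final String caller = AuthenticationUtil.getFullyAuthenticatedUser();

        // Any script can reach a root-scoped object, so the role is checked
        // here again instead of trusting the check in the calling web script.
        final SiteInfo site = siteService.getSite(source);
        if (site == null
                || !ALLOWED_ROLE.equals(siteService.getMembersRole(site.getShortName(), caller))) {
            return false;
        }

        // The caller must be able to edit the source and create children in the
        // target. Only the missing Delete right is supplied by the elevation.
        if (permissionService.hasPermission(source, PermissionService.WRITE) != AccessStatus.ALLOWED
                || permissionService.hasPermission(target, PermissionService.ADD_CHILDREN)
                        != AccessStatus.ALLOWED) {
            return false;
        }

        // runAsSystem() restores the previous identity when doWork() returns or
        // throws. A bare setRunAsUserSystem() leaves the thread running as
        // system until something resets it.
        return AuthenticationUtil.runAsSystem(new RunAsWork<Boolean>() {
            @Override
            public Boolean doWork() throws Exception {
                if (sourceParent == null) {
                    fileFolderService.move(source, target, null);
                } else {
                    fileFolderService.moveFrom(source, sourceParent, target, null);
                }
                return Boolean.TRUE;
            }
        });
    }

    public void setFileFolderService(FileFolderService fileFolderService) {
        this.fileFolderService = fileFolderService;
    }

    public void setPermissionService(PermissionService permissionService) {
        this.permissionService = permissionService;
    }

    public void setSiteService(SiteService siteService) {
        this.siteService = siteService;
    }
}
```

Because the method returns a boolean, the web script can assign it to result.success directly; exceptions from the move propagate to the web script's own catch block.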
Active Member

Re: Edit/remove permissions from out-of-the-box actions

Thanks a lot for the explanation! I have two additional questions:

1. The path "org\alfresco\slingshot\documentlibrary\action" does not exist in my project because it is created with the command

mvn archetype:generate -Dfilter=org.alfresco:

by choosing the "alfresco-allinone-archetype". It has a share and a repo tier where I need to find or create the correct path locations for the files you mentioned. I'm assuming the correct location for "move-to.post.json.js" is in the share tier "src/main/resources/alfresco/web-extension/site-webscripts/org/alfresco/slingshot/documentlibrary/action". Is this correct?

2. The second question is about the custom rootscoped object and its location. I'm not sure about where to put the Java class in my project. I'm assuming it's going to be in the share tier again. Would "src/main/java" be a correct guess? And is this how it should look?

import org.alfresco.scripts.ScriptException;
import org.alfresco.service.cmr.model.FileInfo;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.model.FileFolderService;
import org.alfresco.repo.security.authentication.AuthenticationUtil;

public class CustomMoveObject {
    private FileFolderService fileFolderService;
    private AuthenticationUtil authUtil;

    public void move(NodeRef sourceNodeRef, NodeRef sourceParentNodeRef, NodeRef targetParentNodeRef) {
        authUtil.setRunAsUserSystem();
        FileInfo fileInfo = null;
        try {
            if (null == sourceParentNodeRef) {
                fileInfo = fileFolderService.move(sourceNodeRef, targetParentNodeRef, null);

            } else {
                fileInfo = fileFolderService.moveFrom(sourceNodeRef, sourceParentNodeRef, targetParentNodeRef, null);
            }
        } catch (Exception e) {
            throw new ScriptException("Can't move selected node", e);
        }
    }

    public void setFileFolderService(FileFolderService fileFolderService) {
        this.fileFolderService = fileFolderService;
    }

    public void setAuthUtil(AuthenticationUtil authUtil) {
        this.authUtil = authUtil;
    }
}

I used your code-segment and this as a reference. Is my rootscoped object class supposed to inherit another base class? If yes which one?

Thanks in advance.

Onur

 

Active Member

Re: Edit/remove permissions from out-of-the-box actions

Thanks for the explanation. The project I have is generated with 

mvn archetype:generate -Dfilter=org.alfresco:

 by choosing 

org.alfresco.maven.archetype:alfresco-allinone-archetype

so I don't really have the exact paths you mentioned. I have a platform(repo) and a share tier in the project. I put my CustomMoveObject.java class under the platform tier:

src/main/java/my.package.repo/

Then I registered the bean for it in service-context.xml as described here  which is located under the platform tier again:

src/main/resources/alfresco/module/my-platform/context/

And here is the bean:

<bean id="my.package.CustomMoveObject"
class="my.package.repo.CustomMoveObject"
parent="baseJavaScriptExtension">
<property name="customMove" value="custom" />
</bean>

I have the move-to.post.json.js script under share tier:

src/main/resources/alfresco/web-extension/site-webscripts/org/alfresco/slingshot/documentlibrary/action/

However, after building I'm getting the following errors:

my-platform-platform-ass_1       | 2020-10-13 10:01:50.013 ERROR (org.alfresco.solr.AlfrescoCoreAdminHandler@29a5f4e7_Worker-6) [   ] o.a.s.t.AbstractTracker Tracking failed for AclTracker - alfresco
my-platform-platform-ass_1       | org.alfresco.error.AlfrescoRuntimeException: 09130026 api/solr/aclchangesets return status:404
my-platform-platform-ass_1       |         at org.alfresco.solr.client.SOLRAPIClient.getAclChangeSets(SOLRAPIClient.java:169)
my-platform-platform-ass_1       |         at org.alfresco.solr.tracker.AclTracker.checkRepoAndIndexConsistency(AclTracker.java:338)
my-platform-platform-ass_1       |         at org.alfresco.solr.tracker.AclTracker.trackRepository(AclTracker.java:303)
my-platform-platform-ass_1       |         at org.alfresco.solr.tracker.AclTracker.doTrack(AclTracker.java:95)
my-platform-platform-ass_1       |         at org.alfresco.solr.tracker.AbstractTracker.track(AbstractTracker.java:215)
my-platform-platform-ass_1       |         at org.alfresco.solr.tracker.TrackerJob.execute(TrackerJob.java:47)
my-platform-platform-ass_1       |         at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
my-platform-platform-ass_1       |         at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
my-platform-platform-ass_1       | 2020-10-13 10:01:50.025 ERROR (org.alfresco.solr.AlfrescoCoreAdminHandler@29a5f4e7_Worker-21) [   ] o.a.s.t.AbstractTracker Tracking failed for ModelTracker - alfresco
my-platform-platform-ass_1       | org.alfresco.error.AlfrescoRuntimeException: 09130027 alfresco GetModelsDiff return status is 404
my-platform-platform-ass_1       |         at org.alfresco.solr.client.SOLRAPIClient.getModelsDiff(SOLRAPIClient.java:1181)
my-platform-platform-ass_1       |         at org.alfresco.solr.tracker.ModelTracker.trackModelsImpl(ModelTracker.java:291)
my-platform-platform-ass_1       |         at org.alfresco.solr.tracker.ModelTracker.trackModels(ModelTracker.java:249)
my-platform-platform-ass_1       |         at org.alfresco.solr.tracker.ModelTracker.doTrack(ModelTracker.java:209)
my-platform-platform-ass_1       |         at org.alfresco.solr.tracker.AbstractTracker.track(AbstractTracker.java:215)
my-platform-platform-ass_1       |         at org.alfresco.solr.tracker.TrackerJob.execute(TrackerJob.java:47)
my-platform-platform-ass_1       |         at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
my-platform-platform-ass_1       |         at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)

Am I forgetting something or is there a problem with the paths I put my files in? I'd really appreciate your input.

Onur

Active Member

Re: Edit/remove permissions from out-of-the-box actions

Update:

I realized that my bean registration was wrong. So here is the corrected version:

<bean id="my.package.repo.CustomMoveObject"
      class="my.package.repo.CustomMoveObject"
      parent="baseJavaScriptExtension">
    <property name="extensionName" value="customMove" />
</bean>

Right now I'm not getting errors in the console; however, I still can't move the files of other users.

Here is my role definition in customSitePermissionDefinitions.xml:

<permissionGroup name='CustomSiteCollaborator' allowFullControl='false' expose='true'>
    <includePermissionGroup permissionGroup='Collaborator' type='cm:cmobject' />
    <includePermissionGroup permissionGroup='Write' type='sys:base' />
</permissionGroup>

which I register in bootstrap-context.xml like this:

<bean id="customSitePermissionDefinitions" parent="permissionModelBootstrap">
     <property name="model" value="alfresco/module/my-platform/model/customSitePermissionDefinitions.xml"/>
</bean>

Updating share-config-custom.xml like this:

<action id="document-move-to" type="javascript" label="actions.document.move-to" icon="document-move-to">
    <param name="function">onActionMoveTo</param>
    <permissions>
        <permission allow="true">Write</permission>
    </permissions>
    <evaluator>evaluator.doclib.action.editableByCurrentUser</evaluator>
</action>

 CustomMoveObject.java:

import org.alfresco.repo.processor.BaseProcessorExtension;
import org.alfresco.scripts.ScriptException;
import org.alfresco.service.cmr.model.FileInfo;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.model.FileFolderService;
import org.alfresco.repo.security.authentication.AuthenticationUtil;

public class CustomMoveObject extends BaseProcessorExtension {
    private FileFolderService fileFolderService;
    private FileInfo fileInfo;

    public void move(NodeRef sourceNodeRef, NodeRef sourceParentNodeRef, NodeRef targetParentNodeRef) {
        AuthenticationUtil.setRunAsUserSystem();
        fileInfo = null;
        try {
            if (null == sourceParentNodeRef) {
                fileInfo = fileFolderService.move(sourceNodeRef, targetParentNodeRef, null);
            } else {
                fileInfo = fileFolderService.moveFrom(sourceNodeRef, sourceParentNodeRef, targetParentNodeRef, null);
            }
        } catch (Exception e) {
            throw new ScriptException("Can't move selected node", e);
        }
    }

    public void setFileFolderService(FileFolderService fileFolderService) {
        this.fileFolderService = fileFolderService;
    }

    public void setFileInfo(FileInfo fileInfo) {
        this.fileInfo = fileInfo;
    }

}

move-to.post.json.js:

if(role != null && role === "CustomSiteCollaborator") {
    var parentNodeRef = null;
    if (parent != null) {
        parentNodeRef = parent.nodeRef;
    }
    // Move the node via custom move rootscoped object
    result.success = CustomMoveObject.move(fileNode.nodeRef, parentNodeRef, destNode.nodeRef);
} else {
    // Move the node via OOTB move to service
    result.success = fileNode.move(parent, destNode);
}

 

The way I test this:

  1. Login as admin
  2. Create a new site and add a user to this new site with the role CustomSiteCollaborator.
  3. As admin, create a folder and upload a file outside of this folder.
  4. Log out and log in as the user with CustomSiteCollaborator role.
  5. Try to move the uploaded file into the folder.
  6. The attempt fails with "The move could not be completed" message.
Moderator

Re: Edit/remove permissions from out-of-the-box actions


I have the move-to.post.json.js script under share tier:

src/main/resources/alfresco/web-extension/site-webscripts/org/alfresco/slingshot/documentlibrary/action/


The 'move-to.post.json.js' is a repository webscript.

you need to place it here:

<yourPlatformModule>\src\main\resources\alfresco\extension\templates\webscripts\org\alfresco\slingshot\documentlibrary\action

The error you are seeing is related to the repository; check if Alfresco started correctly. Always check the log from beginning to end. The actual error may be at the beginning.

~Abhinav
(ACSCE, AWS SAA-C02, GAIQ)
Active Member

Re: Edit/remove permissions from out-of-the-box actions

Thanks! After moving 'move-to.post.json.js' script from share tier to platform tier, variables such as role and result became unresolved. Should I import them from somewhere or is there another way I have to follow in order to make them work? Currently I'm getting

ReferenceError: "role" is not defined.

when I check the logs.

 

As far as I understand I don't need to create additional .ftl or .xml files for this script because I'm just extending it, right? I also checked the original 'Web Script: org/alfresco/slingshot/documentlibrary/action/move-to.post' and the webscript is defined as below:

<webscript>
  <shortname>move-to</shortname>
  <description>Document List Action - Move multiple files</description>
  <url>/slingshot/doclib/action/move-to/site/{site}/{container}/{path}</url>
  <url>/slingshot/doclib/action/move-to/site/{site}/{container}</url>
  <url>/slingshot/doclib/action/move-to/node/{store_type}/{store_id}/{id}/{path}</url>
  <url>/slingshot/doclib/action/move-to/node/{store_type}/{store_id}/{id}</url>
  <url>/slingshot/doclib/action/move-to/node/{store_type}/{store_id}</url>
  <format default="json">argument</format>
  <authentication>user</authentication>
  <transaction>required</transaction>
  <lifecycle>internal</lifecycle>
</webscript>

I'm assuming I don't need to make any changes to this? I'd appreciate it if you at least lead me to any documentation about how to handle extending OOTB platform-tier webscripts.

Onur

 

Moderator

Re: Edit/remove permissions from out-of-the-box actions


@onurg wrote:

Thanks! After moving 'move-to.post.json.js' script from share tier to platform tier, variables such as role and result became unresolved. Should I import them from somewhere or is there another way I have to follow in order to make them work? Currently I'm getting

ReferenceError: "role" is not defined.

You might be using partial code; the code I shared was pseudocode for you to use as a reference. To extend any repository-layer webscript, just create the same folder structure in your custom module as given above, copy the OOTB js file and add your custom logic in it. No need for a desc.xml file, just the js file.

Location:

<yourPlatformModule>\src\main\resources\alfresco\extension\templates\webscripts\org\alfresco\slingshot\documentlibrary\action\move-to.post.json.js

You can see the files by accessing the URLs as given below:

<host:port>/alfresco/s/description/org/alfresco/slingshot/documentlibrary/action/move-to.post

<host:port>/alfresco/s/script/org/alfresco/slingshot/documentlibrary/action/move-to.post

This is the webscript definition:

<webscript>
<shortname>move-to</shortname>
<description>Document List Action - Move multiple files</description>
<url>/slingshot/doclib/action/move-to/site/{site}/{container}/{path}</url>
<url>/slingshot/doclib/action/move-to/site/{site}/{container}</url>
<url>/slingshot/doclib/action/move-to/node/{store_type}/{store_id}/{id}/{path}</url>
<url>/slingshot/doclib/action/move-to/node/{store_type}/{store_id}/{id}</url>
<url>/slingshot/doclib/action/move-to/node/{store_type}/{store_id}</url>
<format default="json">argument</format>
<authentication>user</authentication>
<transaction>required</transaction>
<lifecycle>internal</lifecycle>
</webscript>

move-to.post.json.js

<import resource = "classpath:/alfresco/templates/webscripts/org/alfresco/slingshot/documentlibrary/action/action.lib.js" >

/**
 * Move multiple files action
 * @method POST
 */

/**
 * Entrypoint required by action.lib.js
 *
 * @method runAction
 * @param p_params {object} Object literal containing files array
 * @return {object|null} object representation of action results
 */
function runAction(p_params) {
    var results = [],
    destNode = p_params.destNode,
    files = p_params.files,
    parent = null,
    file,
    fileNode,
    result,
    nodeRef,
    fromSite;

    // Must have array of files
    if (!files || files.length == 0) {
        status.setCode(status.STATUS_BAD_REQUEST, "No files.");
        return;
    }

    for (file in files) {
        nodeRef = files[file];
        result = {
            nodeRef: nodeRef,
            action: "moveFile",
            success: false
        }

        try {
            fileNode = search.findNode(nodeRef);
            if (fileNode == null) {
                result.id = file;
                result.nodeRef = nodeRef;
                result.success = false;
            } else {
                if (p_params.parent && p_params.parent != null) {
                    parent = search.findNode(p_params.parent);
                }
                result.id = fileNode.name;
                result.type = fileNode.isContainer ? "folder" : "document";

                // Retain the name of the site the node is currently in. Null if it's not in a site.
                fromSite = fileNode.siteShortName;
                //YOUR LOGIC GOES HERE
                // move the node
                result.success = fileNode.move(parent, destNode);

                if (result.success) {
                    // If this was an inter-site move, we'll need to clean up the permissions on the node
                    if ((fromSite) && (String(fromSite) !== String(fileNode.siteShortName))) {
                        siteService.cleanSitePermissions(fileNode);
                    }
                }
            }
        } catch (e) {
            result.id = file;
            result.nodeRef = nodeRef;
            result.success = false;

            //MNT-7514 Uninformational error message on move when file name conflicts
            result.fileExist = false;

            error = e.toString();
            if (error.indexOf("FileExistsException") != -1) {
                result.fileExist = true;
            }
        }

        results.push(result);
    }

    return results;
}

/* Bootstrap action script */
main();

Using siteService get the site and then to get the role use site.getMembersRole(person.properties.userName)

Once you have role, you can execute your custom logic.

Something like:

var site = siteService.getSite(fromSite);
var role = site.getMembersRole(person.properties.userName)
if(null != role && (role == "CustomSiteCollaborator" || role == "CustomCollaborator")) {
    var parentNodeRef = null;
    if (parent != null) {
        parentNodeRef = parent.nodeRef;
    }
    // Move the node via custom move rootscoped object
    result.success = customMove.move(fileNode.nodeRef, parentNodeRef, destNode.nodeRef);
} else {
    // Move the node via OOTB move to service
    result.success = fileNode.move(parent, destNode);
}

Make sure you are testing within a site and outside of a site as well, and correct the checks accordingly.

~Abhinav
(ACSCE, AWS SAA-C02, GAIQ)
Active Member

Re: Edit/remove permissions from out-of-the-box actions

Thanks for the clarification!

I actually tried copying the whole script file and adding my logic before, however, because I received the syntax error I thought it wasn't possible. Apparently, my import was not precise enough as described here. Right now I'm not getting any errors in the console when I try to move files with a user of the newly defined role. The moving attempt is however still not successful. It gives me "The move could not be completed" in the share UI when I try to move a file.

Any suggestions regarding where I should look for an error? Since the UI error isn't descriptive enough, I tried to change the log levels by editing "dev-log4j.properties" as described here:

log4j.logger.org.alfresco.repo.jscript.ScriptLogger=DEBUG
log4j.logger.org.alfresco.repo.jscript=DEBUG
log4j.logger.org.alfresco.repo.web.scripts.AlfrescoRhinoScriptDebugger=on

After rebuilding the project without performing any actions, I got the following error output in the console:

my-platform-ass_1       | org.alfresco.error.AlfrescoRuntimeException: 09210001 api/solr/aclchangesets return status:404
my-platform-ass_1       |         at org.alfresco.solr.client.SOLRAPIClient.getAclChangeSets(SOLRAPIClient.java:169)
my-platform-ass_1       |         at org.alfresco.solr.tracker.AclTracker.checkRepoAndIndexConsistency(AclTracker.java:326)
my-platform-ass_1       |         at org.alfresco.solr.tracker.AclTracker.trackRepository(AclTracker.java:303)
my-platform-ass_1       |         at org.alfresco.solr.tracker.AclTracker.doTrack(AclTracker.java:95)
my-platform-ass_1       |         at org.alfresco.solr.tracker.AbstractTracker.track(AbstractTracker.java:215)
my-platform-ass_1       |         at org.alfresco.solr.tracker.TrackerJob.execute(TrackerJob.java:47)
my-platform-ass_1       |         at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
my-platform-ass_1       |         at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
my-platform-ass_1       | 2020-10-21 09:39:30.045 ERROR (org.alfresco.solr.AlfrescoCoreAdminHandler@29a5f4e7_Worker-2) [   ] o.a.s.t.AbstractTracker Tracking failed for AclTracker - alfresco
my-platform-ass_1       | org.alfresco.error.AlfrescoRuntimeException: 09210002 api/solr/aclchangesets return status:404
my-platform-ass_1       |         at org.alfresco.solr.client.SOLRAPIClient.getAclChangeSets(SOLRAPIClient.java:169)
my-platform-ass_1       |         at org.alfresco.solr.tracker.AclTracker.checkRepoAndIndexConsistency(AclTracker.java:326)
my-platform-ass_1       |         at org.alfresco.solr.tracker.AclTracker.trackRepository(AclTracker.java:303)
my-platform-ass_1       |         at org.alfresco.solr.tracker.AclTracker.doTrack(AclTracker.java:95)
my-platform-ass_1       |         at org.alfresco.solr.tracker.AbstractTracker.track(AbstractTracker.java:215)
my-platform-ass_1       |         at org.alfresco.solr.tracker.TrackerJob.execute(TrackerJob.java:47)
my-platform-ass_1       |         at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
my-platform-ass_1       |         at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)

So, right now I don't know where to look for my error and I'm not sure if these errors have something to do with the move-action problem I'm having. I'd really appreciate your further input.

Onur

Advanced

Re: Edit/remove permissions from out-of-the-box actions

This error has nothing to do with your script file; please paste your script here.