Nexus 3 and Content Selectors - nexus

I'm trying to use Sonatype Nexus 3 and content selectors for a Maven 2 repository.
I created a Maven 2 repository called "custom-snapshots" and a content selector with the query
coordinate.groupId =^ "net"
(My original query was more precise, but I'm trying to narrow down the problem. I don't think the problem is the content selector though as when I click preview and run it against custom-snapshots, I do get matches.)
Then I created a privilege called "sea-lion-snapshot-priv" with content selector "sea-lion-selector", repository "custom-snapshots" and actions "read,edit,browse".
Next I created a role called "sea-lion-role" with "sea-lion-snapshot-priv". Finally, I created a user "sam" with roles "sea-lion-role" and "nx-anonymous". I did not change any of the permissions on nx-anonymous.
When testing:
If I browse the custom-snapshots repo without being logged in, I see all the artifacts.
If I browse the custom-snapshots repo logged in as Sam, I see all the artifacts.
If I browse the custom-snapshots repo logged in as another user, I see all the artifacts.
I was expecting to see the artifacts as Sam, but not anonymous/the other user.
Any ideas on what I could have set up wrong or techniques to troubleshoot it?

#rseddon's comment was the missing step. In the spirit of documentation, here are the exact settings I used when it was working:
Create a new role "limited-anon" with "nx-repository-view-maven2--*-read" and "nx-search-read"
Under users, go to "Anonymous". Remove the built in role and add "limited-anon"
Create a content selector with search expression coordinate.groupId =^ "my.package.name"
Create a privilege of type "Repository Content Selector" going against this content selector, the snapshot repository and actions "read,edit,browse"
Create a similar privilege for the releases repo
Create a new role with both of these privileges
Assign both that new role and "limited-anon" to Sam (the user who can see the artifacts)
Assign just "limited-anon" to the other test user
This configuration works for:
anonymous user - can not see this artifact
Sam - can see this artifact
other user - cannot see this artifact
With this setup, it looks like items in the repository without content selectors cannot be seen unless you are an admin. Which is fine for my use case.
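
Added example, not part of the original posts: a small Python model of why the first setup showed every artifact to every user while the second did not. It assumes Nexus 3 grants the union of the privileges from all of a user's roles and that the default nx-anonymous role carries the wildcard nx-repository-view-*-*-browse and -read privileges; the role data is constructed, and "sea-lion-role" stands in for the unnamed role in the answer.

```python
# Model of Nexus 3 role resolution (assumption: privileges from all roles are unioned).
PREFIX = "nx-repository-view-"

# Constructed role data. The nx-anonymous contents are an assumption about a default
# install; the limited-anon privilege names are copied as written on the page.
ROLES = {
    "nx-anonymous": {"privileges": ["nx-repository-view-*-*-browse",
                                    "nx-repository-view-*-*-read",
                                    "nx-search-read"], "roles": []},
    "limited-anon": {"privileges": ["nx-repository-view-maven2--*-read",
                                    "nx-search-read"], "roles": []},
    # Holds only the content-selector privilege from the question.
    "sea-lion-role": {"privileges": ["sea-lion-snapshot-priv"], "roles": []},
}
BEFORE = {"anonymous": ["nx-anonymous"], "sam": ["sea-lion-role", "nx-anonymous"]}
AFTER = {"anonymous": ["limited-anon"], "sam": ["sea-lion-role", "limited-anon"]}


def parse_view_privilege(name):
    """Split a built-in view privilege name into (format, repo, action), else None."""
    if not name.startswith(PREFIX):
        return None
    fmt, _, rest = name[len(PREFIX):].partition("-")
    repo, _, action = rest.rpartition("-")  # repository names may contain hyphens
    return (fmt, repo, action) if fmt and repo and action else None


def effective_privileges(role_ids, roles=ROLES):
    """Union of privileges over the given roles and any roles nested inside them."""
    seen, privs, stack = set(), set(), list(role_ids)
    while stack:
        rid = stack.pop()
        if rid in seen or rid not in roles:
            continue
        seen.add(rid)
        privs.update(roles[rid]["privileges"])
        stack.extend(roles[rid]["roles"])
    return privs


def unrestricted_grants(role_ids, fmt, repo, action, roles=ROLES):
    """View privileges granting `action` on all of `repo`, regardless of any selector."""
    wanted = (fmt, repo, action)
    return [p for p in sorted(effective_privileges(role_ids, roles))
            if (parsed := parse_view_privilege(p))
            and all(have in ("*", want) for have, want in zip(parsed, wanted))]


if __name__ == "__main__":
    for label, users in (("before", BEFORE), ("after", AFTER)):
        for user, role_ids in users.items():
            hits = unrestricted_grants(role_ids, "maven2", "custom-snapshots", "browse")
            print(f"{label:6} {user:9} selector bypassed by: {hits or 'nothing'}")
```

Only the browse action is checked here, which is what the repository browsing test in the question exercises.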

Related

Disable directory listing in artifactory

I need to Disable directory listing in .
Any suggestions?
I tried to search for a result in Google but didn't find any.
I only found a way to block the connection to the URL, but this isn't what I need.
If you are looking to disable the directory listing for particular users, then you can achieve this by providing the repository path exclude pattern at the permission target end.
In the below example, I have enabled anonymous user access only to specific packages, Please refer below steps for the same:
I have created a PyPI local repository, deployed python packages into it as shown in the below screenshot:
screenshot
After this, created a permissions target to restrict access to a specific folder called st-fraud-infra to the anonymous user. Hence added st-fraud-infra/** as an exclude pattern, kindly refer to the below screenshot for the same:
screenshot
Add anonymous users from the Users tab and provided appropriate permissions based on your requirement.
screenshot
Once you saved the permission target while accessing the Artifactory through the anonymous user, I could not see the excluded folder which is st-fraud-infra.
screenshot

Restrict Artifact Upload to a single repository

I am using Nexus OSS 2.13.0-01. I want to restrict Artifact Upload for a single user to a single repository (All other users should not be able to upload Artifacts to any of the repositories).
I followed the documentation to create custom repository target, custom privileges and custom roles. However, I see that 'Artifact Upload' is a Privilege of the type 'Application'. If I understand it right, I can not make 'Artifact Upload' applicable to a single Nexus repository but on the entire Nexus Application.
Hence, I am getting 'Artifact Upload' tab for every repository in Nexus and not a single repository.
How do I achieve it?
Cheers,
Anantha
The "artifact upload" privilege controls whether or not the upload UI tab is visible. It does not grant privileges to actually upload anything, for that the user needs create or update privileges in the repository.
It is not practical to make the upload UI appear and disappear based on whether a user has write privileges. Checking to see if user has upload permissions is actually quite complex when you consider how nexus repository permissions work. They consist of...
Repository Targets:
A regular expression describing patterns of artifacts that can be uploaded (e.g., "/com/foo/somecompany/someproject/.*")
A repository type which is allowed (e.g., "maven2", or "any content")
Repository Target Privileges:
A repository target
A repository where the target applies, or "all repositories"
Further complicating matters is that repository privileges are transitive. Privileges applied to group repositories also apply to the group's member repositories. So a privilege granted for a group repository is also granted for the group's members.
So in the general case we can't tell if a user has permission to upload something until they actually try to upload it.

Plone5 view permission depending on permission of folder

I'm trying to deploy an "intranet" folder hierarchy with a simple workflow, that:
shut off anonymous users from that hierarchy, even sub-levels
let users of a certain group enter that hierarchy only, even sub-levels
have private objects invisible by default
upon publishing make them visible to all users of the group
private folders should deny other users (except admins) to enter that folder and access any object below
This scenario is discussed here: http://blog.keul.it/2011/10/plone-security-and-workflows-learn-how.html?m=1
It's more or less the same here: Plone Intranet workflow and group permissions
The answer of the question of above is:
1. Leave the page or folder in the private workflow state, NOT published internally. (I think this is the step you were missing.)
2. On the Sharing tab for the page or folder, grant 'Can view' to the group you want to share with, just like you already tried. You don't have to change the "inherit permissions from higher levels" checkbox.
However, if I grant 'can view' only, the user may not enter the folder, but if I grant 'can add', too, the user may enter. However, this makes all objects below visible to all users of that group.
Example:
user is member of group1
folder in private state
-> share with group1 'can view'
user may not enter folder;
-> share with group1 'can add'
user may enter and sees all objects, even private ones
This is Plone 5.0.6, should this setup work?
Here is a reminder in general, though it might not answer the question per se.
1) Make sure you configure the 'real' target on its Sharing tab. For example, a folder with a default view might mislead the target.
2) Likewise, items with index_html IDs in a folder will become the default view, which might mislead the target.
3) Can View in the Sharing tab means Reader role in the workflow settings. Check permission settings in Workflow State.
The following are my example settings, which hopefully give hints.

Plone 4 Deletion Permission (security tab under ZMI)

I have the Intranet / Extranet workflow enabled on a Plone 4.2 site, I have removed most of the members permissions (so they can only view).
I created an account and started to add some content but even though I have the "Owner" role permission "Delete portal content" enabled (under mysite.com/manage_access) however my test user is unable to delete anything, which is great... However they cannot delete anything they have created either (I need them to be able to delete content they create).
I have searched on Google but am getting results related more to accomplishing bulk user actions using python scripts.
Basically what I want is that if you created the content, you are able to delete it, if you did not create it you cannot delete it.
Currently I have the second part setup and that's working, but for some reason it seems to be ignoring the "Owner" role, even on content I have created.
I can't find any other permission that I could tick that would indicate ability to delete content you own, can anyone lend any insights? Thanks.
EDIT:
To expand on the problem, it seems if I create a folder and then create content under it, that content is not deletable, but if I then create a folder, and content within the folder I created, although the folder is not deletable the content within it is.
This was resolved by installing collective.deletepermission and adding the necessary "Delete Objects" permission to the "Owner" role in the ZMI under manage_access

Plone 'member folders' option doesn't work

I've enabled 'member folders' in the Plone administration panel. Then I've created a context menu link in the ZMI (with url: string:${portal/portal_membership/getHomeUrl}) to make these folders easily available.
I've noticed, that .getHomeUrl() always returns None, and link looks like: 127.0.0.1:80/web/None.
Do you have any idea what's wrong?
First of all, you normally enable that option in the Security tab of your Plone control panel:
If you set the option there, it'll also add a 'My Folder' action automatically that uses the .getHomeUrl() method.
.getHomeUrl() only returns a URL if the folder already exists. In your case it appears the folder is not yet created for the current member. The folder is first created when a member logs in but does not have their own folder yet. Logging out then in again should remedy this.
If you accidentally removed the Members folder from your Plone setup, you'll need to recreate it. Per-user folder creation would otherwise fail. If it is missing, simply create a new folder with the id Members in the root of your site.
