How to make a permission system in symfony like the following? - user-permissions

I wanna build a simple permission system using Symfony 4 that has the following properties:
there are several possible roles for users (SUPER_ADMIN, ADMIN, USER, QUEST)
SUPER_ADMIN users can grant view or edit & delete permissions for a given entity to a certain user no matter what his role is
What is the best solution for this?
Thanks

Please start by reading this documentation to figure out some basics:
SF4 Authorization
SF4 Security
SF4 Voters

Related

How to manage access permission in alfresco

Hello everyone, thanks in advance for your help.
I am trying to configure access permissions in Alfresco and am now stuck in a scenario.
It would be a great help if someone could describe the proper way to achieve this functionality.
Now my problem is:
I want to create a site (which will be accessible by all users),
then create folders and subfolders in that site (I am ready to customize the content type of those folders if required).
Now I want to configure Alfresco in such a way that a specific set of users can access a specific folder and its content.
for example
This is list of user
user1,user2,user3,user4,user5
And this is folder structure
Project
Data
Test
Exam
Design
art
practice
Work
W1
W2
Now, how do I configure it in such a way that
user1 can access Data->Exam
user2 can access Work and all its child folders
user3 can access Data and all its child folders
user4 can access Design and all its child folders and
user5 can access the Data->Work, Design->art, Work->W1 folders
Note that I am using the CMIS API to generate this folder structure,
so is there any way to achieve this by Java code only?
I have read about managing permissions but am not sure about using it, because when I tried to grant permission on a folder it allowed me to add only a single user,
but in my case I want to make a group of users and make the folder accessible to that particular group.
Thank you so much for your time :)
If you want to use a group, you'll need to create the group in Alfresco using either the admin console or the Alfresco API. CMIS cannot manage users or groups.
Once your users and groups are in place, you can use CMIS to assign them to ACLs. However, the challenge is that you may need to disable or "break" ACL inheritance to do exactly what you want. You cannot disable ACL inheritance with the CMIS API. You'll have to do it in the UI or through the Alfresco API.
With your users and groups in place and with your folders configured to inherit or not inherit parent permissions as needed, you can now add users and groups to your folders. With CMIS, you can add as many users or groups as you need to a given folder. It is not limited to a single user or group. This page has some examples on using Access Control Entries (ACEs) which make up Access Control Lists (ACLs).
I think that Jeff Potts' answer is great; I will only add a few things. You can look at this post, which will give you an answer on how to work with ACLs: How to get Acls of a document.
You can also use the allowable actions of any folder (or document). It will look like this:
Action a = Action.CAN_DELETE_OBJECT;
CmisObject object = session.getObjectByPath(idObject); // in case it's a folder
if (object.getAllowableActions().getAllowableActions().contains(a)) {
    return Boolean.TRUE; // you can do it
}
Just remember that you can get the allowable action as a String (in case you want to work with a few of them):
String canCreateFolder = Action.CAN_CREATE_FOLDER.value();
The most important actions that you have to use:
String can_create_folder = Action.CAN_CREATE_FOLDER.value();
String can_create_document = Action.CAN_CREATE_DOCUMENT.value();
String can_update_folder = Action.CAN_UPDATE_PROPERTIES.value();
String can_update_document = Action.CAN_UPDATE_PROPERTIES.value();
String can_delete_folder = Action.CAN_DELETE_OBJECT.value();
String can_delete_document = Action.CAN_DELETE_OBJECT.value();
Hope that helped you.
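Assigning several users and groups to one folder's ACL through CMIS, as the first answer describes, shown as an added example that is not code from either answer. It assumes an already connected OpenCMIS Session, that the group was created in Alfresco beforehand, and that the group is addressed by its authority name with the GROUP_ prefix; the folder path and principal names in the comments are hypothetical. Adding ACEs only grants access: it does not remove access inherited from the parent folder.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.apache.chemistry.opencmis.client.api.CmisObject;
import org.apache.chemistry.opencmis.client.api.Session;
import org.apache.chemistry.opencmis.commons.data.Ace;
import org.apache.chemistry.opencmis.commons.enums.AclPropagation;

public final class FolderAclExample {

    private FolderAclExample() {
    }

    /**
     * Adds one read ACE per principal to the folder at folderPath and returns
     * the ACEs the repository reports for that folder afterwards.
     *
     * Hypothetical call:
     *   grantRead(session, "/Sites/my-site/documentLibrary/Project/Data",
     *             Arrays.asList("GROUP_data_readers", "user3"));
     */
    public static List<Ace> grantRead(Session session, String folderPath,
                                      List<String> principals) {
        CmisObject folder = session.getObjectByPath(folderPath);

        // One ACE per user or group; a folder's ACL can hold as many as needed.
        List<Ace> toAdd = new ArrayList<Ace>();
        for (String principal : principals) {
            // "cmis:read" is the CMIS basic read permission.
            toAdd.add(session.getObjectFactory()
                    .createAce(principal, Collections.singletonList("cmis:read")));
        }

        // Let the repository decide how the new ACEs flow to child objects.
        folder.addAcl(toAdd, AclPropagation.REPOSITORYDETERMINED);

        // Read the ACL back (all permissions, not only the basic ones) so the
        // caller can verify what was applied, including inherited entries.
        return session.getAcl(folder, false).getAces();
    }
}
```

Entries in the returned list that were not in the request come from the parent folder, which is the inheritance that has to be switched off outside CMIS when a folder must be restricted to one group.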

Alfresco - Start Replication Job as User (from Dashlet)

I created a Dashlet in Alfresco Share with an overview of the Replication Jobs. I changed the permissions in the Replication Definition WebScripts from admin to user. As admin I can start the Replication Job from the Dashlet.
Is it possible to adjust the permissions so that a Site Manager or User can start the Replication Job? I still get an "Access Denied Problem".
Where do I have to look?
Thanks!
No, all the Replication Job WebScripts explicitly require admin privileges so it is not possible to do this out-of-the-box.
If you really want to achieve this then your only option would be to override the relevant WebScripts (essentially copy/paste the defaults) and change the *.desc.xml files to change
<authentication>admin</authentication>
to be
<authentication>user</authentication>
However, that would make them available for any user to run. You would need to further edit the WebScripts to make checks that the user is a member of a specific group.
I changed the authentication to
<authentication runas="admin">user</authentication>
That helped for me.
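The group-membership check that the first answer calls for once the descriptor is opened up to `user`, as an added example that is not code from this thread or from Alfresco. It assumes a Java-backed override of the WebScript that calls the guard before starting the job; the class name and the group GROUP_REPLICATION_STARTERS are hypothetical. The check uses the user who actually logged in, so it still distinguishes callers when the descriptor sets runas="admin".

```java
import java.util.Set;

import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.security.AuthorityService;
import org.springframework.extensions.webscripts.Status;
import org.springframework.extensions.webscripts.WebScriptException;

public class ReplicationStarterGuard {

    // Hypothetical group; create it in Alfresco and add the permitted users.
    private static final String ALLOWED_GROUP = "GROUP_REPLICATION_STARTERS";

    private AuthorityService authorityService;

    // Injected from the Spring bean definition of the overriding WebScript.
    public void setAuthorityService(AuthorityService authorityService) {
        this.authorityService = authorityService;
    }

    /**
     * Call at the top of the WebScript's execute method. Throws 401 or 403
     * unless the caller is an administrator or a member of ALLOWED_GROUP.
     */
    public void requireReplicationStarter() {
        // The fully authenticated user is the person who logged in, not the
        // identity the script runs as.
        String caller = AuthenticationUtil.getFullyAuthenticatedUser();
        if (caller == null) {
            throw new WebScriptException(Status.STATUS_UNAUTHORIZED,
                    "Authentication required");
        }
        if (authorityService.isAdminAuthority(caller)) {
            return; // administrators keep the access they had before
        }
        // Includes the groups the user belongs to, directly or via parents.
        Set<String> authorities = authorityService.getAuthoritiesForUser(caller);
        if (!authorities.contains(ALLOWED_GROUP)) {
            throw new WebScriptException(Status.STATUS_FORBIDDEN,
                    "Not allowed to start replication jobs");
        }
    }
}
```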

AEM 6.1 anonymous read access to /etc was removed. How to handle this?

There's a code like this in my project to read some configuration from /etc/my-config-path:
Resource res = resource.getResourceResolver().getResource("/etc/my-config-path");
On AEM 5.6.1 it works correctly since anonymous user has access to entire /etc. On AEM 6.1 res is null since anonymous user has no access to /etc.
I can see two possible solutions:
Give anonymous user read permission to /etc/my-config-path explicitly
Use repository.loginAdministrative(null); to access the resource with admin permissions (but I see some people not recommending this approach on AEM 6.1).
What are your thoughts on this?
In AEM 6.1 access to /etc by default to admin was removed. I posted a solution here that describes how to create a service user.
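Reading the configuration through a service user instead of the anonymous session or `loginAdministrative`, as an added example that is not the code from the linked solution. It assumes a system user with read access to /etc/my-config-path only, mapped to this bundle under the hypothetical subservice name "config-reader" in the Sling Service User Mapper configuration; the class name is also hypothetical.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.resource.ValueMap;

public class ConfigReader {

    // Hypothetical subservice name; it must match the user mapping entry
    // "<bundle symbolic name>:config-reader=<system user>".
    private static final String SUBSERVICE = "config-reader";
    private static final String CONFIG_PATH = "/etc/my-config-path";

    private final ResourceResolverFactory resolverFactory;

    public ConfigReader(ResourceResolverFactory resolverFactory) {
        this.resolverFactory = resolverFactory;
    }

    /**
     * Returns a copy of the configuration properties, or an empty map when
     * the service user cannot read the path or the path does not exist.
     */
    public Map<String, Object> readConfig() throws LoginException {
        Map<String, Object> authInfo = Collections.<String, Object>singletonMap(
                ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        // Throws LoginException when no service user is mapped for the bundle.
        ResourceResolver resolver = resolverFactory.getServiceResourceResolver(authInfo);
        try {
            Resource res = resolver.getResource(CONFIG_PATH);
            ValueMap props = (res == null) ? null : res.adaptTo(ValueMap.class);
            if (props == null) {
                return Collections.<String, Object>emptyMap();
            }
            // Copy the values: the resource is unusable once the resolver closes.
            return new HashMap<String, Object>(props);
        } finally {
            // Service resolvers are opened by this code, so it must close them.
            resolver.close();
        }
    }
}
```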

Protect image directory

I'm looking for some solution which will make my directory with pictures secure.
On my page only the Administrator has permission to upload pictures. A User can only view the pictures for products. I want to make the directory more secure. I want to make it difficult to download all the pictures with some kind of script.
For now I tried with .htaccess and .htpasswd. It works fine, but when a User tries to see the product page (where pictures from the secured folder are shown), .htaccess requires a username and password.
Is it possible to enter the username and password for this directory from the server side when the user is viewing the product page, and, in case he opens a link to the picture in a new window, have the username and password required?
Do you know some other solutions?
Cheers
Don't store the images in your web folder where everyone can access them. Instead, store them outside of the web path (for example in app/data or so) and use a symfony controller to deliver them. This way you can use the symfony security component.
In addition to the good answer by @Pierre, you can use a filesystem abstraction layer. I'd recommend using Gaufrette. To integrate it with Symfony, you could use KnpGaufretteBundle.
It will give you way more flexibility, such as
using external filesystems (e.g. Amazon S3, FTP, sFTP)
using the Symfony Security component or ACL.
Everything depends on your needs and your approach in the project. However, if you need some flexibility, I'd recommend trying it out.

How do I setup KnowledgeTree with a publicly accessible folder?

I've been asked to set up KnowledgeTree (http://www.knowledgetree.com/) for a client of mine. KnowledgeTree seems to do user-authenticated DMS very well, but they want the option of having a folder that has world public-read access so they can share links to this folder with the rest of the world.
The only problem is that for the life of me I simply cannot figure out how to make KT do this. I have read in the docs about anonymous access and setting access for an "everyone" role but KT won't let me create a role of everyone.
I'm using the Community Edition of KT v3.6.3
Thanks,
Seth
I came across your post while looking for an answer to the very question you're asking. I figured out the answer last night and feel the right thing is to share it with you and others who may be struggling with this as we did.
Log in as an Administrator
Navigate to the "DMS Administration" area
Go to System Configuration
Go to General Settings
Scroll to Session Management
Allow Anonymous log in
Create the public directory
Edit the directory's permissions to include the role named "Everyone"
If you follow these steps, all documents in the public directory will be accessible without requiring a username and password.
Hope this helps
Best,
Carlos
If public access doesn't need to be via KT, consider enabling the WebDAV feature in KT.
If you have a Linux-based web server, you can then use davfs2 to mount the specific KT folders as local folders on the web server. I use davfs2 to provide document access via my wiki. This can probably be done on Windows using similar tools/techniques.
