[DOCU-365] AccessControlProvider settings Created: 10/Jan/13  Updated: 29/May/18  Resolved: 29/May/18

Status: Closed
Project: Documentation
Component/s: content
Affects Version/s: mid term
Fix Version/s: mid term

Type: Task Priority: Neutral
Reporter: Roman Kovařík Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
documentation
documents MAGNOLIA-4729 ACLs only for sub pages does not work... Closed
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Date of First Response:

 Description   

It is now possible to set the permission class of MagnoliaAccessProvider.
The default permission class is info.magnolia.cms.core.DefaultACLBasedPermissions. This class is used when any permission class is specified or when the user sets a class which can be used.
Magnolia 4.5.8 introduces the new info.magnolia.cms.core.NodeTypeBasedPermissions class. This class, or any class that extends DefaultACLBasedPermissions, can be used.

To set the permission class for the website workspace:
Go to apache-tomcat-6.0.32/webapps/magnoliaAuthor/repositories/magnolia/workspaces/website/workspace.xml:

<Workspace name="website">
    ...
    <WorkspaceSecurity>
        <AccessControlProvider class="info.magnolia.cms.core.MagnoliaAccessProvider">
            <param name="permissionsClass" value="info.magnolia.cms.core.NodeTypeBasedPermissions"/>
            <param name="nodeTypes" value="mgnl:page"/>
        </AccessControlProvider>
    </WorkspaceSecurity>
</Workspace>

1] Set the permissionsClass parameter to your own permission class (the NodeTypeBasedPermissions class is used here).
2] Set the nodeTypes parameter to the node type from which you want to take permissions. You can use more node types separated by commas (see MgnlNodeTypes for available node types).

How the NodeTypeBasedPermissions class works:

We want to give some users read/write access to /demo-project and only read access to the /demo-project subpages. By default (using DefaultACLBasedPermissions), these users also cannot edit the /demo-project page. This is because they also need read/write access to the content nodes and MetaData of /demo-project.
With the NodeTypeBasedPermissions class and nodeTypes set to mgnl:page, it works like this:
An access request for /demo-project/MetaData checks whether /demo-project/MetaData is of type mgnl:page. It isn't, so the check continues to the parent node /demo-project. That node has the type mgnl:page, so the access right to this node is returned and /demo-project/MetaData is accessible.
For example, you can avoid the issue http://jira.magnolia-cms.com/browse/MAGNOLIA-4729 this way.

How to create your own permission class:

1] Extend the DefaultACLBasedPermissions class.
2] Create its constructor. The constructor must have exactly the same arguments as the constructor of DefaultACLBasedPermissions:
public DefaultACLBasedPermissions(List<Permission> permissions, SessionImpl systemSession, Map<?, ?> configuration).
You can add any parameters you want for your own implementation of the permission class, similar to the nodeTypes parameter mentioned above. You can then read them from Map<?, ?> configuration.
3] Override the methods 'canRead' and 'access' with your own implementation.
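
The parent-node lookup described under "How does NodeTypeBasedPermissions class work", as an added stand-alone model that is not Magnolia's own code and is not part of the original issue. The class name, the sample node tree, the acl() rules and the fallback when no ancestor matches are assumptions made for illustration; only the nodeTypes value mgnl:page and the /demo-project scenario come from the description above.

```java
import java.util.*;

// Simplified stand-alone model (Java 9+); it does not use Magnolia or Jackrabbit classes.
public class NodeTypeResolutionDemo {
    static final int READ = 1, WRITE = 2;

    // Constructed sample content: absolute path -> primary node type.
    static final Map<String, String> TYPES = Map.of(
        "/demo-project", "mgnl:page",
        "/demo-project/MetaData", "mgnl:metaData",
        "/demo-project/about", "mgnl:page",
        "/demo-project/about/MetaData", "mgnl:metaData");

    // Constructed ACL for the scenario: read/write on the page itself, read-only below it.
    static int acl(String path) {
        if (path.equals("/demo-project")) return READ | WRITE;
        if (path.startsWith("/demo-project/")) return READ;
        return 0;
    }

    // Walk up from the requested absolute path to the nearest node whose type is listed
    // in nodeTypes; the ACL is then evaluated for that node instead of the requested one.
    static String resolve(String path, Set<String> nodeTypes) {
        for (String p = path; !p.isEmpty(); p = p.substring(0, p.lastIndexOf('/'))) {
            if (nodeTypes.contains(TYPES.getOrDefault(p, ""))) return p;
        }
        return path; // assumption: no matching ancestor, so evaluate the requested path itself
    }

    static String show(int perms) {
        return (perms & READ) == 0 ? "none" : (perms & WRITE) != 0 ? "read/write" : "read";
    }

    public static void main(String[] args) {
        // Same comma-separated form as the nodeTypes param in workspace.xml.
        Set<String> nodeTypes = new HashSet<>(Arrays.asList("mgnl:page".split(",")));
        for (String path : List.of("/demo-project", "/demo-project/MetaData",
                                   "/demo-project/about", "/demo-project/about/MetaData")) {
            String effective = resolve(path, nodeTypes);
            System.out.printf("%-30s path-based=%-10s nodeType-based=%-10s (evaluated at %s)%n",
                path, show(acl(path)), show(acl(effective)), effective);
        }
    }
}
```

When reviewing such a configuration, the rows to compare are the non-page children: under node-type resolution they inherit whatever the nearest configured ancestor grants, so a broad nodeTypes list changes which ACL entry decides access to every node beneath it.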



 Comments   
Comment by Magnolia International [ 15/Jan/13 ]

Roman, this sounds like a very useful feature, but it also sounds to me like we should give some good use-cases for this - i.e. to avoid confusing users ("why would I do that?")

Also: is this backwards compatible?

And lastly - before we make this public, we might want to consider the packages of these new classes.

Comment by Roman Kovařík [ 29/May/18 ]

Closed, no interest since 4.5.8.
