Need help in CMIS query for Site folder permission

[sujay pillai]

Hello All,

I have created a site named 'testsite' and then by navigating to Repository > Sites > testsite > documentLibrary > testspace1 and clicking on Manage Permission added 3 users as Contributor to folder - testspace1

Thus the permissions set for this folder are as below:

EVERYONE                                              ReadPermissions

            site_testsite_SiteCollaborator              Site Collaborator

            site_teststie_SiteManager                     Site Manager

            user1                                                          Contributor

            user2                                                          Contributor

            user3                                                          Contributor

My requirement is to fetch out such permissions set on each site's documentLibrary?

I have written a JAVA code using OpenCMIS as below -

OperationContext oc = session.createOperationContext();
oc.setIncludeAcls(true);
Folder sitesFolder = (Folder) session.getObjectByPath("/Sites/testsite/documentLibrary/testspace1",oc);
System.out.println(">> SiteFolder :"+sitesFolder.getName());
Acl fldrAcl = sitesFolder.getAcl();
System.out.println(">> Entries :: " + fldrAcl);
List<Ace> fldrAce = fldrAcl.getAces();
for(Ace fldr : fldrAce){
System.out.println(">> FolderPermission : "+fldr.getPrincipalId() + ">> ");
for(String perm : fldr.getPermissions()){
System.out.println(">> " + perm);
}
}

It prints the output as below :

            >> SiteFolder :testspace1

>> Entries :: Access Control List [ACEs=[Access Control Entry [principal=Access Control Principal [principalId=GROUP_EVERYONE][extensions=null], permissions=[{http://www.alfresco.org/model/system/1.0}base.ReadPermissions], is direct=true][extensions=null], Access Control Entry [principal=Access Control Principal [principalId=GROUP_site_testsite_SiteCollaborator][extensions=null], permissions=[cmis:write], is direct=false][extensions=null], Access Control Entry [principal=Access Control Principal [principalId=GROUP_site_testsite_SiteCollaborator][extensions=null], permissions=[cmis:read], is direct=false][extensions=null], Access Control Entry [principal=Access Control Principal [principalId=GROUP_site_testsite_SiteCollaborator][extensions=null], permissions=[{http://www.alfresco.org/model/site/1.0}site.SiteCollaborator], is direct=true][extensions=null], Access Control Entry [principal=Access Control Principal [principalId=GROUP_site_bangolufsen_SiteManager][extensions=null], permissions=[cmis:read], is direct=false][extensions=null], Access Control Entry [principal=Access Control Principal [principalId=GROUP_site_bangolufsen_SiteManager][extensions=null], permissions=[cmis:write], is direct=false][extensions=null], Access Control Entry [principal=Access Control Principal [principalId=GROUP_site_bangolufsen_SiteManager][extensions=null], permissions=[cmis:all], is direct=false][extensions=null], Access Control Entry [principal=Access Control Principal [principalId=GROUP_site_bangolufsen_SiteManager][extensions=null], permissions=[{http://www.alfresco.org/model/site/1.0}site.SiteManager], is direct=true][extensions=null], Access Control Entry [principal=Access Control Principal [principalId=user1][extensions=null], permissions=[cmis:read], is direct=false][extensions=null], Access Control Entry [principal=Access Control Principal [principalId=user1][extensions=null], permissions=[{http://www.alfresco.org/model/content/1.0}cmobject.Contributor], is direct=true][extensions=null], Access Control Entry [principal=Access Control Principal [principalId=user2][extensions=null], permissions=[cmis:read], is direct=false][extensions=null], Access Control Entry [principal=Access Control Principal [principalId=user2][extensions=null], permissions=[{http://www.alfresco.org/model/content/1.0}cmobject.Contributor], is direct=true][extensions=null], Access Control Entry [principal=Access Control Principal [principalId=user3][extensions=null], permissions=[cmis:read], is direct=false][extensions=null], Access Control Entry [principal=Access Control Principal [principalId=user3][extensions=null], permissions=[{http://www.alfresco.org/model/content/1.0}cmobject.Contributor], is direct=true][extensions=null]], is exact=false][extensions=null]
>> FolderPermission : GROUP_EVERYONE>> 
>> {http://www.alfresco.org/model/system/1.0}base.ReadPermissions
>> FolderPermission : GROUP_site_testsite_SiteCollaborator>> 
>> cmis:write
>> FolderPermission : GROUP_site_testsite_SiteCollaborator>> 
>> cmis:read
>> FolderPermission : GROUP_site_testsite_SiteCollaborator>> 
>> {http://www.alfresco.org/model/site/1.0}site.SiteCollaborator
>> FolderPermission : GROUP_site_bangolufsen_SiteManager>> 
>> cmis:read
>> FolderPermission : GROUP_site_bangolufsen_SiteManager>> 
>> cmis:write
>> FolderPermission : GROUP_site_bangolufsen_SiteManager>> 
>> cmis:all
>> FolderPermission : GROUP_site_bangolufsen_SiteManager>> 
>> {http://www.alfresco.org/model/site/1.0}site.SiteManager
>> FolderPermission : user1>> 
>> cmis:read
>> FolderPermission : user1>> 
>> {http://www.alfresco.org/model/content/1.0}cmobject.Contributor
>> FolderPermission : user2>> 
>> cmis:read
>> FolderPermission : user2>> 
>> {http://www.alfresco.org/model/content/1.0}cmobject.Contributor
>> FolderPermission : user3>> 
>> cmis:read
>> FolderPermission : user3>> 
>> {http://www.alfresco.org/model/content/1.0}cmobject.Contributor

Can anyone please help me to cut down the output to only to specially assigned permissions [other than default  GROUP_site_testsite_SiteCollaborator, GROUP_site_bangolufsen_SiteManager, GROUP_EVERYONE] ? Any better query for this?

--
Regards,
Sujay Pillai

[Jeff Potts]

In this block...

for(Ace fldr : fldrAce){
System.out.println(">> FolderPermission : "+fldr.getPrincipalId() + ">> ");
for(String perm : fldr.getPermissions()){
System.out.println(">> " + perm);
}
}

You could use the isDirect() method on Ace to determine whether or not the entry was set specifically on the folder (isDirect() returns true) or was inherited (isDirect() returns false).

Is that what you are trying to do?

Jeff

[sujay pillai]

Hello Jeff,

Thanks for your pointer!!!

Below is the code what I changed to make use of isDirect() method -

List<Ace> fldrAce = fldrAcl.getAces();
for(Ace fldr : fldrAce){

if(fldr.isDirect()){
System.out.println(">> FolderPermission : "+fldr.getPrincipalId());

for(String perm : fldr.getPermissions()){
System.out.println("   >> " + perm);
}
}
}

And the output as below -

>> SiteFolder :testspace1

>> FolderPermission : GROUP_EVERYONE
   >> {http://www.alfresco.org/model/system/1.0}base.ReadPermissions
>> FolderPermission : GROUP_site_testsite_SiteCollaborator

   >> {http://www.alfresco.org/model/site/1.0}site.SiteCollaborator
>> FolderPermission : GROUP_site_testsite_SiteManager
   >> {http://www.alfresco.org/model/site/1.0}site.SiteManager
>> FolderPermission : user1

   >> {http://www.alfresco.org/model/content/1.0}cmobject.Contributor
>> FolderPermission : user2

   >> {http://www.alfresco.org/model/content/1.0}cmobject.Contributor
>> FolderPermission : user3

   >> {http://www.alfresco.org/model/content/1.0}cmobject.Contributor 

I just wanted the highlighted permission user1, user2, user3 (which were manually set by going to  Repository > Sites > testsite > documentLibrary > testspace1 and clicking on Manage Permission ).

--
You received this message because you are subscribed to the Google Groups "Alfresco Technical Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to alfresco-technical-d...@googlegroups.com.
To post to this group, send email to alfresco-techn...@googlegroups.com.
Visit this group at http://groups.google.com/group/alfresco-technical-discussion.
For more options, visit https://groups.google.com/groups/opt_out.

--
Regards,
Sujay Pillai

[Jeff Potts]

That should definitely not be happening.

Please confirm that your code is looking at the documentLibrary folder or a folder below that. If it is and you are still seeing this, please give me:

 - the exact Alfresco version you are running

 - the exact version of OpenCMIS you are using

 - the CMIS service URL you are using

I just quickly confirmed that on Alfresco 4.2.e using OpenCMIS 0.10.0. I can successfully tell the difference between direct and indirect ACEs. For a site that has the default groups plus a user, tuser1, set directly on the documentLibrary folder, I can run this code:

public class CmisACLExample extends ExampleBase {

public static void main(String[] args) {

CmisACLExample cae = new CmisACLExample();

cae.doExample();

}

public void doExample() {

OperationContext opCtx = getCmisSession().createOperationContext();

opCtx.setIncludeAcls(true);

Folder folder = (Folder) getCmisSession().getObjectByPath("/Sites/test-site-3/documentLibrary", opCtx);

Acl acl = folder.getAcl();

List<Ace> aces = acl.getAces();

for (Ace ace : aces) {

System.out.println(ace.getPrincipalId() + " Direct? " + ace.isDirect());

}

}

}

And see this output:

GROUP_EVERYONE Direct? false

GROUP_site_test-site-3_SiteManager Direct? false

GROUP_site_test-site-3_SiteContributor Direct? false

tuser1 Direct? true

GROUP_site_test-site-3_SiteConsumer Direct? false

GROUP_site_test-site-3_SiteCollaborator Direct? false

Jeff

[sujay pillai]

Yes the code is looking at a folder (testspace1) below DocumentLibrary 

               OperationContext oc = session.createOperationContext();
oc.setIncludeAcls(true);
Folder sitesFolder = (Folder) session.getObjectByPath("/Sites/testsite/documentLibrary/testspace1",oc);

Alfresco Version : Version : 4.0.1 (.11 46) [Enterprise]

OpenCMIS : 0.8.0 

CMIS service URL :  parameters.put(SessionParameter.ATOMPUB_URL, "http://alfhost:port/alfresco/service/cmis");   [ATOMPUB Binding]

Checking with 0.10.0 and will update you on result....

[Jeff Potts]

It looks like you are using the wrong service URL and that is causing your problem. I can reproduce your problem when I use the deprecated service URL you are using with OpenCMIS 0.8 and Alfresco Enterprise 4.0. When I switch to the correct service URL, it works fine with those versions.

The correct service URL for Alfresco 4.x is http://localhost:8080/alfresco/cmisatom.

Just for comparison, when using the deprecated URL, the sample code I posted returns:

GROUP_EVERYONE Direct? false

GROUP_EVERYONE Direct? false

GROUP_EVERYONE Direct? false

GROUP_site_test-site-3_SiteCollaborator Direct? false

GROUP_site_test-site-3_SiteCollaborator Direct? false

GROUP_site_test-site-3_SiteCollaborator Direct? false

GROUP_site_test-site-3_SiteConsumer Direct? false

GROUP_site_test-site-3_SiteConsumer Direct? false

GROUP_site_test-site-3_SiteContributor Direct? false

GROUP_site_test-site-3_SiteContributor Direct? false

GROUP_site_test-site-3_SiteManager Direct? false

GROUP_site_test-site-3_SiteManager Direct? false

GROUP_site_test-site-3_SiteManager Direct? false

GROUP_site_test-site-3_SiteManager Direct? false

tuser1 Direct? false

tuser1 Direct? false

tuser1 Direct? true

But when using the correct URL, the same code returns:

GROUP_EVERYONE Direct? false

GROUP_site_test-site-3_SiteManager Direct? false

GROUP_site_test-site-3_SiteContributor Direct? false

tuser1 Direct? true

GROUP_site_test-site-3_SiteConsumer Direct? false

GROUP_site_test-site-3_SiteCollaborator Direct? false

Hopefully this solves your problem.

Jeff

[sujay pillai]

Thanks Jeff!!!  I updated the OpenCMIS library and changed the service url and it solved my problem.

Just another doubt what if the user is already a member of the site and special permission are set on particular folder for that user. What happens in that case?

i.e. If the site member is having a role of SiteConsumer and for a particular folder if "Collaborator" role is set for this user.