You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@chemistry.apache.org by Jaime Porras López <aq...@gmail.com> on 2013/05/30 10:38:38 UTC
Services without a clearly defined Permission Mapping filter
Hello,
Following are listed some services without a clearly defined Permission
Mapping filter, based on CMIS 1.0 (
http://docs.oasis-open.org/cmis/CMIS/v1.0/errata-01/os/cmis-spec-v1.0-errata-01-os-complete.doc)
and CMIS 1.1 (
http://docs.oasis-open.org/cmis/CMIS/v1.1/cos01/CMIS-v1.1-cos01.pdf )
1) Navigation Services
1.1) getCheckedOutDocs
Description: Gets the list of documents that are checked out that
the user has access to.
I see two options:
1.1.1) Granted to any authenticated user. (The result will be
already filtered by the user permissions related with the objects)
1.1.2) If a folder is specified then apply the Permission Mapping
canGetDescendants.Folder
My guess is to go for the option 1.1.2.
2) Object Services
2.1) createDocumentFromSource
Description: Creates a document object as a copy of the given
source document in the (optionally) specified location.
My guess is that the Permission Mappings to apply would be:
2.1.1) Always canGetProperties.Object
2.1.2) If the object has a content stream, also apply
canViewContent.Object
2.1.3) If the optional folder is specified, also apply
canCreateDocument.Folder
2.2) createPolicy
Description: Creates a policy object of the specified type
2.2.1) CMIS 1.0
There is no Permission Mapping defined for this operation in
CMIS 1.0.
My guess is to apply the nearest permission mapping:
canCreateDocument.Folder
2.2.2) CMIS 1.1
The permission mapping defined is canCreatePolicy.Folder.
NOTE: In openCMIS 0.9.0-beta-1 this permission mapping is not
included neither in org.apache.chemistry.opencmis.commons.enums.Action or
in org.apache.chemistry.opencmis.commons.data.PermissionMapping
See JIRA: https://issues.apache.org/jira/browse/CMIS-662
2.3) getAllowableActions
Description: Gets the list of allowable actions for an Object
My guess is that this should be granted to any authenticated user.
2.4) getRenditions
Description: Gets the list of associated Renditions for the
specified object. Only rendition attributes are returned, not rendition
stream.
The related Permission Mapping was removed in the errata version of
CMIS 1.0.
My guess is to apply canGetProperties.
NOTE: In openCMIS 0.8.x and 0.9.0-beta-1 this permission mapping is
included in org.apache.chemistry.opencmis.commons.enums.Action but not in
org.apache.chemistry.opencmis.commons.data.PermissionMapping
See same JIRA as in 2.2.2.
3) Discovery Services
3.1) query
Description: Executes a CMIS query statement against the contents
of the Repository.
Based on the definition, all authenticated user is granted to query
all query-able.
In our implementation, we will restrict the output to all
query-able objects whose ACL has at least one ACE for the current user. In
this way, we can be sure the user can use all the returned objects in some
way.
4) Versioning Services
4.1) getObjectOfLatestVersion
Description: Get a the latest Document object in the Version Series.
My guess is to apply canGetProperties.Object
4.2) getPropertiesOfLatestVersion
Description: Get a subset of the properties for the latest Document
Object in the Version Series.
My guess is to apply canGetProperties.Object
Would you mind to clarify if my guessings are correct?
Thank you very much in advance.
Regards,
Jaime Porras.
Re: Services without a clearly defined Permission Mapping filter
Posted by Florian Müller <fm...@apache.org>.
Hi Jaime Porras,
The Permission Mapping is a hint for sophisticated clients and not
necessarily the whole truth. A repository can have individual rules for
each object that overrule the Permission Mapping.
A best practice for clients is to check the Allowable Actions of an
object and if they allow the action, just try it and catch a potential
exception.
Sophisticated clients that want, for example, disable buttons in a user
interface could combine the Allowable Actions and the Permission
Mapping.
Since the specification does not cover the cases you have mentioned, I
can only provide my personal view.
Re 1.1)
If the Allowable Action "canGetChildren" is set, the user can call
getCheckedOutDocs for this folder.
Re 2.1)
createDocument and createDocumentFromSource follow the same rules. To
create a document from another document the user must additionally have
read permissions (Allowable Actions "canGetProperties" and
"canGetContentStream") on the source document.
Re 2.2)
The spec doesn't provide any help for clients. They have to try it and
catch a potential exception.
Re 2.3)
If an object is visible to a user (Allowable Actions
"canGetProperties"), the user can also get the Allowable Actions.
Re 2.4)
If and which renditions are visible to a user is repository specific.
There could be complex permission and rule sets, that are invisible
through CMIS.
If the repository doesn't want to expose renditions to a specific user,
it should return an empty list.
Re 3)
A query should return all objects that a user could also retrieve via
getObject().
In short:
If getObject("id123") returns a document object, then "SELECT * FROM
cmis:document WHERE cmis:objectId='id123'" should return the same
document object.
Re 4.1 an 4.2)
The latest object of a version series is just another object and
covered by "canGetProperties".
- Florian
> Hello,
>
> Following are listed some services without a clearly defined
> Permission
> Mapping filter, based on CMIS 1.0 (
>
> http://docs.oasis-open.org/cmis/CMIS/v1.0/errata-01/os/cmis-spec-v1.0-errata-01-os-complete.doc)
> and CMIS 1.1 (
> http://docs.oasis-open.org/cmis/CMIS/v1.1/cos01/CMIS-v1.1-cos01.pdf )
>
> 1) Navigation Services
>
> 1.1) getCheckedOutDocs
> Description: Gets the list of documents that are checked out
> that
> the user has access to.
>
> I see two options:
> 1.1.1) Granted to any authenticated user. (The result will be
> already filtered by the user permissions related with the objects)
> 1.1.2) If a folder is specified then apply the Permission
> Mapping
> canGetDescendants.Folder
> My guess is to go for the option 1.1.2.
>
> 2) Object Services
>
> 2.1) createDocumentFromSource
> Description: Creates a document object as a copy of the given
> source document in the (optionally) specified location.
> My guess is that the Permission Mappings to apply would be:
> 2.1.1) Always canGetProperties.Object
> 2.1.2) If the object has a content stream, also apply
> canViewContent.Object
> 2.1.3) If the optional folder is specified, also apply
> canCreateDocument.Folder
>
> 2.2) createPolicy
> Description: Creates a policy object of the specified type
> 2.2.1) CMIS 1.0
> There is no Permission Mapping defined for this operation
> in
> CMIS 1.0.
> My guess is to apply the nearest permission mapping:
> canCreateDocument.Folder
> 2.2.2) CMIS 1.1
> The permission mapping defined is canCreatePolicy.Folder.
> NOTE: In openCMIS 0.9.0-beta-1 this permission mapping is
> not
> included neither in
> org.apache.chemistry.opencmis.commons.enums.Action or
> in org.apache.chemistry.opencmis.commons.data.PermissionMapping
> See JIRA: https://issues.apache.org/jira/browse/CMIS-662
>
> 2.3) getAllowableActions
> Description: Gets the list of allowable actions for an Object
> My guess is that this should be granted to any authenticated
> user.
>
> 2.4) getRenditions
> Description: Gets the list of associated Renditions for the
> specified object. Only rendition attributes are returned, not
> rendition
> stream.
> The related Permission Mapping was removed in the errata
> version of
> CMIS 1.0.
> My guess is to apply canGetProperties.
> NOTE: In openCMIS 0.8.x and 0.9.0-beta-1 this permission
> mapping is
> included in org.apache.chemistry.opencmis.commons.enums.Action but
> not in
> org.apache.chemistry.opencmis.commons.data.PermissionMapping
> See same JIRA as in 2.2.2.
>
> 3) Discovery Services
>
> 3.1) query
> Description: Executes a CMIS query statement against the
> contents
> of the Repository.
> Based on the definition, all authenticated user is granted to
> query
> all query-able.
> In our implementation, we will restrict the output to all
> query-able objects whose ACL has at least one ACE for the current
> user. In
> this way, we can be sure the user can use all the returned objects in
> some
> way.
>
> 4) Versioning Services
>
> 4.1) getObjectOfLatestVersion
> Description: Get a the latest Document object in the Version
> Series.
> My guess is to apply canGetProperties.Object
>
> 4.2) getPropertiesOfLatestVersion
> Description: Get a subset of the properties for the latest
> Document
> Object in the Version Series.
> My guess is to apply canGetProperties.Object
>
> Would you mind to clarify if my guessings are correct?
>
> Thank you very much in advance.
>
> Regards,
>
> Jaime Porras.