Posted to dev@chemistry.apache.org by ma...@structr.com on 2015/12/07 14:44:11 UTC

Strange ACL Test (TCK) failures, Issue to disable Copy Object in CMIS Workbench

Hello everyone,

my name is Marcel Romagnuolo and I am using the great OpenCMIS Server 
Framework to build a CMIS server for the CMS "Structr".

I am working a lot with the CMIS Workbench to test my implementations.
Over time I got some problems, which I wanted to solve with your 
help.

1)
I am getting some failures in the ACL part of the TCK tests, which I 
don't understand:
"FAILURE: ACE contains a non-basic permission: xxx"

(See: http://www2.pic-upload.de/img/29059098/problem1.png )

Only non-basic permissions are allowed in the repository! See here for 
the repository info: http://www2.pic-upload.de/img/29059109/problem2.png

As you can see the Supported Permissions are set on "REPOSITORY", which 
should indicate, that there are no basic permissions integrated, right? 
The OASIS Standard also says, that there are no basic permissions 
necessary.
But why are the TCK tests failing then?

2)
If I select a cmis:document, there is always the option under "Actions" 
to Copy the object, although all Allowable Actions are disabled. It just 
never disappears like the other Actions based on the Allowable Actions. 
How do I disable it?

See: http://www2.pic-upload.de/img/29059129/problem3.png

3)
Also some Allowable Actions don't get applied for some reason. For 
example the "CAN_GET_ACL" Allowable Action is not really working, 
because the user can always see the ACL of an object independent of his 
permissions.


I really would appreciate your help.

Thank you for reading and best regards, Marcel

Re: Strange ACL Test (TCK) failures, Issue to disable Copy Object in CMIS Workbench

Posted by ma...@structr.com.
Hello Florian,

thanks a lot for the helpful answer.
Everything is clear now and I already fixed the TCK failures.

There are still other TCK failures I have to check, but I will try to 
fix them myself first.

Have a nice day!

Marcel

On 2015-12-07 15:23, Florian Müller wrote:
> Hi Marcel,
> 
> Here are a few answers.
> 
> Re 1)
> The TCK calls getAcl() with the parameter onlyBasicPermissions = true.
> That is, the repository must translate the native permissions into
> CMIS basic permissions.
> The spec says in 2.2.10.2.1: "The repository SHOULD make a best effort
> to fully express the native security applied to the object."
> 
> Re 2)
> There is no Allowable Action that can express whether a document can
> be used as the source in a createDocumentFromSource() call or not.
> Therefore, the Workbench provides this button for all documents. In
> the worst case, the repository throws an exception, which should be ok
> for a developer tool like the Workbench.
> 
> Re 3)
> The Workbench calls getObject() with the parameter includeAcls = true,
> if the repository supports ACLs in general.
> If the repository returns an ACL with the object, then it is used. If
> the repository really doesn't want the user to get the ACL, it
> shouldn't return it.
> Allowable Actions are only hints for the clients. They don't enforce 
> anything.
> 
> 
> - Florian

Re: Strange ACL Test (TCK) failures, Issue to disable Copy Object in CMIS Workbench

Posted by Florian Müller <fm...@apache.org>.
Hi Marcel,

Here are a few answers.

Re 1)
The TCK calls getAcl() with the parameter onlyBasicPermissions = true.
That is, the repository must translate the native permissions into CMIS 
basic permissions.
The spec says in 2.2.10.2.1: "The repository SHOULD make a best effort 
to fully express the native security applied to the object."

Re 2)
There is no Allowable Action that can express whether a document can be 
used as the source in a createDocumentFromSource() call or not.
Therefore, the Workbench provides this button for all documents. In the 
worst case, the repository throws an exception, which should be ok for a 
developer tool like the Workbench.

Re 3)
The Workbench calls getObject() with the parameter includeAcls = true, 
if the repository supports ACLs in general.
If the repository returns an ACL with the object, then it is used. If 
the repository really doesn't want the user to get the ACL, it 
shouldn't return it.
Allowable Actions are only hints for the clients. They don't enforce 
anything.


- Florian



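Added example, not part of the original thread and not OpenCMIS or Structr code: a JDK-only sketch of the two server-side points from the answer above, translating native permissions to CMIS basic permissions when onlyBasicPermissions = true, and refusing to return an ACL in the repository itself instead of relying on Allowable Actions. The "native:*" permission names, the mapping, and the use of SecurityException in place of the server's own permission-denied exception are assumptions of this example.

```java
import java.util.*;

public class BasicAclExample {
    // Hypothetical native permission names; the mapping itself is an assumption of this example.
    static final Map<String, String> NATIVE_TO_BASIC = Map.of(
        "native:read", "cmis:read",
        "native:write", "cmis:write",
        "native:delete", "cmis:write",
        "native:accessControl", "cmis:all");
    // Mappings that only approximate the native right, so the translated ACL is not exact.
    static final Set<String> LOSSY = Set.of("native:delete", "native:accessControl");

    record Ace(String principal, Set<String> permissions) {}
    record Acl(List<Ace> aces, boolean exact) {}

    // callerMayReadAcl must come from the repository's own permission check,
    // not from the Allowable Actions that were sent to the client.
    static Acl getAcl(List<Ace> stored, boolean onlyBasicPermissions, boolean callerMayReadAcl) {
        if (!callerMayReadAcl) {
            throw new SecurityException("caller is not permitted to read this ACL");
        }
        if (!onlyBasicPermissions) {
            return new Acl(stored, true);
        }
        boolean exact = true;
        List<Ace> translated = new ArrayList<>();
        for (Ace ace : stored) {
            Set<String> basic = new TreeSet<>();
            for (String perm : ace.permissions()) {
                String mapped = NATIVE_TO_BASIC.get(perm);
                if (mapped == null || LOSSY.contains(perm)) exact = false;
                if (mapped != null) basic.add(mapped);
            }
            if (basic.contains("cmis:all")) basic = Set.of("cmis:all"); // cmis:all subsumes the rest
            if (!basic.isEmpty()) translated.add(new Ace(ace.principal(), basic));
        }
        return new Acl(translated, exact);
    }

    public static void main(String[] args) {
        // Constructed sample ACL; "native:audit" has no basic equivalent.
        List<Ace> stored = List.of(
            new Ace("alice", Set.of("native:read", "native:delete")),
            new Ace("bob", Set.of("native:accessControl", "native:read")),
            new Ace("carol", Set.of("native:audit")));
        System.out.println(getAcl(stored, true, true));
        // A caller without the right is refused, whatever the client UI displayed.
        try { getAcl(stored, true, false); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```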