Should I grant base.ReadPermissions to Alfresco Consumer?

Question

• Short story : I'm thinking of granting this Action to all Consumers. Security-wise, how stupid would that be ?

• Long story :

I'd like to use the OpenCmis API to get a User's allowed actions, on a given Alfresco Resource.

This way, I will decide which UI-controls I should Enable or Render. I have created a function that scans the user's allowed actions on that resource and Checks if a given one is among them, e.g CAN_CHECK_OUT, or CAN_GET_CONTENT_STREAM.

My function works like that:

private static Boolean canUserPerformAction_(Session cmisSession, String cmisObjId, String actionKey){

    try{
        OperationContext operationContext = new OperationContextImpl();
        operationContext.setIncludeAcls(true);
        CmisObject obj = getResourceById(cmisSession, cmisObjId);

        obj = (CmisObject)cmisSession.getObject(obj, operationContext);

        Acl acl = obj.getAcl();
        AllowableActions actions = obj.getAllowableActions();
        Set<Action> allowedActions = actions.getAllowableActions();


        for(Action act :allowedActions){
            if(actionKey.equals( act.name() ) ){
                return true;
            }
        }
    }catch (Exception e){
        log.debug("Error accessing Object allowed actions | "+e.toString());
    }
    return false;
}

But this method returns false Negatives for Users with Consumer/Read Role. It took me some time to realize that the Action CAN_GET_ACL was binded for role cmis:all and base.ReadPermissions, so a Consumer couldn't fetch the ACLs at all, so my method will create an empty 'allowedActions' Array. Looking at the cmis:mapping I can see that:

<cmis:mapping>
          <cmis:key>canGetACL.Object</cmis:key>
          <cmis:permission>cmis:all</cmis:permission>
          <cmis:permission>{http://www.alfresco.org/model/system/1.0}base.ReadPermissions</cmis:permission>
        </cmis:mapping>

An obvious solution would be to enable base.ReadPermissions to all users on the Company Home. But I'm not sure if this is the best way to deal with that, maybe I'm opening some security holes. Would that be a good solution ?

Or maybe I should find another way to check permissions? Any suggestions?

Thank you for your time !

Answer 1

I'm not sure if this is what you mean, but why do you need the ACLS of an object?

You want to enable/disable actions, so if you can get the Allowable Actions then that's enough. Why do you even want to see if user/group x has permissions on an object?

If you look at the possible result of the Allowable Actions CMIS API then there is all you need to know. Also set in the operationContext the include Actions to true)

If you want to know the permissions on an object and what to do other stuff than enable/disable actions then use an admin account to check the permissions and cross-check it with the current user.

Secondly: I don't think it can do harm to enable the permission, but in long-term regarding upgrades etc. I wouldn't change the default permissions. I'd then create a custom permissionGroup which has this permission and apply that on the EVERYONE group at the top level.