Block permissions inheritance programmatically

Hello,

Is it possible to block permission inheritance via API?

When we try by resetting the ACP it seems not to work, and still permissions are inherited.

Thank you

EDIT: My use case is the following:

I want to create a document (folder) inside a tree of other folders, but want only the creator and users from the admin group to have access to it.

0 votes

1 answers

6371 views

ANSWER

Hello,

I also have the same question but in the context of content automation with the REST API…

My need is to block inheritance on a specific folder

Thank you for your help

10/04/2013

@vieville Automation is a different matter, please ask a new question.
10/04/2013



Don't know about the API, but you could create a listener for various document creation events (DOCUMENT_CREATED, DOCUMENT_CREATED_BY_COPY, DOCUMENT_DUPLICATED, etc.) and then remove inheritance and set default ACL.

Something like…

DocumentRef docRef = docModel.getRef();
ACP acp = this.session.getACP(docRef);

// delete existing 'local' ACL 
acp.removeACL(ACL.LOCAL_ACL);

// block inheritance
acp.getOrCreateACL().add(new ACE(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING, false));

// and then create the local ACL entries you do want
ACL acl = acp.getOrCreateACL(ACL.LOCAL_ACL);
// ... and then create the desired ACEs ...
acl.add(new ACE("testgroup","Read", true));
acp.addACL(acl);
this.session.setACP(docRef, acp, true);
0 votes



Hello Bruce, thank you very much for your answer. I have tried what you suggest above and, while the inheritance is removed, local permissions do not seem to work. Do you have any suggestions on that / have you ever had such a case?

Thanks again

09/30/2013

I added lines to above example to create ACE and then save updated ACL to doc - is this what you tried?
09/30/2013

Hello Bruce, thanks for the info. The main difference I can find is the override=true in setACP; I will try that and get back to you with the result, thanks.
09/30/2013

Hello Bruce, it doesn't seem to work, unless we are doing something wrong.

We found out it works if we set the local ACL before doing acp.getOrCreateACL().add(new ACE(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING, false));

We are thinking it may have something to do with the fact that the above line may also remove the right to set the new ACP.

09/30/2013

The only other thing I can think is that I have this code running in a class that extends UnrestrictedSessionRunner so it has fully trusted status
09/30/2013

Bruce, I am going to accept your answer as it pointed me in the right direction, thank you.
10/03/2013

Hey Bruce,

How are you getting the docModel object if you want to write a standalone Java program and do the same?

Thanks in Advance.

11/04/2015
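
The approach this thread converges on, written out as an added example (not code from the posters or from the Nuxeo project): the grants go into the local ACL before the deny-everyone entry, and the change runs inside an UnrestrictedSessionRunner. The class name and the `creator` and `adminGroup` parameters are hypothetical, and the code assumes a Nuxeo version whose core API exceptions are unchecked (on older versions `run()` needs `throws ClientException`).

```java
import org.nuxeo.ecm.core.api.CoreSession;
import org.nuxeo.ecm.core.api.DocumentRef;
import org.nuxeo.ecm.core.api.UnrestrictedSessionRunner;
import org.nuxeo.ecm.core.api.security.ACE;
import org.nuxeo.ecm.core.api.security.ACL;
import org.nuxeo.ecm.core.api.security.ACP;
import org.nuxeo.ecm.core.api.security.SecurityConstants;

// Hypothetical helper: restricts one document to its creator and an admin group.
// Intended to be called from a document-creation listener as
//   new BlockInheritanceRunner(session, doc.getRef(), creator, adminGroup).runUnrestricted();
public class BlockInheritanceRunner extends UnrestrictedSessionRunner {

    private final DocumentRef docRef;
    private final String creator;     // assumption: user name of the document creator
    private final String adminGroup;  // assumption: name of the group that keeps access

    public BlockInheritanceRunner(CoreSession session, DocumentRef docRef,
                                  String creator, String adminGroup) {
        super(session);
        this.docRef = docRef;
        this.creator = creator;
        this.adminGroup = adminGroup;
    }

    @Override
    public void run() {
        // 'session' here is the unrestricted session supplied by the runner,
        // so writing the ACP does not depend on the rights being changed.
        ACP acp = session.getACP(docRef);

        // Start from an empty local ACL.
        acp.removeACL(ACL.LOCAL_ACL);
        ACL local = acp.getOrCreateACL(ACL.LOCAL_ACL);

        // ACEs are evaluated in order: the grants must come first ...
        local.add(new ACE(creator, SecurityConstants.EVERYTHING, true));
        local.add(new ACE(adminGroup, SecurityConstants.EVERYTHING, true));

        // ... and the deny-everyone entry last. It stops evaluation before the
        // inherited ACL is reached, which is what blocks inheritance.
        local.add(new ACE(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING, false));

        // overwrite=true replaces the stored ACP instead of merging with it.
        session.setACP(docRef, acp, true);
    }
}
```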