"Can ask for publishing" permission has no effect
Steps to reproduce the error using Nuxeo 5.9.5 virtual machine:
- Create a new user
- Create a new section. Assign to the previous user the read permission and deny “Can ask for publishing” permission.
- Log in as the created user, create a document and publish it in the section.
Is there a way to enable users to see a section without being able to publish in it?
Thanks in advance. Regards.
0 votes
1 answers
2616 views
This is expected, as Read includes CanAskForPublishing and if you allow Read before denying CanAskForPublishing then the deny won't matter.
Note that this changed for Nuxeo 6.0 (NXP-15563).
 |
Florent Guillaume
Member (36K) 6 8 8 |
11/05/2014 ( History) |
Hi Florent,
I'm afraid the order of granting/denying the permissions shouldn't change the resultant permission. And in fact it doesn't change it. you can reproduce the behaviour in the Nuxeo VM easily:
- Create a new section.
- Deny "Can ask for publishing" permission for a user in that section.
- Then assign to the previous user the read permission.
- Log in as the created user, create a document and publish it in that section.
I'm glad Nuxeo 6 solves this behaviour. I guess we'll have to wait.
Thanks.
11/07/2014
The order in which you do 2. and 3. in the UI doesn't matter, in both cases from this screen Nuxeo will write the resulting ACL with the grants before the denies, so the granting of Read will come before the denying of CanAskForPublishing. Try with two levels of sections, doing the deny at one level and the grant in a subsection. Or use Java code or Automation to write a more fine-grained ACL on the object than what the UI does.
11/07/2014