Alfresco Share (Prototype) Security Hack

Combination lock

Alfresco Share comes with an access control list (ACL) based security model consisting of Site Manager, Collaborator, Contributor and Consumer groups and permissions. The terminology can be confusing: in the permissions dialog it may read “Collaborators have Collaborator privileges”. These privileges are actually convenience aggregations of low-level base permissions (i.e. _ReadProperties, _ReadChildren, etc.) as documented in the wiki. The default site model covers many uses, but there are situations where it needs tweaking or “tricky” usage based on custom groups.

While working on a prototype system, I was faced with the following security requirements:

  • On one (project) site, we want to invite an arbitrary number of external users from various companies
  • Users of these companies must not see other companies' documents or activities
  • The Site Manager is responsible for cross-company security

The wiki page Custom Permissions in Share was not very encouraging regarding the technical route outlined and the effort involved. Nevertheless, it shows that at its core the Alfresco ACL security model is very fine-grained and provides a lot of flexibility.

The challenge was to find the simplest (in terms of effort) technical solution addressing the requirements. I came up with the following approach:

  • Do not allow people without Site Collaborator privileges to create folders in the document library.
  • The Site Manager creates folders for companies, one folder for each company.
  • Hack (prototype! ;) the permissions dialog to assign individual users Collaborator privileges on a specific folder.
  • Assign external users Site Contributor privileges.

Individual Alfresco Share user roles

Hacked Alfresco Share permission dialog

The funny thing is that you can assign a username to the group property of the JSON request:

params.push({group: username, role: "SiteCollaborator"});

This works because the repository treats the value as an “authority”, and users are authorities just as groups are.
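To make the “group is really an authority” point concrete, here is an added example (my own illustration, not code from the post or from Alfresco Share) that builds the same {group, role} entries the hacked dialog sends. It relies on Alfresco's authority naming convention (names starting with GROUP_ are groups, names starting with ROLE_ are roles, anything else is a user name) and on the four real Share site roles; the helper names, the validation rules and the sample user names are assumptions of this example.

```javascript
// Added example, not part of the original post and not Alfresco code.
// The four site roles are the real Share role names; everything else
// (function names, validation policy, sample users) is assumed here.
const SITE_ROLES = ["SiteManager", "SiteCollaborator", "SiteContributor", "SiteConsumer"];

// Classify an authority name by Alfresco's prefix convention:
// "GROUP_..." is a group, "ROLE_..." a role, anything else a user name.
function authorityKind(authority) {
  if (typeof authority !== "string" || authority.length === 0) {
    throw new Error("authority must be a non-empty string");
  }
  if (authority.startsWith("GROUP_")) return "group";
  if (authority.startsWith("ROLE_")) return "role";
  return "user";
}

// Build the permission entries for one folder: every authority in
// `authorities` gets `role`. The payload keeps the dialog's own
// {group, role} shape, even though the repository reads "group" as any
// authority, so a plain user name works just as a group id does.
function buildFolderPermissions(authorities, role) {
  if (!SITE_ROLES.includes(role)) {
    throw new Error("unknown site role: " + role);
  }
  const params = [];
  for (const authority of authorities) {
    if (authorityKind(authority) === "role") {
      // ROLE_* authorities (e.g. ROLE_OWNER) are not something a folder
      // dialog should hand out; refuse instead of silently granting.
      throw new Error("refusing to grant a ROLE_ authority: " + authority);
    }
    params.push({ group: authority, role: role });
  }
  return params;
}

// Count how many entries grant to individual users versus whole groups,
// so a reviewer can see at a glance what a payload actually hands out.
function summarizeGrants(params) {
  const summary = { user: 0, group: 0 };
  for (const entry of params) {
    summary[authorityKind(entry.group)] += 1;
  }
  return summary;
}

// Constructed sample (not real accounts): two users of one company plus
// a company group, all getting Collaborator on that company's folder.
const exampleEntries = buildFolderPermissions(
  ["alice@acme.example", "bob@acme.example", "GROUP_acme"],
  "SiteCollaborator"
);
console.log(JSON.stringify(exampleEntries), JSON.stringify(summarizeGrants(exampleEntries)));
```

The summary step is the part worth keeping in a real dialog: because the server does not distinguish a user from a group in this field, the client is the only place where a reviewer can see whether an entry grants one person or an entire company.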

For prototyping this is all fine. I still don’t know how I would implement these requirements “seriously” in a real project. Suggestions are welcome.

Download Alfresco Share 3.4.c permissions hack

This entry was posted in Alfresco by Andreas Steffan. Permanent link to the entry.

About Andreas Steffan

Freelance Java-Platform and Content-Management Architect / Web-Geek / Code-Mixer / Alfresco-, Grails and Linux Evangelist / Groovy- and Clojure-Fanboy / Javascript-and Wordpress-Cherrypicker / Scala-Sceptic / Emacs-Veteran / Content-Gourmet and -Cook / Agilo / Conference-Tourist / Physicist / Father / Japanese Kitchen Explorer / BBQ-Chef / Wine-Drinker / Photographer-Wannabe / Elektronica- and Frisbee-Friend / Hammock- and Backyard-Chiller / Asia-, Outdoor and Scuba-Diving-Traveller

One thought on “Alfresco Share (Prototype) Security Hack”

  1. Pingback: Individuelle Alfresco Share Site Gruppen | CONTENTREICH
