Hello all,
This is something I was working on a while back and I've come back to it. The idea is that users can create some XML form in a given folder. When this happens my repository service comes into play and changes the permissions so that only admin and owner have FULL_CONTROL while Everyone has READ access.
It all works great when the logged on user has the ContentManager role, but regular users throw a NotAuthorizedException and don't change the ACL. Obviously I can't give hundreds of users content admin privileges, so... any ideas?
Here is the received method in my repository service:
public void received(IEvent event) {
    IResource resource = (IResource) event.getParameter();
    try {
        String rid = resource.getRID().toString();
        // Only act on resources created directly in the cork board folder
        if (rid.equals("/documents/corkBoard/" + resource.getName())) {
            ISecurityManager sm = resource.getRepositoryManager().getSecurityManager(resource);
            // instanceof is false for null, so no separate null check is needed
            if (sm instanceof IAclSecurityManager) {
                IAclSecurityManager asm = (IAclSecurityManager) sm;
                IResourceAclManager ram = asm.getAclManager();
                // Drop the inherited ACL and give the resource its own, empty one
                ram.removeAcl(resource);
                IResourceAcl ra = ram.createAcl(resource);
                IUMPrincipal everyone = WPUMFactory.getGroupFactory().getGroup("Everyone");
                IUMPrincipal newsManager = WPUMFactory.getRoleFactory().getRole("com.sapro.KM_News_Manager");
                IUMPrincipal owner = WPUMFactory.getUserFactory().getUser(resource.getCreatedBy());
                // Remove any default entries the new ACL was created with
                IResourceAclEntryList rel = ra.getEntries();
                IResourceAclEntryListIterator it = rel.iterator();
                while (it.hasNext()) {
                    ra.removeEntry(it.next());
                }
                // Everyone: READ; news manager role and creator: FULL_CONTROL
                ra.addEntry(ram.createAclEntry(everyone, false,
                        ram.getPermission(IAclPermission.ACL_PERMISSION_READ), 0));
                ra.addEntry(ram.createAclEntry(newsManager, false,
                        ram.getPermission(IAclPermission.ACL_PERMISSION_FULL_CONTROL), 1));
                ra.addEntry(ram.createAclEntry(owner, false,
                        ram.getPermission(IAclPermission.ACL_PERMISSION_FULL_CONTROL), 2));
            }
        }
    } catch (AclPersistenceException e) {
        LOCATION.errorT("I raised an AclPersistenceException @" + (new Date()).toString() + ": "
                + LoggingFormatter.extractCallstack(e));
    } catch (ResourceException e) {
        LOCATION.errorT("I raised a ResourceException @" + (new Date()).toString() + ": "
                + LoggingFormatter.extractCallstack(e));
    } catch (NotAuthorizedException e) {
        // This is the exception ordinary users hit: the handler runs with their identity
        LOCATION.errorT("I raised a NotAuthorizedException @" + (new Date()).toString() + ": "
                + e.getMessage() + "**" + LoggingFormatter.extractCallstack(e));
    } catch (AclExistsException e) {
        LOCATION.errorT("I raised an AclExistsException @" + (new Date()).toString() + ": "
                + LoggingFormatter.extractCallstack(e));
    } catch (UserManagementException e) {
        LOCATION.errorT("I raised a UserManagementException @" + (new Date()).toString() + ": "
                + LoggingFormatter.extractCallstack(e));
    } catch (InvalidClassException e) {
        LOCATION.errorT("I raised an InvalidClassException @" + (new Date()).toString() + ": "
                + LoggingFormatter.extractCallstack(e));
    } catch (AlreadyAssignedToAclException e) {
        LOCATION.errorT("I raised an AlreadyAssignedToAclException @" + (new Date()).toString() + ": "
                + LoggingFormatter.extractCallstack(e));
    } catch (PermissionNotSupportedException e) {
        LOCATION.errorT("I raised a PermissionNotSupportedException @" + (new Date()).toString() + ": "
                + LoggingFormatter.extractCallstack(e));
    }
}
When a resource is created I check to see if it's in the folder that interests me. If so, I remove the current ACL so as not to inherit from the parent folder, then I grab the role, group and user that interest me and set the permissions that I want.
Again, when I run this as myself it works great. Other users, not having the same permissions as me in KM, throw the NotAuthorizedException. Is there any way around this?
I look forward to any response/help.
Yours,
Patrick.
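The following is an added example, not Patrick's code and not an SAP sample. It shows the least-privilege alternative to giving every user the ContentManager role: the repository service re-resolves the resource under a dedicated KM service user that has been granted ACL administration on the cork board folder only, and writes the ACL in that context, while the creator's identity still comes from the resource metadata so the owner entry is unchanged. It assumes the NetWeaver KM API calls `WPUMFactory.getServiceUserFactory().getServiceUser(String)`, `new ResourceContext(IUser)` and `ResourceFactory.getInstance().getResource(RID, IResourceContext)`, that `WcmException` is the common base of the KM resource and ACL exceptions, and that the package names match the installed KM version. The service user alias `corkboard_acl_service`, the class `CorkBoardAclHelper` and the method `applyCorkBoardAcl` are placeholders invented for the example.

```java
// Added example: apply the cork board ACL under a dedicated KM service user
// instead of the user whose upload triggered the event. Package names are
// assumed from the NetWeaver KM API; check them against your installation.
import com.sapportals.portal.security.usermanagement.IUser;
import com.sapportals.wcm.WcmException;
import com.sapportals.wcm.repository.IResource;
import com.sapportals.wcm.repository.IResourceContext;
import com.sapportals.wcm.repository.ResourceContext;
import com.sapportals.wcm.repository.ResourceFactory;
import com.sapportals.wcm.repository.manager.ISecurityManager;
import com.sapportals.wcm.repository.security.IAclPermission;
import com.sapportals.wcm.repository.security.IAclSecurityManager;
import com.sapportals.wcm.repository.security.IResourceAcl;
import com.sapportals.wcm.repository.security.IResourceAclEntryListIterator;
import com.sapportals.wcm.repository.security.IResourceAclManager;
import com.sapportals.wcm.util.usermanagement.IUMPrincipal;
import com.sapportals.wcm.util.usermanagement.UserManagementException;
import com.sapportals.wcm.util.usermanagement.WPUMFactory;

public class CorkBoardAclHelper {

    // Placeholder alias: a KM service user created for this purpose and granted
    // ACL administration on /documents/corkBoard only, nothing wider.
    private static final String SERVICE_USER_ALIAS = "corkboard_acl_service";
    private static final String NEWS_MANAGER_ROLE = "com.sapro.KM_News_Manager";

    /**
     * Re-resolves the resource in the service user's context and writes the
     * cork board ACL. Returns true on success and false on any failure, in
     * which case the inherited ACL is left in place (fail closed) and the
     * caller should log the outcome.
     */
    public static boolean applyCorkBoardAcl(IResource triggered) {
        try {
            // Assumption: IServiceUserFactory.getServiceUser(String) looks the
            // configured service user up by its alias.
            IUser serviceUser = WPUMFactory.getServiceUserFactory().getServiceUser(SERVICE_USER_ALIAS);
            IResourceContext serviceCtx = new ResourceContext(serviceUser);
            // Same RID, but every repository call below is now authorised as the
            // service user rather than as the user who created the form.
            IResource resource = ResourceFactory.getInstance().getResource(triggered.getRID(), serviceCtx);

            ISecurityManager sm = resource.getRepositoryManager().getSecurityManager(resource);
            if (!(sm instanceof IAclSecurityManager)) {
                return false;   // repository without ACL support: nothing to do
            }
            IResourceAclManager ram = ((IAclSecurityManager) sm).getAclManager();

            // Owner comes from the triggering resource's metadata, not from the
            // service context, so the creator still receives FULL_CONTROL.
            IUMPrincipal owner = WPUMFactory.getUserFactory().getUser(triggered.getCreatedBy());
            IUMPrincipal everyone = WPUMFactory.getGroupFactory().getGroup("Everyone");
            IUMPrincipal newsManager = WPUMFactory.getRoleFactory().getRole(NEWS_MANAGER_ROLE);

            // Break inheritance from the parent folder and start from an empty ACL
            ram.removeAcl(resource);
            IResourceAcl acl = ram.createAcl(resource);
            IResourceAclEntryListIterator it = acl.getEntries().iterator();
            while (it.hasNext()) {
                acl.removeEntry(it.next());
            }
            acl.addEntry(ram.createAclEntry(everyone, false,
                    ram.getPermission(IAclPermission.ACL_PERMISSION_READ), 0));
            acl.addEntry(ram.createAclEntry(newsManager, false,
                    ram.getPermission(IAclPermission.ACL_PERMISSION_FULL_CONTROL), 1));
            acl.addEntry(ram.createAclEntry(owner, false,
                    ram.getPermission(IAclPermission.ACL_PERMISSION_FULL_CONTROL), 2));
            return true;
        } catch (UserManagementException e) {
            // Service user missing or user management unavailable: keep inherited ACL
            return false;
        } catch (WcmException e) {
            // Assumption: WcmException is the base of ResourceException,
            // NotAuthorizedException and the Acl*Exception family caught above.
            return false;
        }
    }
}
```

From the `received` method, the inline ACL block is replaced by `if (!CorkBoardAclHelper.applyCorkBoardAcl(resource)) { LOCATION.errorT(...); }` after the folder check, so the event handler itself no longer needs any permission beyond reading the created resource. The scoping matters: the service user gets ACL administration on the one folder, not ContentManager, so a bug in the handler or a crafted upload elsewhere cannot turn it into a repository-wide permission change. As before, the resource ends up with inheritance broken, so later ACL changes on the parent folder will not propagate to forms already created.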