Alfresco ACL on WCM WebForms, a howto

When you set up an Alfresco Web Project, you configure it to use a set of web forms already available in the Alfresco repository. From that moment on, every user with write rights on the web project can pick any web form and push content through it into the AVM repository. But what if you want to forbid some users from using some web forms? Out of the box, Alfresco has no GUI control for defining web-form-level ACLs, but in fact there’s an easy way to define them without any real customization. Let’s see how to do that on the Alfresco WCM we set up in the previous chapters of this series.
The idea
So, we want to be able to relate web forms to users or groups, thus restricting access to web forms depending on your credentials. We want to configure a number of web forms to be available on the web project, while users see only the ones they have access to when they try to create content, so that dropdowns and links appear only when appropriate. Moreover, we do not want to waste our time on custom code; we just want Alfresco to do its job.
The way we are going to address this requirement is by configuring real ACLs on the web forms themselves, so that the Alfresco permission checks trim the list of web forms offered to users whenever they ask to create content. Sounds reasonable, right?
Bug!
As a disclaimer, I must say the proposed approach doesn’t work with a vanilla Alfresco 3.2r because of a nasty bug that throws exceptions all over the place once you have configured restrictive ACLs on web forms. Thanks to the open source nature of Alfresco, and thanks to Brad Davis, who provided a patch for it, we can just change the Alfresco source code and move forward. While we wait for a real mavenized Alfresco, this involves having the Alfresco SDK properly installed on your system, applying the patch and uploading the result to your local Maven repo. To ease your life, you can go straight to this last step using this patched Alfresco WAR and type:
utopia-II:Downloads skuro$ mvn install:install-file -DartifactId=alfresco -DgroupId=org.alfresco -Dversion=3.2r -Dtype=war -Dclassifier=community-patched -Dfile=alfresco-3.2r-community-patched.war
After that you have to switch to this artifact in your alfresco-extension project’s pom dependencies.
Define the ACL
Now start up Alfresco and log in as the admin. To prove the ACL’s effectiveness, we will need two users and one group. In the following I’ll assume the users are called bob and todd, and the group, where only bob is listed, is called full-access.
Now go to the Company Home/Data Dictionary/Web Forms folder and open the property sheet of the article web form folder.
You’ll now be able to customize the permissions at this level by clicking on Manage Space users, which brings you to the ACL management wizard. Uncheck the Inherit Parent Space Permissions box and then click on Invite.., setting up the full-access group to have the Coordinator role.
Test it
We’re already done! Now, try to log in to Alfresco with the two users and verify that only bob can actually see the article web form appearing in the UI.
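The same ACL change, plus a report of which web form folders still inherit their parent’s permissions, written against the method names of Alfresco’s JavaScript API. This is an added example, not code from the original post: the group authority GROUP_full-access assumes Alfresco’s GROUP_ prefix for group names, and fakeNode() and the press-release form are constructed stand-ins so it can be run outside the repository.

```javascript
// Added example. Method names follow Alfresco's JavaScript API (ScriptNode);
// fakeNode() is a constructed stand-in so the file also runs under Node.

// "Define the ACL" as a script: stop inheriting, then grant one role to one authority.
function restrictWebForm(formFolder, authority, role) {
  formFolder.setInheritsPermissions(false);
  formFolder.setPermission(role, authority);
}

// One row per web form folder: does it still inherit, and which ALLOWED entries
// does getPermissions() report ("ALLOWED;AUTHORITY;PERMISSION" strings)?
function auditWebForms(webFormsRoot) {
  var rows = [], forms = webFormsRoot.children;
  for (var i = 0; i < forms.length; i++) {
    var perms = forms[i].getPermissions(), allowed = [];
    for (var j = 0; j < perms.length; j++) {
      var parts = String(perms[j]).split(";");
      if (parts[0] === "ALLOWED") allowed.push(parts[1] + ":" + parts[2]);
    }
    rows.push({ name: String(forms[i].name),
                inherits: forms[i].inheritsPermissions(),
                allowed: allowed });
  }
  return rows;
}

// Constructed stand-in exposing only the ScriptNode members used above.
function fakeNode(name, children) {
  var inherits = true, perms = [];
  return {
    name: name,
    children: children || [],
    setInheritsPermissions: function (v) { inherits = v; },
    inheritsPermissions: function () { return inherits; },
    setPermission: function (perm, auth) { perms.push("ALLOWED;" + auth + ";" + perm); },
    getPermissions: function () { return perms.slice(); }
  };
}

// Constructed sample: two web forms, only "article" gets the restrictive ACL.
function demo() {
  var article = fakeNode("article"), press = fakeNode("press-release");
  var root = fakeNode("Web Forms", [article, press]);
  restrictWebForm(article, "GROUP_full-access", "Coordinator");
  return auditWebForms(root);
}

console.log(JSON.stringify(demo(), null, 2));
```

Any row with inherits set to true is a web form that every user with access to the parent Web Forms space can still see. Inside the repository the two functions take real nodes, for instance the result of companyhome.childByNamePath("Data Dictionary/Web Forms").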
Conclusion
This technique allows for a whole lot of use cases, where different divisions are not allowed to author content of different types. The only drawback of this solution is that when you have more than one web project per Alfresco instance, and you want to reuse the web forms, you will need to set up different groups for the different web projects (this will almost always be the case, anyway) and do the ACL configuration twice. Not that big a deal, of course, but the lack of any centralized ACL management tool will make the permission schemes harder to maintain.
This entry was posted by Carlo Sciolla on January 12, 2010 at 5:54 pm, and is filed under Alfresco, Alfresco Dev Series, Developer, OpenSource, Sourcesense.

about 7 months ago
The “previous chapter” of the Alfresco WCM Dev Series mentioned in the beginning of this post is actually being written. It will be published after this one, hopefully in a short time.