Learn how to set up permissions on a structure and see the results of a security policy.
Assigning Permissions
Goal
The goal is to allow Read and Write access to the sales group members on the North America contract portfolio. Permissions are inherited, which means they will apply to all documents below unless the inheritance is blocked.
Prerequisites
- Install the addon Getting started with the Nuxeo Platform. See Setting up Your Nuxeo Environment.
- Create users on your Nuxeo instance. See Setting up Your JavaScript Environment.
Procedure
Create a file called grantReadWriteToSales.js with the following content.

```javascript
const Nuxeo = require('nuxeo');

// Administrator credentials are hard-coded for this tutorial only. In real
// code load them from the environment or a secret store, never from a script
// checked into source control.
const nuxeo = new Nuxeo({
  auth: {
    method: 'basic',
    username: 'Administrator',
    password: 'Administrator'
  }
});

// 'username' accepts either a user or a group name; here it is the sales group.
const whichPermission = {
  permission: 'ReadWrite',
  username: 'sales'
};
const onWhichDoc = '/default-domain/workspaces/North America';

nuxeo.repository()
  .fetch(onWhichDoc)
  .then(function(doc) {
    // Adds an ACE to the document's local ACL; documents below inherit it
    // unless inheritance is blocked on them.
    return doc.addPermission(whichPermission);
  })
  .then(function(doc) {
    console.log('Permission has been added on the document!');
  })
  .catch(function(error) {
    console.log('Apologies, an error occurred while adding the permission.');
    console.log(error);
  });
```
Save and run:
$ node grantReadWriteToSales.js
Checking Granted Permissions
Goal
Verify the permissions that have been set on the document.
Prerequisites
- Assigning Permissions step (above)
Procedure
Create a file called checkPermissions.js with the following content.

```javascript
const Nuxeo = require('nuxeo');

// Same tutorial-only credentials as in grantReadWriteToSales.js.
const nuxeo = new Nuxeo({
  auth: {
    method: 'basic',
    username: 'Administrator',
    password: 'Administrator'
  }
});

const onWhichDoc = '/default-domain/workspaces/North America';

nuxeo.repository()
  // Ask for the 'acls' enricher so the response carries the current ACLs
  // (local and inherited) under doc.contextParameters.acls.
  .enricher('document', 'acls')
  .fetch(onWhichDoc)
  .then(function(doc) {
    console.log('Permissions defined on ' + doc.title + ':');
    const acls = doc.contextParameters.acls;
    for (let indexAcls = 0; indexAcls < acls.length; indexAcls++) {
      console.log(acls[indexAcls]);
    }
  })
  .catch(function(error) {
    console.log('Apologies, an error occurred while retrieving the permissions.');
    console.log(error);
  });
```
Save and run:
$ node checkPermissions.js
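The script above prints the raw ACL list, but the security-relevant question is what that list resolves to for a given user. The following added example (written for this page, not part of the Nuxeo tutorial or of the Nuxeo JavaScript client) evaluates such a list the way a server does: ACLs are scanned in order, local before inherited, and the first ACE that names the user, one of the user's groups, or Everyone and that covers the requested permission decides. It also shows how blocking inheritance appears in the data. Assumptions, labelled in the code: the ACL/ACE shape of `sampleAcls` mirrors what the acls enricher returns but is constructed sample data, `IMPLIES` is a simplified permission hierarchy, the group memberships are invented, and the administrator bypass (administrators are authorised before ACLs are consulted) is not modelled.

```javascript
// Added example, not from the Nuxeo tutorial: resolve enricher-style ACLs
// for a principal. All data below is constructed for illustration.

// Simplified permission hierarchy (assumption; the real server derives this
// from its permission provider). ReadWrite covers Read and Write, Everything
// covers all.
const IMPLIES = {
  Everything: ['Everything', 'ReadWrite', 'Read', 'Write', 'Remove', 'Browse'],
  ReadWrite: ['ReadWrite', 'Read', 'Write', 'Browse'],
  Read: ['Read', 'Browse'],
  Write: ['Write'],
  Remove: ['Remove'],
  Browse: ['Browse']
};

function aceCovers(acePermission, wanted) {
  return (IMPLIES[acePermission] || [acePermission]).indexOf(wanted) !== -1;
}

// Principals an ACE can match for this user: the user, its groups and Everyone.
function principalsOf(user, groups) {
  return [user].concat(groups).concat(['Everyone']);
}

// Scan ACLs in order; the first matching ACE wins, whether it grants or denies.
// Returns 'granted', 'denied' or 'unresolved' (no ACE matched at all).
function checkAccess(acls, user, groups, permission) {
  const principals = principalsOf(user, groups);
  for (const acl of acls) {
    for (const ace of acl.aces) {
      // Pending or archived ACEs (time-bounded grants) are not in effect.
      if (ace.status && ace.status !== 'effective') continue;
      if (principals.indexOf(ace.username) === -1) continue;
      if (!aceCovers(ace.permission, permission)) continue;
      return ace.granted ? 'granted' : 'denied';
    }
  }
  return 'unresolved';
}

// Blocking inheritance is recorded as a deny of Everything to Everyone in the
// local ACL; everything granted in the inherited ACL is unreachable after it.
function isInheritanceBlocked(acls) {
  const local = acls.find(function(a) { return a.name === 'local'; });
  return !!local && local.aces.some(function(ace) {
    return ace.username === 'Everyone' && ace.permission === 'Everything' && ace.granted === false;
  });
}

// Constructed sample, shaped like doc.contextParameters.acls (assumption):
// sales gets ReadWrite locally, then inheritance is blocked; the inherited ACL
// would have given members Read.
const sampleAcls = [
  { name: 'local', aces: [
    { username: 'sales', permission: 'ReadWrite', granted: true, status: 'effective' },
    { username: 'Everyone', permission: 'Everything', granted: false, status: 'effective' }
  ] },
  { name: 'inherited', aces: [
    { username: 'members', permission: 'Read', granted: true, status: 'effective' },
    { username: 'Administrator', permission: 'Everything', granted: true, status: 'effective' }
  ] }
];

console.log(checkAccess(sampleAcls, 'afraser', ['sales', 'members'], 'Write'));
console.log(checkAccess(sampleAcls, 'bob', ['members'], 'Read'));
console.log(isInheritanceBlocked(sampleAcls));
```

The second call is the point to notice: bob is in members, and members has Read in the inherited ACL, but the local Everyone/Everything deny is reached first, so the answer is denied. Blocking inheritance cuts off every inherited grant, including the ones you meant to keep, which is why the local ACL must re-grant whatever is still needed before the block.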
Restricting File Download Using a Security Policy
Goal
A file download security policy has been defined in the addon Getting started with the Nuxeo Platform. It only allows Administrators and users that are members of the managers group to download files. We will check it by trying to download a contract:
- Using Alicia's account. Alicia has Read and Write permissions on the contract but is not a manager.
- Using Sarah's account. Sarah has Read and Write permissions and is a manager.
Procedure
Create a file called checkFileDownloadPolicy.js to check the policy against a contract named To the Moon and Back in the Beyond Space Travel Agency portfolio.

```javascript
const Nuxeo = require('nuxeo');

// Alicia's account: ReadWrite on the contract, but not a manager.
const nuxeo = new Nuxeo({
  auth: {
    method: 'basic',
    username: 'afraser',
    password: 'afraser'
  }
});

// Document names are truncated by the platform, hence 'Beyond Space Travel Agen'.
const contractToDownload = '/default-domain/workspaces/North America/Beyond Space Travel Agen/To the Moon and back';

nuxeo.repository()
  .fetch(contractToDownload)
  .then(function(contract) {
    // Fetching the document succeeds (Read is granted); the security policy
    // is enforced on the blob download itself.
    return contract.fetchBlob();
  })
  .then(function(blob) {
    console.log('Contract\'s file can be downloaded!');
  })
  .catch(function(error) {
    console.log('The contract\'s file can\'t be downloaded, response is:');
    // A policy refusal carries an HTTP response; a network failure does not.
    if (error.response) {
      console.log(error.response.status + ' ' + error.response.statusText);
    } else {
      console.log(error);
    }
  });
```
Save and run:
$ node checkFileDownloadPolicy.js
You get a 403 Forbidden error because the policy denies the file download in that case: Alicia has ReadWrite on the document, but the policy is evaluated on top of the ACLs and she is not a manager.

Now, in the same file, change the login information at the beginning to use Sarah's account.

```javascript
const Nuxeo = require('nuxeo');
const nuxeo = new Nuxeo({
  auth: {
    method: 'basic',
    username: 'sconnor', // Change username
    password: 'sconnor'  // and password to use Sarah's account
  }
});
```
Execute the file checkFileDownloadPolicy.js again:
$ node checkFileDownloadPolicy.js
This time the contract can be downloaded.