Tutorials

Handling Permissions

Updated: March 18, 2024

Learn how to set up permissions on a structure and see the results of a security policy.

Assigning Permissions

Goal

The goal is to allow Read and Write access to the sales group members on the North America contract portfolio. Permissions are inherited, which means they will apply to all documents below unless the inheritance is blocked.

Prerequisites

Procedure

  1. Create a file called grantReadWriteToSales.js with the following content.

    const Nuxeo = require('nuxeo');
    const nuxeo = new Nuxeo({
      auth: {
        method: 'basic',
        username: 'Administrator',
        password: 'Administrator'
      }
    });
    
    var whichPermission = {
      'permission': 'ReadWrite',
      'username': 'sales'
    };
    var onWhichDoc = '/default-domain/workspaces/North America';
    nuxeo.repository()
      .fetch(onWhichDoc)
      .then(function(doc) {
        return doc.addPermission(whichPermission);
      })
      .then(function(doc) {
        console.log('Permission has been added on the document!');
      })
      .catch(function(error) {
        console.log('Apologies, an error occurred while adding the permission.');
        console.log(error);
      });
    
  2. Save and run:

    $ node grantReadWriteToSales.js
    

Checking Granted Permissions

Goal

Verify the permissions that have been set on the document.

Prerequisites

  • Assigning Permissions step (above)

Procedure

  1. Create a file called checkPermissions.js with the following content.

    const Nuxeo = require('nuxeo');
    const nuxeo = new Nuxeo({
      auth: {
        method: 'basic',
        username: 'Administrator',
        password: 'Administrator'
      }
    });
    
    var onWhichDoc = '/default-domain/workspaces/North America';
    
    nuxeo.repository()
      // We add the ACLs enricher to obtain current permissions on the doc
      .enricher('document', 'acls')
      // Then fetch the document
      .fetch(onWhichDoc)
      .then(function(doc) {
        console.log('Permissions defined on ' + doc.title + ':')
        for (var indexAcls = 0; indexAcls < doc.contextParameters.acls.length; indexAcls++) {
          console.log(doc.contextParameters.acls[indexAcls]);
        }
      })
      .catch(function(error) {
        console.log('Apologies, an error occurred while retrieving the permissions.');
        console.log(error);
      });
    
  2. Save and run:

    $ node checkPermissions.js
    

Learn more

 

Restricting File Download Using a Security Policy

Goal

A file download security policy has been defined in the addon Getting started with the Nuxeo Platform. It only allows Administrators and users that are members of the managers group to download files. We will check it by trying to download a contract:

  1. Using Alicia's account. Alicia has Read and Write permissions on the contract but is not a manager.
  2. Using Sarah's account. Sarah has Read and Write permissions and is a manager.

Procedure

  1. Create a file called checkFileDownloadPolicy.js to check the policy against a contract named To the Moon and Back in the Beyond Space Travel Agency portfolio.

    const Nuxeo = require('nuxeo');
    const nuxeo = new Nuxeo({
      auth: {
        method: 'basic',
        username: 'afraser',
        password: 'afraser'
      }
    });
    
    var contractToDownload = '/default-domain/workspaces/North America/Beyond Space Travel Agen/To the Moon and back';
    
    nuxeo.repository()
      .fetch(contractToDownload)
      .then(function(contract) {
        return contract.fetchBlob();
      })
      .then(function(blob) {
        console.log('Contract\'s file can be downloaded!');
      })
      .catch(function(error) {
        console.log('The contract\'s file can\'t be downloaded, response is:');
        console.log(error.response.status + ' ' + error.response.statusText);
      });
    
  2. Save and run:

    $ node checkFileDownloadPolicy.js
    

    You are getting an error 403: forbidden because the file download is restricted in that case.

  3. Now, in the same file, change the login information at the beginning to use Sarah's account.

    const Nuxeo = require('nuxeo');
    const nuxeo = new Nuxeo({
      auth: {
        method: 'basic',
        username: 'sconnor', // Change username
        password: 'sconnor'  // and password to use Sarah's account
      }
    });
    
  4. Execute the file checkFileDownloadPolicy.js again.

    $ node checkFileDownloadPolicy.js
    

    This time the contract can be downloaded.