Handling Permissions

Updated: February 21, 2017

Learn how to set up permissions on a structure and see the results of a security policy.

Assigning Permissions

Goal

The goal is to grant Read and Write access on the North America contract portfolio to the members of the sales group. Permissions are inherited, which means they apply to all documents below the portfolio unless the inheritance is blocked.

Prerequisites

Procedure

  1. Create a file called grantReadWriteToSales.js with the following content.

    const Nuxeo = require('nuxeo');
    const nuxeo = new Nuxeo({
      auth: {
        method: 'basic',
        username: 'Administrator',
        password: 'Administrator'
      }
    });
    
    var whichPermission = {
      'permission': 'ReadWrite',
      'username': 'sales'
    };
    var onWhichDoc = '/default-domain/workspaces/North America';
    nuxeo.repository()
      .fetch(onWhichDoc)
      .then(function(doc) {
        return doc.addPermission(whichPermission);
      })
      .then(function(doc) {
        console.log('Permission has been added on the document!');
      })
      .catch(function(error) {
        console.log('Apologies, an error occurred while adding the permission.');
        console.log(error);
      });
    
  2. Save and run:

    $ node grantReadWriteToSales.js
    

Checking Granted Permissions

Goal

Verify the permissions that have been set on the document.

Prerequisites

  • Assigning Permissions step (above)

Procedure

  1. Create a file called checkPermissions.js with the following content.

    const Nuxeo = require('nuxeo');
    const nuxeo = new Nuxeo({
      auth: {
        method: 'basic',
        username: 'Administrator',
        password: 'Administrator'
      }
    });
    
    var onWhichDoc = '/default-domain/workspaces/North America';
    
    nuxeo.repository()
      // We add the ACLs enricher to obtain current permissions on the doc
      .enricher('document', 'acls')
      // Then fetch the document
      .fetch(onWhichDoc)
      .then(function(doc) {
        console.log('Permissions defined on ' + doc.title + ':');
        for (var indexAcls = 0; indexAcls < doc.contextParameters.acls.length; indexAcls++) {
          console.log(doc.contextParameters.acls[indexAcls]);
        }
      })
      .catch(function(error) {
        console.log('Apologies, an error occurred while retrieving the permissions.');
        console.log(error);
      });
    
  2. Save and run:

    $ node checkPermissions.js
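
Printing the ACLs shows what is set, but not whether the grant you expected is actually in force or where it comes from. The following is an added example, not part of the original tutorial or Nuxeo's code: it audits the enricher output offline. The sample data is constructed, and the field names (`name`, `aces`, `username`, `permission`, `granted`, `status`), the status values and the Everyone/Everything deny marker for blocked inheritance are assumptions to check against your server's response.

```javascript
// Added example (not Nuxeo code). SAMPLE_ACLS is constructed; the field names
// and status values are assumptions about the enricher's JSON.
const SAMPLE_ACLS = [
  { name: 'local', aces: [
    { username: 'sales', permission: 'ReadWrite', granted: true, status: 'effective' },
    { username: 'temp', permission: 'Read', granted: true, status: 'archived' }
  ] },
  { name: 'inherited', aces: [
    { username: 'Administrator', permission: 'Everything', granted: true, status: 'effective' },
    { username: 'members', permission: 'Read', granted: true, status: 'effective' }
  ] }
];

// Flatten the ACLs into rows, keeping only ACEs that are currently in force.
function effectiveAces(acls) {
  const rows = [];
  for (const acl of acls || []) {
    for (const ace of acl.aces || []) {
      if (ace.status && ace.status !== 'effective') continue; // pending or archived
      rows.push({ source: acl.name, username: ace.username,
        permission: ace.permission, granted: ace.granted !== false });
    }
  }
  return rows;
}

// True when the expected grant exists as an effective, positive ACE.
function hasGrant(acls, username, permission) {
  return effectiveAces(acls).some(r =>
    r.granted && r.username === username && r.permission === permission);
}

// Grants that come from parent documents rather than the document's own ACL.
function inheritedGrants(acls) {
  return effectiveAces(acls).filter(r => r.granted && r.source === 'inherited');
}

// Assumption: inheritance is blocked by a deny ACE for Everyone/Everything.
function inheritanceBlocked(acls) {
  return effectiveAces(acls).some(r =>
    !r.granted && r.username === 'Everyone' && r.permission === 'Everything');
}

console.log('sales has ReadWrite:', hasGrant(SAMPLE_ACLS, 'sales', 'ReadWrite'));
console.log('inherited grants:', inheritedGrants(SAMPLE_ACLS));
console.log('inheritance blocked:', inheritanceBlocked(SAMPLE_ACLS));
```

To use it with the script above, pass `doc.contextParameters.acls` instead of `SAMPLE_ACLS`.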
    


Restricting File Download Using a Security Policy

Goal

A file download security policy has been defined in the addon Getting started with the Nuxeo Platform. It only allows Administrators and users that are members of the managers group to download files. We will check it by trying to download a contract:

  1. Using Alicia's account. Alicia has Read and Write permissions on the contract but is not a manager.
  2. Using Sarah's account. Sarah has Read and Write permissions and is a manager.

Procedure

  1. Create a file called checkFileDownloadPolicy.js to check the policy against a contract named To the Moon and Back in the Beyond Space Travel Agency portfolio.

    const Nuxeo = require('nuxeo');
    const nuxeo = new Nuxeo({
      auth: {
        method: 'basic',
        username: 'afraser',
        password: 'afraser'
      }
    });
    
    var contractToDownload = '/default-domain/workspaces/North America/Beyond Space Travel Agen/To the Moon and back';
    
    nuxeo.repository()
      .fetch(contractToDownload)
      .then(function(contract) {
        return contract.fetchBlob();
      })
      .then(function(blob) {
        console.log('Contract\'s file can be downloaded!');
      })
      .catch(function(error) {
        console.log('The contract\'s file can\'t be downloaded, response is:');
        // error.response is only set when the server answered (e.g. with a 403)
        console.log(error.response ? error.response.status + ' ' + error.response.statusText : error);
      });
    
  2. Save and run:

    $ node checkFileDownloadPolicy.js
    

    You get a 403 Forbidden error because the policy restricts file download for this account.

  3. Now, in the same file, change the login information at the beginning to use Sarah's account.

    const Nuxeo = require('nuxeo');
    const nuxeo = new Nuxeo({
      auth: {
        method: 'basic',
        username: 'sconnor', // Change username
        password: 'sconnor'  // and password to use Sarah's account
      }
    });
    
  4. Execute the file checkFileDownloadPolicy.js again.

    $ node checkFileDownloadPolicy.js
    

    This time the contract can be downloaded.
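
The two manual runs above can be turned into a repeatable policy check. This is an added example, not part of the original tutorial or Nuxeo's code: it probes the download for each account, compares the result with an expected matrix, and counts only a 403 on the blob step as a policy denial, so a missing Read permission or an unreachable server is not mistaken for the policy working. `connect` is a hypothetical factory, and the stub server is constructed so the block runs offline.

```javascript
// Added example (not Nuxeo code). connect(username) is a hypothetical factory
// returning a client for that user; against a real server it would wrap
// new Nuxeo({ auth: { method: 'basic', username, password } }).

// Try the download and record at which step it stopped.
async function probeDownload(client, path) {
  let stage = 'fetch';
  try {
    const doc = await client.repository().fetch(path);
    stage = 'blob';
    await doc.fetchBlob();
    return { outcome: 'allowed', stage };
  } catch (error) {
    // No response object means the server never answered (network, DNS, ...).
    const status = error && error.response ? error.response.status : null;
    // Only a 403 on the blob step shows the download policy at work.
    const outcome = stage === 'blob' && status === 403 ? 'denied' : 'inconclusive';
    return { outcome, stage, status };
  }
}

// Compare observed outcomes with the expected matrix; returns the mismatches.
async function checkPolicy(connect, path, expected) {
  const failures = [];
  for (const [username, want] of Object.entries(expected)) {
    const got = await probeDownload(connect(username), path);
    if (got.outcome !== want) failures.push({ username, want, got });
  }
  return failures;
}

// Constructed stand-in for the server so the example runs offline: everyone
// can read the document, only the listed managers get the blob.
function stubConnect(managers) {
  const fetchBlob = username => async () => {
    if (managers.includes(username)) return {};
    throw Object.assign(new Error('Forbidden'), { response: { status: 403 } });
  };
  return username => ({
    repository: () => ({ fetch: async () => ({ fetchBlob: fetchBlob(username) }) })
  });
}

const CONTRACT = '/default-domain/workspaces/North America/Beyond Space Travel Agen/To the Moon and back';
const EXPECTED = { afraser: 'denied', sconnor: 'allowed' };
checkPolicy(stubConnect(['sconnor']), CONTRACT, EXPECTED)
  .then(failures => console.log(failures.length ? failures : 'policy behaves as expected'));
```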

History: Created by Bertrand Chauvin