
HOWTO: Grant the Edit Permission without the Remove Permission

Updated: December 2, 2024

As described on the page Managing Permissions, the Edit permission shown in the UI includes the permission to remove content (Remove).
This means that you cannot grant the Edit permission (Write) without also granting the Remove permission.

So if you want to be able to grant the Edit permission without the Remove one, you need to override the default ReadWrite permission.

We will do that in two steps:

  • First, override the default Edit permission to remove the Remove permission.
  • Then, create a new permission ReadWriteAndRemove (equivalent to the default Edit permission overridden above).

Override the Edit Permission

  1. Add a new contribution to remove the Remove permission from the Write permission.
    Check the Nuxeo Explorer page to find the extension point to update.

    <extension target="org.nuxeo.ecm.core.security.SecurityService"
      point="permissions">
      <permission name="Write">
        <remove>Remove</remove>
      </permission>
    </extension>
    

This change makes the ReadWrite permission, displayed under the permission label Edit in the UI, behave as intended: it no longer includes the right to remove content.

Create a New Permission

If you want users to be able to add and remove content, you must now grant them both the Write permission and the Remove permission. Alternatively, you can add a new permission that behaves like the default ReadWrite permission used to.

  1. Define a new global permission to read, edit and remove content.

    <extension target="org.nuxeo.ecm.core.security.SecurityService"
      point="permissions">
      <permission name="ReadWriteAndRemove">
        <include>Read</include>
        <include>Write</include>
        <include>Remove</include>
      </permission>
    </extension>
    
  2. Make the new ReadWriteAndRemove permission visible in the drop-down list in the UI.
    Check the Nuxeo Explorer page to see how to register permission visibility in the user interface.

    <extension point="permissionsVisibility" target="org.nuxeo.ecm.core.security.SecurityService">
      <visibility>
        <item order="10" show="true">Read</item>
        <item denyPermission="Write" order="50" show="true">ReadWrite</item>
        <item denyPermission="Write" order="55" show="true">ReadWriteAndRemove</item>
        <item denyPermission="Remove" order="60" show="true">ReadRemove</item>
        <item order="100" show="true">Everything</item>
      </visibility>
    </extension>
    
  3. Deploy your customizations.
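
To check before deploying that the contributions above leave Edit without delete rights, the following added example (not part of the Nuxeo documentation or code base) parses the `permissions` XML and resolves which permissions transitively grant Remove. The `BASELINE` block is a constructed, simplified stand-in for the default definitions, the in-order merge is a simplified model of how contributions combine, and the function names `merge`, `effective` and `grants_remove` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified baseline (assumption): only the relationships this
# page describes, not Nuxeo's full default permission set.
BASELINE = """
<extension target="org.nuxeo.ecm.core.security.SecurityService" point="permissions">
  <permission name="Write"><include>Remove</include></permission>
  <permission name="ReadWrite"><include>Read</include><include>Write</include></permission>
</extension>
"""

# The two permission contributions from this page.
OVERRIDE = """
<extension target="org.nuxeo.ecm.core.security.SecurityService" point="permissions">
  <permission name="Write"><remove>Remove</remove></permission>
  <permission name="ReadWriteAndRemove">
    <include>Read</include><include>Write</include><include>Remove</include>
  </permission>
</extension>
"""

def merge(*contributions):
    """Apply contributions in order: <include> adds a member, <remove> drops it."""
    groups = {}
    for xml_text in contributions:
        for perm in ET.fromstring(xml_text).iter("permission"):
            members = groups.setdefault(perm.get("name"), set())
            members.update(e.text.strip() for e in perm.findall("include"))
            members.difference_update(e.text.strip() for e in perm.findall("remove"))
    return groups

def effective(groups, name, seen=None):
    """Return `name` plus every permission it grants, directly or transitively."""
    seen = set() if seen is None else seen
    if name in seen:  # already visited; also guards against include cycles
        return seen
    seen.add(name)
    for child in groups.get(name, ()):
        effective(groups, child, seen)
    return seen

def grants_remove(groups, name):
    return "Remove" in effective(groups, name)

if __name__ == "__main__":
    before, after = merge(BASELINE), merge(BASELINE, OVERRIDE)
    for perm in ("Write", "ReadWrite", "ReadWriteAndRemove"):
        print(perm, "before:", grants_remove(before, perm), "after:", grants_remove(after, perm))
```

Running the same check against the contributions actually packaged in your bundle catches a later change that reintroduces Remove through another included permission.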
