Disabling inherited permissions on a Site causes the SiteManager to loose rights
It's been a while since I last posted something, that didn't mean I wasn't into Alfresco on the contrary I was too busy with Alfresco stuff to post ;).
So what's this issue all about??
The issue has to do with the permissions based on roles(SiteConsumer, SiteContributer,SiteCollaborator and SiteManager) handled and configured within Sites.
Within an Enterprise organisation it's not sufficient to group everyone within these roles. Most likely you'll have departments with their own access rights. E.g. there will be a group Finance department with a role SiteContributer.
So before you'll know it, the repository view will be used to set permissions. This is were the issue starts.
The following image is the default Site Manage Permissions view:
But we want to add the "Finance Department" group, so we need the Repository view "Manage Permissions":
So the normal way setting a permission will be the following:
Click on "Inherit Permissions" button to disable the current active permissions
Click on Add User/Group to add our "Finance Department"
Save
Which will result in the following:
Outside a site this is a proper permission-set but within a site this disables the Site Manager to have admin rights. So the Site Manager can't even fix the issue he/she has noticed afterwards :(.
So there are 3 solutions for this:
Use the default Site "Manage Permissions" View to first disable all the roles to have access. This will disable the "Inherit Permissions" and will add the SiteManager permission to the folder/content.
Write a Java Behaviour which will run on NodeServicePolicies.OnUpdatePropertiesPolicy and will add the SiteManager permission after inheritsPermissions() has been set to false.
Or like what I did, because I can't shutdown production for a while, is write a JavaScript which fires from the JavaScript-Console within Share
This is the piece of code I use after an issue is submitted:
var site = space; recurse(site.childByNamePath("documentLibrary"), function(node) { if (!node.inheritsPermissions()) { logger.log("BEFORE: " + node.getPermissions()); node.removePermission("SiteManager", "GROUP_site_" + site.name + "_SiteManager"); node.removePermission("SiteManager", "GROUP_" + site.name + "_SiteManager"); node.setPermission("SiteManager", "GROUP_site_" + site.name + "_SiteManager"); logger.log("AFTER: " + node.getPermissions()); } });
I've instructed all the Site Admin's to follow step 1 before changing permissions, but like always there are cases where users don't follow guide lines.
--- UPDATE ---
Alfresco opened a JIRA ticket: https://issues.alfresco.com/jira/browse/ALF-16522













