• File permissions

 #20705  by moonwolf
 
I don't understand how they work.

I have a few directories:
root - RO for ROLE_USER
|- dirA - owned by user1, read and write permissions for ROLE_USER
   |- dirB - owned by user2, read and write permissions for ROLE_USER
      |- dirC - owned by user3, read and write permissions for ROLE_USER
         |- file.pdf  - added by user1, read and write permissions for ROLE_USER (user1, user2, user3 and okmAdmin are separately listed with all permissions)
Now I'm logging in as user4, and I'm unable to delete the file with the context menu or the toolbar.

BUT

When I check the checkbox to the left of the filename, I'm able to delete this file (the same goes for directories. Read-only directories are safe, but the delete icon is active; an error message appears after clicking on it). Why does it work this way? Am I missing something?

Some update: now I can't purge the trash because of this file. It confuses me - why can I move a file to the trash but cannot empty the trash? It doesn't make sense to me...
OKM-012001(PurgeTrash): Repository internal error

Could not delete file '/home/moonwolf/Dokumenty/openkm-6.2.2-community/tomcat/repository/datastore/64/26/39/dd/642639dd-2aa0-4f97-8151-9eb4fa324192'
I think it's a little too late for permission checking...
 #20726  by jllort
 
ROLE_USER and ROLE_ADMIN should be removed from okm:root (categories and templates).
user1 should have ROLE_X + ROLE_USER (ROLE_USER is used for all users to pass login and should not be propagated to the repository).
At okm:root, major users should only have read access.
 #20739  by moonwolf
 
OK. So another test:

okm:root - read only for ROLE_OFFICE
one directory: 'test' - created by okmAdmin, read and write permissions for ROLE_OFFICE
In this directory user1 (ROLE_OFFICE) has added a file - 'test.pdf'. Of course it has read and write permissions for ROLE_OFFICE (no delete permission), and all permissions for okmAdmin and user1.
Now I'm logging in as user2 (ROLE_OFFICE). And as before, I can't delete the file when I click on the filename, but I'm able to do it by checking the checkbox. The file is in the trash, which I am unable to purge. I have removed ROLE_USER from everywhere in the repository.

And another strange thing - user1 cannot delete his own file despite the fact that he has all permissions (same thing as for user2). I still don't understand what I am doing wrong.
 #20760  by jllort
 
Are you sure you can delete the file from the checkbox but not without it?
Make some screenshots here so we can understand better, with a detailed step-by-step example (and showing the security panels).
 #20764  by moonwolf
 
OK, let's try:

Root and directory permissions:

Image
Image

File permissions:
Image

Note that I'm logged in as the file owner and still can't delete the file.

But:
Image

Trash can be purged with this file.

I uploaded file again. And again - no delete possibility.
Image

Now the other user (I forgot to change the language):
Image

With the checkbox - I can delete:
Image

File is in trash:
Image

But:
Image

What more information can I provide? Users are from LDAP (both have ROLE_OFFICE + ROLE_USER), and there is Fedora 16 on the server. I don't know what information may be useful.
 #20801  by jllort
 
- You cannot delete the folder test because it is a child of okm:root and there you do not have delete privileges (to delete a folder you need the parent grant, that's the idea).

- You can delete the test1.pdf file because it's in the test folder, on which you have delete grants from the folder (if you do not have folder grants, document grants are revoked, because really you're deleting a child node of the folder, that's the idea).

- With the checkbox, delete grants are not evaluated because doing it would be too complex, and it is delegated to the operation: if you select some massive operation that cannot be completed, you'll get the error.

The only strange problem I see in your screenshots is the purge from trash (could you make a capture with the document's grants there and nowak trash folder grants?).
 #20802  by moonwolf
 
jllort wrote: - You cannot delete the folder test because it is a child of okm:root and there you do not have delete privileges (to delete a folder you need the parent grant, that's the idea).
- You can delete the test1.pdf file because it's in the test folder, on which you have delete grants from the folder (if you do not have folder grants, document grants are revoked, because really you're deleting a child node of the folder, that's the idea).
Now I understand - I need to add delete grants to the folder to be able to delete files in this folder. Now I'm wondering why I didn't figure it out at first - it's simple and intuitive (:)
jllort wrote: - With the checkbox, delete grants are not evaluated because doing it would be too complex, and it is delegated to the operation: if you select some massive operation that cannot be completed, you'll get the error.
But deleting (moving to trash) the file is executed with no error (as opposed to deleting read-only directories - there I get an error message). Without the checkbox there is no possibility to delete the file, so shouldn't I get an error message when trying to delete the file with the checkbox?
jllort wrote: The only strange problem I see in your screenshots is the purge from trash (could you make a capture with the document's grants there and nowak trash folder grants?).
File:
Image

And folder:
Image

Now almost everything is clear to me, so thank you for clarifying this for me. The only thing I still don't understand is deleting a file with the checkbox. The user won't purge this file, but with many deleted files it will be painful to restore them all.
 #24302  by dummy
 
I have the same issue with version 6.2.4: all the users in the group with the read/write permission can create folders/add documents, but cannot delete items without checking these items. But when I check these items, the delete toolbar button is enabled to delete them all; I tried and it deleted them into the trash, from which I can restore them. Is it a mistake, because in fact without delete permission these users cannot delete these items?
 #24328  by jllort
 
Ensure you really do not have grants to delete, because the API is the same for both cases, massive delete or simple. Remember grants use OR logic, which means "not have delete grant OR have delete grant OR others ..... = have delete grant".
 #24351  by dummy
 
This is my case, this user didn't have the DELETE permission.

Cannot delete the item without it being checked
Image

...but can delete the checked item
Image

Can you examine this situation?
 #24370  by jllort
 
When you select several files or folders at the same time, the UI security analyzer is not used and it is delegated to the action. The UI evaluation would be really complex, and it is easier to select several files and folders and then, if some of them cannot be deleted when you execute the action, you'll get the error. That's the way we've decided to implement it.
 #24374  by dummy
 
In my case, when I execute the DELETE button in the toolbar, there are no errors, and the checked items are deleted to the TRASH.
Image
 #24387  by jllort
 
In this screenshot you're connected as administrator; users with ROLE_ADMIN are super users and have no limitations from security grants, they can do anything.
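
A minimal model of the rules described in this thread, added here as an illustration and not OpenKM's code or part of any post: grants are OR-ed across the user and their roles, deleting a node also needs the delete grant on its parent folder, ROLE_ADMIN bypasses grants, and a multi-select delete is decided per item inside the action. The `Perm` bit values, the class and function names and the sample tree are assumptions constructed for this sketch.

```python
from enum import IntFlag

class Perm(IntFlag):           # bit values constructed for this sketch
    READ = 1
    WRITE = 2
    DELETE = 4

ALL = Perm.READ | Perm.WRITE | Perm.DELETE
RW = Perm.READ | Perm.WRITE

class Node:
    def __init__(self, name, parent=None, grants=None):
        self.name, self.parent = name, parent
        self.grants = grants or {}          # principal (user or role) -> Perm

def effective(node, user, roles):
    """Grants combine with OR: one matching grant with DELETE is enough."""
    perms = Perm(0)
    for principal in (user, *roles):
        perms |= node.grants.get(principal, Perm(0))
    return perms

def can_delete(node, user, roles):
    if "ROLE_ADMIN" in roles:               # superuser, grants are not evaluated
        return True
    if node.parent is None:                 # the root itself is never deletable here
        return False
    # Deleting removes a child of the folder, so the folder grant counts too.
    return (Perm.DELETE in effective(node, user, roles)
            and Perm.DELETE in effective(node.parent, user, roles))

def bulk_delete(nodes, user, roles):
    """Checkbox case: decide per item inside the action and report refusals."""
    deleted, denied = [], []
    for node in nodes:
        (deleted if can_delete(node, user, roles) else denied).append(node.name)
    return deleted, denied

def sample_tree():
    # Constructed data following the second test described in the thread.
    root = Node("okm:root", grants={"ROLE_OFFICE": Perm.READ})
    test = Node("test", root, {"ROLE_OFFICE": RW, "okmAdmin": ALL})
    pdf = Node("test.pdf", test,
               {"ROLE_OFFICE": RW, "user1": ALL, "okmAdmin": ALL})
    return root, test, pdf
```

Whatever the toolbar shows for a multi-selection, the server-side action is the enforcement point, so a denied item should come back in the refusal list instead of landing in the trash.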
