Reputation: 5940
I need to get all documents readable by a specific user. Assuming that the performer user is admin, is that possible with "standard" queries or some kind of workaround?
As an example, to be clear, say there are only two documents in the repository and only two users (besides admin). The ACL is something like this:

     | Mike | Bob
doc1 | rw   | r
doc2 | r    | -

I want to perform a query as admin to get all documents readable by Bob, thus I expect only doc1 as the result.
Thanks
Upvotes: 0
Views: 107
Reputation: 6643
The only thing which is possible is to write some Java code to execute the query with another runas user.
Here is working Java code that extends the default Alfresco webscript behaviour, where you can submit a runas parameter. If you create a Java Backend Webscript, implement the runas function and perform a SearchService.query, then you're good to go.
@Override
protected void transactionedExecute(final WebScript script,
        final WebScriptRequest scriptReq, final WebScriptResponse scriptRes)
        throws IOException
{
    // The request has already passed authentication at this point.
    // Get the runAs parameter.
    String runAs = scriptReq.getParameter(runAsParamName);
    final String fixCurrentAuthenticatedUser = authenticationService.getCurrentUserName();

    // Check inside a transaction whether the authenticated caller is an admin.
    RetryingTransactionCallback<Boolean> exampleWork = new RetryingTransactionCallback<Boolean>()
    {
        public Boolean execute() throws Exception
        {
            return authorityService.isAdminAuthority(fixCurrentAuthenticatedUser);
        }
    };
    boolean isAdmin = retryingTransactionHelper.doInTransaction(exampleWork);

    // Only admins are allowed to do that.
    // Compare string contents: == would compare references and miss an empty parameter.
    if (!isAdmin || runAs == null || runAs.isEmpty())
    {
        // Ignore runAs.
        super.transactionedExecute(script, scriptReq, scriptRes);
        return;
    }

    RunAsWork<Object> work = new RunAsWork<Object>()
    {
        public Object doWork() throws Exception
        {
            // Inside the anonymous class a bare "super" refers to RunAsWork's parent,
            // so qualify the call with the enclosing class.
            RunAsRepositoryContainer.super.transactionedExecute(script, scriptReq, scriptRes);
            return null;
        }
    };
    // Execute the webscript with the permissions of the requested user.
    AuthenticationUtil.runAs(work, runAs);
}
Upvotes: 1
Reputation: 10538
I don't think this is possible without traversing the entire collection of search results and inspecting the permissions on each result.
As others have said, if you do the search as the user instead of admin, you'll only get the results the user is allowed to see.
I suppose as admin you could do a search as the user and see what comes back, but if you have multiple users, as in your example, this will become tedious.
Upvotes: 2
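The approach both answers describe, running the search as the target user so the repository filters the results by that user's read permission, as an added example that is not code from either answer or from Alfresco. The class name ReadableBySearch, the method findReadableBy and the constructor wiring are hypothetical; the Alfresco calls are the public Java API.

```java
import java.util.ArrayList;
import java.util.List;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.search.ResultSet;
import org.alfresco.service.cmr.search.SearchService;
import org.alfresco.service.cmr.security.AuthorityService;

/** Hypothetical helper class (an assumption for this example). */
public class ReadableBySearch
{
    // Inject the public "SearchService" bean: it applies permission checks.
    // The internal lowercase "searchService" bean does not filter results.
    private final SearchService searchService;
    private final AuthorityService authorityService;

    public ReadableBySearch(SearchService searchService, AuthorityService authorityService)
    {
        this.searchService = searchService;
        this.authorityService = authorityService;
    }

    /** Returns the nodes matching ftsQuery that targetUser is allowed to read. */
    public List<NodeRef> findReadableBy(final String targetUser, final String ftsQuery)
    {
        // Impersonation is privileged: refuse unless the real caller is an admin.
        String caller = AuthenticationUtil.getFullyAuthenticatedUser();
        if (caller == null || !authorityService.isAdminAuthority(caller))
        {
            throw new SecurityException("Only administrators may search as another user");
        }
        if (targetUser == null || targetUser.isEmpty())
        {
            throw new IllegalArgumentException("targetUser is required");
        }
        return AuthenticationUtil.runAs(new RunAsWork<List<NodeRef>>()
        {
            public List<NodeRef> doWork() throws Exception
            {
                // Runs with targetUser's permissions, so unreadable nodes are dropped.
                ResultSet results = searchService.query(StoreRef.STORE_REF_WORKSPACE_SPACESSTORE,
                        SearchService.LANGUAGE_FTS_ALFRESCO, ftsQuery);
                try { return new ArrayList<NodeRef>(results.getNodeRefs()); } // copy before close
                finally { results.close(); }
            }
        }, targetUser);
    }
}
```

With the ACL from the question, calling findReadableBy with Bob as targetUser and a query that matches both documents would return only doc1.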