Partial Access to Metadata in Alfresco

By jjian
Jun. 25, 2015

As Alfresco developers know, permission management in Alfresco is based on objects such as folders or documents. If an end user has access to an object, he has access to the whole set of its metadata fields, either Read or Write. In practice, partial access to metadata fields is always needed. It is quite normal for a certain group to have Write permission on a set of properties of certain types.

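At this stage, Alfresco doesn’t support permissions on individual metadata fields, so the only thing we can do is implement this function via the Share UI. Since this function is always for custom metadata fields, it’s possible to control the exposure of the custom fields via Share form settings. Because the restriction lives in the Share UI only, the permission on the object itself is unchanged: a user who holds Write on the object still holds Write on all of its metadata fields.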

Firstly, a form with a custom ID needs to be created for the type. Only the restricted fields are included in this form.

Secondly, custom browsing actions need to be created. These actions are copies of ‘Edit Properties’, with a form ID parameter introduced so that the form service picks up the predefined custom form.

The last and most important thing is to add restrictions to the actions, so that each action is exposed only to certain groups on certain types. Two evaluators are needed: one for the object type and one for the group.

Here is an example of the evaluators:

    <bean id="evaluator.doclib.isCompanyAdmin" parent="evaluator.doclib.action.groupMembership">
       <property name="relation" value="OR"/>
       <property name="groups">
          <list>
             <value>GROUP_company_admin</value>
             <value>GROUP_ALFRESCO_ADMINISTRATORS</value>
          </list>
       </property>
    </bean>

    <bean id="evaluator.doclib.isProjectType" parent="evaluator.doclib.action.nodeType">
       <property name="types">
          <list>
             <value>someco:project</value>
          </list>
       </property>
    </bean>

With these evaluators, the end user sees the actions only if he belongs to certain groups, and only on certain types. The evaluators can be applied to an action as follows:

    <action id="edit-custom-meta" type="javascript" label="Custom Meta" icon="custom-meta">
       <param name="function">onActionCustomMeta</param>
       <permissions>
          <permission allow="true">Write</permission>
       </permissions>
       <evaluator>evaluator.doclib.isCompanyAdmin</evaluator>
       <evaluator>evaluator.doclib.isProjectType</evaluator>
    </action>
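Since the whole restriction rests on every custom action carrying both evaluators, a small configuration check is useful before deployment. The following is an added example, not code from the original post: it assumes the action definitions sit under a wrapping `<actions>` element and that each evaluator bean names `evaluator.doclib.action.groupMembership` or `evaluator.doclib.action.nodeType` directly as its parent; the `edit-budget-meta` action and `isFinanceGroup` evaluator are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the snippets above. Trailing spaces in the
# first action are kept to show that evaluator names are trimmed; the second
# action is a hypothetical misconfiguration with no defined group evaluator.
BEANS_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="evaluator.doclib.isCompanyAdmin" parent="evaluator.doclib.action.groupMembership"/>
  <bean id="evaluator.doclib.isProjectType" parent="evaluator.doclib.action.nodeType"/>
</beans>"""
ACTIONS_XML = """<actions>
  <action id="edit-custom-meta" type="javascript">
    <evaluator>evaluator.doclib.isCompanyAdmin </evaluator>
    <evaluator>evaluator.doclib.isProjectType </evaluator>
  </action>
  <action id="edit-budget-meta" type="javascript">
    <evaluator>evaluator.doclib.isProjectType</evaluator>
    <evaluator>evaluator.doclib.isFinanceGroup</evaluator>
  </action>
</actions>"""

# Parent beans named on this page, mapped to the restriction they provide.
PARENTS = {"evaluator.doclib.action.groupMembership": "group",
           "evaluator.doclib.action.nodeType": "type"}

def local(tag):
    """Drop an XML namespace prefix such as the Spring beans namespace."""
    return tag.rsplit("}", 1)[-1]

def evaluator_kinds(beans_xml):
    """Map each evaluator bean id to 'group' or 'type' via its direct parent bean."""
    kinds = {}
    for el in ET.fromstring(beans_xml).iter():
        if local(el.tag) == "bean" and el.get("parent") in PARENTS:
            kinds[el.get("id")] = PARENTS[el.get("parent")]
    return kinds

def audit_actions(actions_xml, kinds):
    """Return {action id: [problems]} for actions lacking a group or type check."""
    findings = {}
    for action in ET.fromstring(actions_xml).iter("action"):
        names = [(ev.text or "").strip() for ev in action.findall("evaluator")]
        problems = [f"undefined evaluator: {n}" for n in names if n not in kinds]
        present = {kinds[n] for n in names if n in kinds}
        problems += [f"no {k} evaluator" for k in ("group", "type") if k not in present]
        if problems:
            findings[action.get("id")] = problems
    return findings

if __name__ == "__main__":
    for action_id, problems in audit_actions(ACTIONS_XML, evaluator_kinds(BEANS_XML)).items():
        print(action_id, "->", "; ".join(problems))
```

The check covers the Share configuration only; it says nothing about what the object's Write permission allows outside these actions.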
