Disable non-admin users from deleting or updating site permissions – Alfresco Share

We can also remove the permission to delete a site or update its visibility for sites that were created before we applied the change that disables site creation in Share.

Requisites
1. Alfresco 5.x
2. Notepad++ or text editor
Steps
Assuming Alfresco is installed on C:\Alfresco on a Windows machine, go to
Edit the XML file called “custom-site-security-model-context.xml”, which we added in the previous article, and update only the highlighted entries (deleteSite and updateSite)
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
  <bean id="SiteService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
   <property name="authenticationManager">
      <ref bean="authenticationManager"/> 
   </property>
   <property name="accessDecisionManager">
      <ref bean="accessDecisionManager"/>
   </property>
   <property name="afterInvocationManager">
      <ref bean="afterInvocationManager"/>
   </property>
   <property name="objectDefinitionSource">
    <value>
               org.alfresco.service.cmr.site.SiteService.cleanSitePermissions=ACL_NODE.0.sys:base.ReadProperties
               org.alfresco.service.cmr.site.SiteService.createContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
               org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.ROLE_ADMINISTRATOR
               org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ROLE_ADMINISTRATOR 
               org.alfresco.service.cmr.site.SiteService.findSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
               org.alfresco.service.cmr.site.SiteService.getContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
               org.alfresco.service.cmr.site.SiteService.listContainers=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
               org.alfresco.service.cmr.site.SiteService.getMembersRole=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.getMembersRoleInfo=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.resolveSite=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.getSite=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
               org.alfresco.service.cmr.site.SiteService.getSiteShortName=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
               org.alfresco.service.cmr.site.SiteService.getSiteGroup=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.getSiteRoleGroup=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.getSiteRoles=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.getSiteRoot=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
               org.alfresco.service.cmr.site.SiteService.hasContainer=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.hasCreateSitePermissions=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.hasSite=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.isMember=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.listMembers=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.listMembersInfo=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.listMembersPaged=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.listSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
               org.alfresco.service.cmr.site.SiteService.listSitesPaged=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
               org.alfresco.service.cmr.site.SiteService.removeMembership=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.canAddMember=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.setMembership=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.updateSite=ACL_METHOD.ROLE_ADMINISTRATOR
               org.alfresco.service.cmr.site.SiteService.countAuthoritiesWithRole=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.isSiteAdmin=ACL_ALLOW
               org.alfresco.service.cmr.site.SiteService.*=ACL_DENY
     </value>
    </property>
  </bean>
</beans>

The file must contain everything shown above: even though we are changing only specific settings, this file overrides all the built-in permissions. Therefore we have to list all the available permissions as well for Share to work properly.
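A pre-restart check for the override file, as an added example that is not part of the original article: it parses the SiteService_security bean and reports admin-only methods that were left open, or a missing catch-all deny. The function names and the shortened sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PREFIX = "org.alfresco.service.cmr.site.SiteService."
ADMIN_ONLY = ("createSite", "deleteSite", "updateSite")  # methods restricted in these articles
ADMIN_RULE = "ACL_METHOD.ROLE_ADMINISTRATOR"

# Constructed sample: a shortened override where updateSite was left open
# and the catch-all deny line was forgotten.
SAMPLE = """<beans>
  <bean id="SiteService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
    <property name="objectDefinitionSource">
      <value>
        org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.ROLE_ADMINISTRATOR
        org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ROLE_ADMINISTRATOR
        org.alfresco.service.cmr.site.SiteService.updateSite=ACL_ALLOW
        org.alfresco.service.cmr.site.SiteService.getSite=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
      </value>
    </property>
  </bean>
</beans>"""

def parse_rules(xml_text, bean_id="SiteService_security"):
    """Return {method: rule} from the bean's objectDefinitionSource value."""
    root = ET.fromstring(xml_text)
    for bean in root.iter("bean"):
        if bean.get("id") != bean_id:
            continue
        for prop in bean.iter("property"):
            if prop.get("name") == "objectDefinitionSource":
                rules = {}
                for line in (prop.findtext("value") or "").splitlines():
                    line = line.strip()
                    if line.startswith(PREFIX) and "=" in line:
                        name, rule = line[len(PREFIX):].split("=", 1)
                        rules[name.strip()] = rule.strip()
                return rules
    raise ValueError("objectDefinitionSource of bean %r not found" % bean_id)

def audit(xml_text):
    """List problems: admin-only methods left open, missing catch-all deny."""
    rules = parse_rules(xml_text)
    problems = ["%s is %s, expected %s" % (m, rules.get(m, "undefined"), ADMIN_RULE)
                for m in ADMIN_ONLY if rules.get(m) != ADMIN_RULE]
    if rules.get("*") != "ACL_DENY":
        problems.append("catch-all SiteService.*=ACL_DENY is missing")
    return problems

if __name__ == "__main__":
    for problem in audit(SAMPLE):
        print("FAIL:", problem)
```

To check the real file, read its contents and pass them to `audit()` before restarting the server.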
Now, after restarting the Alfresco server, go to a site and select “Edit Site Details” as shown below.
[Image: disable edit site 1]
Even if the currently logged-in user is not an admin, they can see the “Edit Site Details” page and they can even change the site visibility options.
[Image: disable edit site 2]
But they cannot save any changes.
[Image: disable edit site 3]
When a non-admin user tries to change the permission, even if they actually created the site, they get the above message when they try to apply the changes.