I know there is a way to set permissions for Branches so specific people can't read/check-out/check-in files.
But, is there a way to completely hide those folders/branches so these people can't even see them?
Btw, we're using TFS2010.
Let's say that I have $/Proj/Branch1, and I deny read permission for $/Proj/Branch1 to user A. This would make $/Proj/Branch1 and everything underneath it invisible to user A. This is because by default items don't have any permissions on them, and just inherit from their parents.
If this is your scenario then there is no more work to do other than denying Read permission to the user in question.
The exception to the rule is when there is some child item of $/Proj/Branch1 to which user A has an allow. Let's call this item $/Proj/Branch1/Child/Several/Folders/Down.txt. Because user A is allowed to read this item, he or she has to be able to see all the parent folders, all the way up to $/. In this scenario the parent folders are visible, but not their contents (other than that one file Down.txt).
So if you want the path to truly disappear for a user, they have to lack read permission on the item in question and all children of that item. As I said, in the typical case, all you have to do is set a Deny for Read permission on the root item and it will propagate all the way down.
Thanks
P.Kelly's way works unless you broke the permission inheritance. If you broke it, you'll have to repeat the deny rule at each node where you broke it.
You can delete the branch (and undelete it if needed), but it will be for everybody. The feature you're asking for is simply not implemented in TFS (and I too miss it), so your solution will be good only for some cases.
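A simplified model of the visibility rules in the answers above, as an added example (not part of the original posts and not TFS's own permission engine): it lists which paths under a denied branch a user can still see, covering the explicit child allow and the broken-inheritance case. The `Node` structure, the tree and the item names other than `$/Proj/Branch1` and `Down.txt` are constructed assumptions.

```python
# Simplified model of the rules described in the answers above; not TFS's
# actual ACL evaluation. Paths and permission entries are constructed samples.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Node:
    read: Optional[str] = None  # explicit "allow"/"deny" for user A, or None
    inherit: bool = True        # False: inheritance was broken at this item

def parent(path):
    return None if path == "$" else path.rsplit("/", 1)[0]

def can_read(tree, path):
    """Nearest explicit entry wins; stop climbing where inheritance is broken."""
    while path is not None:
        node = tree[path]
        if node.read is not None:
            return node.read == "allow"
        if not node.inherit:
            return False
        path = parent(path)
    return False

def is_visible(tree, path):
    """An item is listed if it is readable or leads to a readable descendant."""
    return can_read(tree, path) or any(
        p.startswith(path + "/") and can_read(tree, p) for p in tree)

def still_visible(tree, root):
    """Audit helper: every path at or below root that user A can still see."""
    return sorted(p for p in tree
                  if (p == root or p.startswith(root + "/")) and is_visible(tree, p))

def sample_tree():
    tree = {p: Node() for p in (
        "$", "$/Proj", "$/Proj/Branch1", "$/Proj/Branch1/Other.cs",
        "$/Proj/Branch1/Child", "$/Proj/Branch1/Child/Down.txt", "$/Proj/Branch2")}
    tree["$"].read = "allow"               # user A can read the collection root
    tree["$/Proj/Branch1"].read = "deny"   # the deny from the answer
    return tree

if __name__ == "__main__":
    t = sample_tree()
    print("deny only:", still_visible(t, "$/Proj/Branch1"))
    t["$/Proj/Branch1/Child/Down.txt"].read = "allow"   # stray explicit allow
    print("child allow:", still_visible(t, "$/Proj/Branch1"))
    t = sample_tree()
    t["$/Proj/Branch1/Child"] = Node("allow", inherit=False)  # broken inheritance
    print("broken inheritance:", still_visible(t, "$/Proj/Branch1"))
    t["$/Proj/Branch1/Child"].read = "deny"             # deny repeated at the break
    print("deny repeated:", still_visible(t, "$/Proj/Branch1"))
```

An empty list from `still_visible` is the condition the answers describe for the branch to disappear for that user.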
Out-of-the-box, an Alfresco user can read a document based on:
The document's permissions
The user's role
The user's groups
Whether the user owns the document or not
Maybe some other factors I forgot?
Now, I want to add a new factor: Whether the document is currently part of a workflow.
Alfresco's permissionDefinitions.xml allows me to define permissions based on authorities such as ROLE_LOCK_OWNER etc, but it does not seem to be the right place to add permission conditions.
I guess I will have to write some Java source code, but I am not sure what classes are responsible for this, and whether there is an Alfresco way to customize them?
So, I assume you want to somehow have nodes that are attached to a workflow have different access rights? You need to think about the behavior you want in all of the UIs and protocols you are exposing (e.g. share, WebDAV, CIFS, FTP, etc.).
If you want to set a permission on a node, you can do that via JavaScript as well as Java (See http://docs.alfresco.com/5.2/references/API-JS-setPermission.html and http://docs.alfresco.com/5.2/references/dev-services-permission.html). As was mentioned in one of the comments, you can also get the number of active workflows on a node by referencing the activeWorkflows property in JavaScript (http://docs.alfresco.com/5.2/references/API-JS-ScriptNode.html) or in Java
Depending on the specifics, I might implement this in different ways, but if all you want to do is have the permission change, you could just update it at the beginning and end of your workflow with a simple javascript call. The only thing bad about that is that it doesn't take into consideration the workflow getting canceled. You could also create a policy/behavior on an aspect you attach or even have a rule or job run that updates content based on the activeWorkflows values.
As I understand it, the only way to control which documents an editor can create/edit/delete/publish is by choosing their start node?
In the case, say, of an intranet, there might be users who can edit 'news' documents but nothing else.
Would I then create a news 'root' node, with news items being allowable child documents?
But if I then give those users the news 'root' node as their starting point, yes, they can create news documents as planned, but surely they can also edit, unpublish (!) or even delete (!!!!!!!!!!!!!) the 'root' node which destroys everything.
My testing seems to support this.
Is there another way?
You are right in your understanding of the "start node" concept, as well as your editors being able to mess with the root node. But realistically, will they do that, just because they can?
In the past, we've used a simple true/false property on all nodes to determine whether the node can be deleted. We called it "undeletable", and set it on nodes that were extra important not to get removed by accident. It does NOT prevent users from going to that node, removing the check mark in "Undeletable?", saving the node, and THEN deleting it, but then it's no longer by accident.
We hooked into miscellaneous events and checked for the property - if undeletable == true on the node or any of its children, trashing/deleting/unpublishing would be cancelled.
I've made a quick update to the methods to use ContentService, but I haven't tested them. Grab'em from here: https://gist.github.com/jannikanker/b1864522fa0b86da89903f05d107518a
OK, so I know that under the new SandBox guidelines, opening a file must abide by certain rules (a.k.a. the opening action must be triggered by the user using an NSOpenPanel, given of course the necessary "open" permissions).
However, here's the catch :
In my application, I've got an NSOutlineView with a complete file manager in it (the full tree structure)
The user is supposed to be able to select a file from the outline view and then the app will open it.
How am I supposed to do that, given that the app should be 100% sandbox-compliant? Is there any known workaround? Is it even possible?
Any ideas?
Short answer: You can't do that. In order to show the contents of a folder within your app's UI, you'd first have to get the user to open it either using an open panel or dragging it in from the Finder.
You can do this, as #omz said, your application needs to request permission to access the folder containing all the files/folders that your application is showing. You don't need permission of individual files, but can get an entire directory structure as a single permission, and then store that as a security scoped bookmark so future executions of your application will already have that permission.
You could even at app launch ask the user for permission to access the entire hard drive, or their entire user directory.
You can use this class I wrote to wrap all that up into a single function call, which will then persist the permission so they are only asked on first run. https://github.com/leighmcculloch/AppSandboxFileAccess
Alternatively if you want to do it with NSOpenPanel manually, just take a look at the code in AppSandboxFileAccess as it uses it to get permissions and then persist those permissions.
I have a multi-part, possibly confusing question... it's been a while
since I've dug in to the Authorization bundle, so it's taking me a bit
to remember how it all works. Bear with me as I struggle to make sense
of my thoughts, here :)
The majority of the code that I'm writing in my system uses a call to
the documentSession.IsAllowed method to check and see if the
AuthorizationUser has permissions for the Activity specified. This has
been working wonderfully for us, no problem. I'm expanding my app's
authorization to make use of tags now and I'm wondering:
Does the documentSession.IsAllowed method account for Tags on document
permissions, role permissions, and user permissions?
For example:
If I have Bob assigned to the Manager role. The Manager role is
assigned a permission to allow a "Review" operation, with a Tag of
"ReadyForReview" on that permission. How do I make a call to
documentSession.isAllowed in a way that verifies that Bob can "Review"
things that are tagged "ReadyForReview" ?
I realize that I may be asking the wrong question and/or looking at
this from the wrong perspective. If I am going about this wrong,
please let me know.
The end goal is really to say "Can Bob review this assignment?" Where
an Assignment is a document in RavenDB that may or may not have a
"ReadyForReview" tag. Bob should only be allowed to review assignments
that have the "ReadyForReview" tag. I would like to have a method that
gives me a boolean value telling me if Bob can review that document.
Derick,
In addition to simply IsAllowed, you also have IsOperationAllowedOnDocument.
That allows you to ask security questions about a specific document instance, not just globally.
On a Drupal 6 site, I have a 'moderator' role, who works with an 'article' content type.
I want the moderators to be able to see the list of published/unpublished articles, and have the option to edit the articles (and change their 'published' status).
I do not want, however, for moderators to be able to edit (or see the list of) any other type of content.
If I give moderators the permission to 'administer nodes' I cannot stop them from editing other content types. If I remove that permission, they cannot access the content list (which is crucial for them).
Any ideas?
You might want to check out the Views Bulk Operations Module (http://drupal.org/project/views_bulk_operations). You should be able to use this module to build a custom view that displays only the content types you want the 'moderator' role to edit.
If all your content types are created with CCK you can unset each content type's permissions for moderators. If not, I'd recommend you do create them in CCK :)
You definitely don't want to give them "administer nodes" permissions since it's a huge can of worms. If the nodes are unpublished, you'll need to use the views module to get listings that will let them see the nodes.
That said, unless the node type is one created by a specific contrib module, you should be able to set the permissions on a per-role basis. If not, you might look at using a node access module to control permissions.