  • Latest Post - ‏2012-12-28T16:09:41Z by SystemAdmin
SystemAdmin
76 Posts

Pinned topic Document Type Access Rights

‏2012-12-27T15:24:04Z |
Hi all,

We have an issue with access rights to a document type (class). We have a CMIS client developed with OpenCMIS (Apache Chemistry) with FileNet CMIS. Even though the user does not have access to a document class, the logged-in user can still retrieve the document class with the following call:
List<Tree<ObjectType>> descendants = session.getTypeDescendants("cmis:document", Integer.MAX_VALUE, true);

The logged-in user that creates the session is not supposed to see a specific descendant document class, but it shows up in the list of descendants. How could we prevent this? Any help would be appreciated.

Thank you
  • Dave Sanders
    19 Posts

    Re: Document Type Access Rights

    ‏2012-12-27T19:54:47Z  
    By default, CMIS for FileNet caches class definitions. That caching gives better performance. Set SecureMetadataCache [1] to true to prevent caching of metadata and thus honor a user's security. SecureMetadataCache is a property in WEB-INF/classes/cmis.properties. Either edit that file and restart the fncmis web app, or follow [2].
    [1] http://pic.dhe.ibm.com/infocenter/p8docs/v5r1m0/index.jsp?topic=%2Fcom.ibm.installingp8cmis.doc%2Fcmico022.htm
    Note: This Info Center topic does not mention class definitions. That will be corrected in the next release of the Info Center.

    [2] http://pic.dhe.ibm.com/infocenter/p8docs/v5r1m0/index.jsp?topic=%2Fcom.ibm.installingp8cmis.doc%2Fcmico015.htm
  • SystemAdmin
    76 Posts

    Re: Document Type Access Rights

    ‏2012-12-27T20:49:08Z  
    > By default, CMIS for FileNet caches class definitions. That caching gives better performance. Set SecureMetadataCache [1] to true to prevent caching of metadata and thus honor a user's security. SecureMetadataCache is a property in WEB-INF/classes/cmis.properties. Either edit that file and restart the fncmis web app, or follow [2].
    > [1] http://pic.dhe.ibm.com/infocenter/p8docs/v5r1m0/index.jsp?topic=%2Fcom.ibm.installingp8cmis.doc%2Fcmico022.htm
    > Note: This Info Center topic does not mention class definitions. That will be corrected in the next release of the Info Center.
    >
    > [2] http://pic.dhe.ibm.com/infocenter/p8docs/v5r1m0/index.jsp?topic=%2Fcom.ibm.installingp8cmis.doc%2Fcmico015.htm
    Thank you for your answer, but neither way worked out.
  • Dave Sanders
    19 Posts

    Re: Document Type Access Rights

    ‏2012-12-28T06:43:00Z  
    > Thank you for your answer, but neither way worked out.
    > Even though the user does not have access to a document class, the logged in user can still retrieve the document class via session.getTypeDescendants("cmis:document")
    Can the user retrieve that descendant class via session.getTypeDefinition when SecureMetadataCache=true? If yes, please open an issue with IBM Support.

    If a "no access" class is returned by getTypeDescendants and getTypeChildren but not by getTypeDefinition, that's probably due to allowedSuperClass.get_ImmediateSubclassDescriptions (recursively) returning subclasses regardless of access.

    What release/fix pack of CMIS for FileNet do you have?
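
The comparison described in the reply above (getTypeDefinition versus getTypeDescendants and getTypeChildren) can be scripted and run under the restricted account. This is an added example, not code from the thread or from IBM; it assumes the OpenCMIS client library on the classpath and the AtomPub binding, and the class name and the five command-line arguments (service URL, repository id, user, password, type id) are placeholders for your own values.

```java
import java.util.*;
import org.apache.chemistry.opencmis.client.api.*;
import org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl;
import org.apache.chemistry.opencmis.commons.SessionParameter;
import org.apache.chemistry.opencmis.commons.enums.BindingType;
import org.apache.chemistry.opencmis.commons.exceptions.CmisBaseException;

public class TypeVisibilityCheck {
    // Flatten the tree returned by getTypeDescendants into a set of type ids.
    static void collect(List<Tree<ObjectType>> nodes, Set<String> ids) {
        if (nodes == null) return;
        for (Tree<ObjectType> n : nodes) {
            ids.add(n.getItem().getId());
            collect(n.getChildren(), ids);
        }
    }
    // Usage (all values are your own): <atompub-url> <repo-id> <user> <password> <hidden-type-id>
    public static void main(String[] args) {
        Map<String, String> p = new HashMap<>();
        p.put(SessionParameter.BINDING_TYPE, BindingType.ATOMPUB.value());
        p.put(SessionParameter.ATOMPUB_URL, args[0]);
        p.put(SessionParameter.REPOSITORY_ID, args[1]);
        p.put(SessionParameter.USER, args[2]);      // the account that must NOT see the class
        p.put(SessionParameter.PASSWORD, args[3]);
        String hidden = args[4];
        Session session = SessionFactoryImpl.newInstance().createSession(p);
        // 1. Direct lookup first, before the listings can fill any client-side type cache.
        boolean viaDefinition;
        try {
            session.getTypeDefinition(hidden);
            viaDefinition = true;
        } catch (CmisBaseException e) {             // not found / permission denied
            viaDefinition = false;
        }
        // 2. Full descendant tree, the call from the original post.
        Set<String> descendants = new TreeSet<>();
        collect(session.getTypeDescendants("cmis:document", Integer.MAX_VALUE, true), descendants);
        // 3. Level-by-level walk with getTypeChildren.
        Set<String> children = new TreeSet<>();
        Deque<String> todo = new ArrayDeque<>(Collections.singletonList("cmis:document"));
        while (!todo.isEmpty())
            for (ObjectType t : session.getTypeChildren(todo.poll(), false))
                if (children.add(t.getId())) todo.add(t.getId());
        System.out.printf("getTypeDefinition=%b getTypeDescendants=%b getTypeChildren=%b%n",
                viaDefinition, descendants.contains(hidden), children.contains(hidden));
        boolean exposed = viaDefinition || descendants.contains(hidden) || children.contains(hidden);
        System.exit(exposed ? 1 : 0);               // non-zero exit: the class is visible somewhere
    }
}
```

Running it once with SecureMetadataCache=false and once with SecureMetadataCache=true, after restarting the fncmis web app, shows which of the three calls still returns the class.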
  • SystemAdmin
    76 Posts

    Re: Document Type Access Rights

    ‏2012-12-28T16:09:41Z  
    > > Even though the user does not have access to a document class, the logged in user can still retrieve the document class via session.getTypeDescendants("cmis:document")
    > Can the user retrieve that descendant class via session.getTypeDefinition when SecureMetadataCache=true? If yes, please open an issue with IBM Support.
    >
    > If a "no access" class is returned by getTypeDescendants and getTypeChildren but not by getTypeDefinition, that's probably due to allowedSuperClass.get_ImmediateSubclassDescriptions (recursively) returning subclasses regardless of access.
    >
    > What release/fix pack of CMIS for FileNet do you have?
    Yes, unfortunately the user can get the descendant class via getTypeDefinition too while SecureMetadataCache=true. I tried with a custom class I created and also the "CodeModule" class, which is a descendant of the cmis:document class. Anyway, I think I have to open an issue with IBM Support, even though I don't know how to open it. Thank you for your help though, I appreciate it.

    I am using CMIS v1.0 FP2; I think that makes the version 1.0.0.2.

    Thanks again