  1. [Read Only] - Hippo Repository
  2. REPO-2239

Editors/Authors should not require write permissions to folders and sanitize CMS permission checks



    • Bug
    • Status: Closed
    • Top
    • Resolution: Fixed
    • None
    • 14.0.0
    • None
    • None


      Editors and Authors need to be able to create new folders, copy folders, duplicate documents, move to folders, delete folders, etc.

      The check in the FolderWorkFlowImpl for all of the above is whether the author/editor has "jcr:write" on the folder.

      The above is very unhandy, as it results in a very complex security domain setup, which is also very awkward: an author, for example, needs write access (hierarchical) on all folders, but not on the preview | live variant below a handle. Also, an author can then typically add a new node of type X and save it, but afterward does not have write access to the new node at all anymore.

      However, rethinking it, it shouldn't be about "jcr:write" in the first place. The role "hippo:author" should be enough to give an author all kinds of folder workflow rights. Since workflow is executed with a workflow session, the author does not need and should not need actual jcr:write access on folders!!

      All the jcr:write access an editor and author need in the content perspective is on draft documents for which they are the holder. All the rest should be and is handled by a workflow user with elevated jcr access.





              Unassigned Unassigned
              aschrijvers Ard Schrijvers
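
A simplified model of the authorization change described in the issue, as an added example that is not Hippo's code and not part of the original report: the folder workflow is gated on the "hippo:author" role and the write is carried out by the workflow session, so the author's own session holds jcr:write only on a draft it holds. The User record, the ACL map, the method names and the /content paths are assumptions made for the illustration.

```java
import java.util.*;

// Simplified model for illustration, not Hippo code. Only "jcr:write" and
// "hippo:author" come from the issue; all other names and paths are assumed.
public class FolderWorkflowGate {
    record User(String name, Set<String> roles) {}

    // Toy ACL: privileges a user's OWN session holds, keyed by "user@path".
    static final Map<String, Set<String>> ACL = new HashMap<>();
    static final List<String> REPO = new ArrayList<>();

    static boolean sessionHas(User u, String path, String privilege) {
        return ACL.getOrDefault(u.name() + "@" + path, Set.of()).contains(privilege);
    }

    // Before: folder actions required jcr:write on the folder for the caller.
    static boolean oldCheck(User u, String folder) {
        return sessionHas(u, folder, "jcr:write");
    }

    // After: the role alone authorizes the folder workflow.
    static boolean newCheck(User u) {
        return u.roles().contains("hippo:author");
    }

    static String addFolder(User u, String parent, String name) {
        if (!newCheck(u)) throw new SecurityException(u.name() + " lacks hippo:author");
        String path = parent + "/" + name;
        REPO.add(path); // performed by the elevated workflow session, not by u
        return path;
    }

    public static void main(String[] args) {
        User author = new User("alice", Set.of("hippo:author")); // constructed sample users
        User visitor = new User("bob", Set.of());
        // The only direct write the author keeps: a draft variant they hold.
        ACL.put("alice@/content/news/item/draft", Set.of("jcr:write"));
        System.out.println("old check on folder: " + oldCheck(author, "/content/news"));
        String created = addFolder(author, "/content/news", "2024");
        System.out.println("created via workflow: " + created);
        System.out.println("author jcr:write on new folder: " + sessionHas(author, created, "jcr:write"));
        System.out.println("author jcr:write on own draft: " + sessionHas(author, "/content/news/item/draft", "jcr:write"));
        try {
            addFolder(visitor, "/content/news", "x");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The record type requires Java 16 or later.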