Individual ACL for cabinets and metadata

HarryE
Posts: 5
Joined: Wed Apr 03, 2019 12:01 pm

Individual ACL for cabinets and metadata

Post by HarryE » Wed Apr 03, 2019 12:47 pm

Hello all,
It would be nice to actually apply an ACL for accessing (or not) specific (sub)cabinets and metadata.
I have a case of sensitive metadata applied to several document types and I want to restrict specific roles from reading it (Grant view permission for a specific metadata type). Currently there is only a grant view for all metadata types.

For the metadata I tried to solve the issue by checking the permission while building the list of metadata for a document

Code:

from django.utils.html import format_html_join

# Body of the template-tag/helper that renders a document's metadata list;
# the closing parenthesis was missing in the pasted snippet.
return format_html_join(
    '\n',
    '<div class="metadata-display"><b>{}: </b><span data-metadata-type="{}" data-pk="{}">{}</span></div>',
    (
        (
            document_metadata.metadata_type,
            document_metadata.metadata_type_id,
            document_metadata.id,
            document_metadata.value,
        )
        for document_metadata in document.metadata.all()
        # if permission_metadata_document_view in document.permissions
    ),
)

in apps/metadata/permissions.py but I do not understand yet where the permissions are stored and work, hence it didn't work.

rosarior
Posts: 211
Joined: Tue Aug 21, 2018 3:28 am

Re: Individual ACL for cabinets and metadata

Post by rosarior » Sat Apr 06, 2019 8:55 pm

We have this in our work list. Implementing this change requires improving one of the most fundamental pieces of code in the project, the permission system. We have some work done and we plan to add support for this (https://gitlab.com/mayan-edms/mayan-edm ... ers.py#L93) once the changes in the permission system are validated by the community after the release of version 4.0. So we are looking at maybe adding this in version 4.1. Version 4.0 is scheduled for Q3 of 2019.

The metadata permission changes are already implemented in the code for version 4.0. We've added more layers of permission to metadata. In order to see the metadata for a document, the user will need the metadata view permission for both: the metadata type and the document (or document type). This change landed in the development version and will be included in version 4.0. It might be possible to backport this change to an interim version (maybe 3.3) depending on schedule changes and workload of the team.

Thanks for the feedback!

rosarior
Posts: 211
Joined: Tue Aug 21, 2018 3:28 am

Re: Individual ACL for cabinets and metadata

Post by rosarior » Sat Apr 06, 2019 9:02 pm

Unreleased code (4.0):

https://gitlab.com/mayan-edms/mayan-edm ... ws.py#L111

The metadata access is now a dual permission operation:

Permission requirements for the metadata operations:

Code:

    # Permission required on the metadata object itself, keyed by viewset action.
    object_permission_map = {
        'list': permission_metadata_view,
        'partial_update': permission_metadata_edit,
        'destroy': permission_metadata_remove,
        'retrieve': permission_metadata_view,
        'update': permission_metadata_edit,
    }
Permission requirements for the external object (document, or document type):

Code:

    def get_external_object_permission(self):
        # Permission required on the external object (document or document type)
        # for the current viewset action; both this and the object permission
        # above must be held for the operation to proceed.
        action = getattr(self, 'action', None)
        if action is None:
            return None
        elif action == 'create':
            return permission_metadata_add
        elif action == 'destroy':
            return permission_metadata_remove
        elif action in ['partial_update', 'update']:
            return permission_metadata_edit
        else:
            return permission_metadata_view
As you can see if you compare these pieces of code with the existing code, many updates were required to support this change. We are attempting to backport as many platform changes as we can to close the code gap between the 3.x and 4.x versions. If we manage to backport the API and permissions changes it could be possible to support and release this in a 3.x version.
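The dual-permission model described in this reply, and the per-metadata-type filtering HarryE was trying to get out of a template tag in the first post, can be shown end to end with a small stand-alone model. This is an added example and not Mayan EDMS code: the permission names mirror those quoted above but are plain strings, the ACL table, roles, `MetadataType`, `Document` and the `grant`/`authorize`/`visible_metadata` helpers are all constructed for the illustration, and treating `create` as needing the add permission on the metadata type as well is an assumption of this toy model, not the project's behaviour. The point it demonstrates is that visibility is decided by an AND of two grants (document side and metadata-type side), so a role with a grant on only one side sees nothing.

```python
"""Toy model of a dual-permission metadata ACL (added example, not Mayan EDMS code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Permission labels; names mirror the thread but are plain strings here.
PERMISSION_METADATA_VIEW = "metadata_view"
PERMISSION_METADATA_EDIT = "metadata_edit"
PERMISSION_METADATA_ADD = "metadata_add"
PERMISSION_METADATA_REMOVE = "metadata_remove"

# Action -> permission required on the metadata object itself (cf. object_permission_map).
METADATA_OBJECT_PERMISSION = {
    "list": PERMISSION_METADATA_VIEW,
    "retrieve": PERMISSION_METADATA_VIEW,
    "partial_update": PERMISSION_METADATA_EDIT,
    "update": PERMISSION_METADATA_EDIT,
    "destroy": PERMISSION_METADATA_REMOVE,
}


def external_object_permission(action: str) -> str:
    """Permission required on the external object (the document), cf. get_external_object_permission."""
    if action == "create":
        return PERMISSION_METADATA_ADD
    if action == "destroy":
        return PERMISSION_METADATA_REMOVE
    if action in ("partial_update", "update"):
        return PERMISSION_METADATA_EDIT
    return PERMISSION_METADATA_VIEW


@dataclass(frozen=True)
class MetadataType:
    name: str


@dataclass(eq=False)  # identity-hashed so a Document can key the ACL table
class Document:
    label: str
    metadata: List[Tuple[MetadataType, str]]  # (type, value) pairs


# ACL table: (role, object) -> permissions granted on that object. Constructed sample data.
ACL: Dict[Tuple[str, object], FrozenSet[str]] = {}


def grant(role: str, obj: object, *perms: str) -> None:
    key = (role, obj)
    ACL[key] = ACL.get(key, frozenset()) | frozenset(perms)


def has_permission(role: str, obj: object, perm: str) -> bool:
    return perm in ACL.get((role, obj), frozenset())


def authorize(role: str, action: str, document: Document, metadata_type: MetadataType) -> bool:
    """Dual check: the role needs the action's permission on the document AND on the metadata type.

    'create' has no entry in the quoted object map; this toy model requires the add
    permission on the metadata type too (an assumption, not the project's behaviour).
    """
    if not has_permission(role, document, external_object_permission(action)):
        return False
    object_perm = METADATA_OBJECT_PERMISSION.get(action, PERMISSION_METADATA_ADD)
    return has_permission(role, metadata_type, object_perm)


def visible_metadata(role: str, document: Document) -> List[Tuple[str, str]]:
    """Metadata a role may see: filtered by the ACL, not by the rendering template."""
    return [
        (mt.name, value)
        for mt, value in document.metadata
        if authorize(role, "retrieve", document, mt)
    ]


# Constructed sample: a contract with a public title and a restricted salary field.
SALARY = MetadataType("salary")
TITLE = MetadataType("title")
CONTRACT = Document("contract-001", [(TITLE, "Employment contract"), (SALARY, "75000")])

grant("clerk", CONTRACT, PERMISSION_METADATA_VIEW)
grant("clerk", TITLE, PERMISSION_METADATA_VIEW)          # no grant on SALARY
grant("hr", CONTRACT, PERMISSION_METADATA_VIEW, PERMISSION_METADATA_EDIT)
grant("hr", TITLE, PERMISSION_METADATA_VIEW)
grant("hr", SALARY, PERMISSION_METADATA_VIEW, PERMISSION_METADATA_EDIT)
grant("auditor", SALARY, PERMISSION_METADATA_VIEW)       # type-level grant only, nothing on the document

if __name__ == "__main__":
    for role in ("clerk", "hr", "auditor"):
        print(role, visible_metadata(role, CONTRACT))
```

Running it shows the clerk seeing only the title, HR seeing both fields, and the auditor seeing nothing despite holding view on the salary type, because the document-side grant is missing. Doing the filtering in `visible_metadata` rather than in a template also means the same decision applies to the API and any other consumer, which is the weakness of the template-level filter attempted in the first post.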