Return-Path: X-Original-To: apmail-chemistry-dev-archive@www.apache.org Delivered-To: apmail-chemistry-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 96DBDEF80 for ; Thu, 30 May 2013 08:39:06 +0000 (UTC) Received: (qmail 83421 invoked by uid 500); 30 May 2013 08:39:06 -0000 Delivered-To: apmail-chemistry-dev-archive@chemistry.apache.org Received: (qmail 83245 invoked by uid 500); 30 May 2013 08:39:05 -0000 Mailing-List: contact dev-help@chemistry.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@chemistry.apache.org Delivered-To: mailing list dev@chemistry.apache.org Received: (qmail 83221 invoked by uid 99); 30 May 2013 08:39:05 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 30 May 2013 08:39:05 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of aquiporras@gmail.com designates 209.85.214.178 as permitted sender) Received: from [209.85.214.178] (HELO mail-ob0-f178.google.com) (209.85.214.178) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 30 May 2013 08:38:59 +0000 Received: by mail-ob0-f178.google.com with SMTP id fb19so5110528obc.9 for ; Thu, 30 May 2013 01:38:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=byjh+zPgtRIm4+aFHvkc2D27Nwl8GcDg7drLEo9G2KI=; b=gLcQvFO8wGoGrL380XUcnDTICHd/fP2cPN13vtcHOHMBzPDDV8JJu3LIhCOwr5xNj1 GYuBNckFocE7NumxpkLUoiCvouGCXasCyRdBr3dVQ4O+qk1yk9kYY73Sr6NjXE2FFz+H kpqHvwIZyWylPkRtFvOkMhw3hziUV8rWCPZQd8eDOST/0pF3y/1LddrsdDLokS/N1Nl9 7v45+fRXyv4gCmERUvvhQRp1GZ0R/UuO5zrqdLOd5WJnpHRQIYC7oIB1L5LTsuR7ThYz 89ylmeH4mtUYTZ42MLuQy9ICn9uhrjK3C3gkBdYpZIQsVSVOsyjxuQgQ84EPea/qyHCE CEag== MIME-Version: 1.0 X-Received: by 10.182.237.77 with SMTP id va13mr3717263obc.65.1369903118201; Thu, 30 May 2013 01:38:38 -0700 (PDT) Received: by 10.76.120.199 with HTTP; Thu, 30 May 2013 01:38:38 -0700 (PDT) Date: Thu, 30 May 2013 10:38:38 +0200 Message-ID: Subject: Services without a clearly defined Permission Mapping filter From: =?ISO-8859-1?Q?Jaime_Porras_L=F3pez?= To: dev@chemistry.apache.org Content-Type: multipart/alternative; boundary=e89a8ff1cdccbcb70404ddeb6c75 X-Virus-Checked: Checked by ClamAV on apache.org --e89a8ff1cdccbcb70404ddeb6c75 Content-Type: text/plain; charset=ISO-8859-1 Hello, Following are listed some services without a clearly defined Permission Mapping filter, based on CMIS 1.0 ( http://docs.oasis-open.org/cmis/CMIS/v1.0/errata-01/os/cmis-spec-v1.0-errata-01-os-complete.doc) and CMIS 1.1 ( http://docs.oasis-open.org/cmis/CMIS/v1.1/cos01/CMIS-v1.1-cos01.pdf ) 1) Navigation Services 1.1) getCheckedOutDocs Description: Gets the list of documents that are checked out that the user has access to. I see two options: 1.1.1) Granted to any authenticated user. (The result will be already filtered by the user permissions related with the objects) 1.1.2) If a folder is specified then apply the Permission Mapping canGetDescendants.Folder My guess is to go for the option 1.1.2. 2) Object Services 2.1) createDocumentFromSource Description: Creates a document object as a copy of the given source document in the (optionally) specified location. My guess is that the Permission Mappings to apply would be: 2.1.1) Always canGetProperties.Object 2.1.2) If the object has a content stream, also apply canViewContent.Object 2.1.3) If the optional folder is specified, also apply canCreateDocument.Folder 2.2) createPolicy Description: Creates a policy object of the specified type 2.2.1) CMIS 1.0 There is no Permission Mapping defined for this operation in CMIS 1.0. My guess is to apply the nearest permission mapping: canCreateDocument.Folder 2.2.2) CMIS 1.1 The permission mapping defined is canCreatePolicy.Folder. NOTE: In openCMIS 0.9.0-beta-1 this permission mapping is not included neither in org.apache.chemistry.opencmis.commons.enums.Action or in org.apache.chemistry.opencmis.commons.data.PermissionMapping See JIRA: https://issues.apache.org/jira/browse/CMIS-662 2.3) getAllowableActions Description: Gets the list of allowable actions for an Object My guess is that this should be granted to any authenticated user. 2.4) getRenditions Description: Gets the list of associated Renditions for the specified object. Only rendition attributes are returned, not rendition stream. The related Permission Mapping was removed in the errata version of CMIS 1.0. My guess is to apply canGetProperties. NOTE: In openCMIS 0.8.x and 0.9.0-beta-1 this permission mapping is included in org.apache.chemistry.opencmis.commons.enums.Action but not in org.apache.chemistry.opencmis.commons.data.PermissionMapping See same JIRA as in 2.2.2. 3) Discovery Services 3.1) query Description: Executes a CMIS query statement against the contents of the Repository. Based on the definition, all authenticated user is granted to query all query-able. In our implementation, we will restrict the output to all query-able objects whose ACL has at least one ACE for the current user. In this way, we can be sure the user can use all the returned objects in some way. 4) Versioning Services 4.1) getObjectOfLatestVersion Description: Get a the latest Document object in the Version Series. My guess is to apply canGetProperties.Object 4.2) getPropertiesOfLatestVersion Description: Get a subset of the properties for the latest Document Object in the Version Series. My guess is to apply canGetProperties.Object Would you mind to clarify if my guessings are correct? Thank you very much in advance. Regards, Jaime Porras. --e89a8ff1cdccbcb70404ddeb6c75--