Re: Local ECM Provider

Sato wrote:

> Hi,
>
>> Security:
>>    - in a workspace (let's use this term to define a space where
>> several people can share and work on document), you put some document
>>    - you define rights on this workspaces for example applying roles
>> to users (let's say you applied 2 roles: reader and contributor)
>>    - user A has the contributor role while user B has the reader role
>>    - when user A access to the workspace via Apogee, he needs to be
>> able to modify the document (thus apogee need to display the Modify
>> action / menu on the document)
>>    - when user B access to the workspace, we have to hide all
>> actions/menu items his role doesn't have access to
>
>
> Can I think that a role defines which ISiteOperation are allowed to be
> executed
> by ISiteControler#execute method?
>
> e.g.
> reader: - (no operation)
> contributer - COPY, CREATE, DELETE, EDIT, MOVE

I've added a method in the API

public boolean isOperationEnabled(ISiteResource resource, String
operationType);

that should check if an operation is enabled.
The ISiteController also provides 2 functions:

    /**
     * Open a new session using given credentials
     * @param credentials the credetials to use to login
     * @throws CoreException if an errormoccurs or login failed
     */   
    public void login(Map credentials) throws CoreException;

   
    /**
     * End current session
     * @throws CoreExceptionif amn error occurs
     */
    public void logout() throws CoreException;

to handle authentication.

So based on the current session (started when authenticating by calling
login() method)
the ECM provider should check if an operation is enabled or not for the
given resource depending on the internal security and workflow

The API is not too explicit on how to handle user sessions - I will try
to make this more explicit when implementing the CPS session.
So based on the current user you can fetch the user roles and to compare
with the permissions of the operation on the target resource.
If user roles contains the needed permissions then the operation may be
performed.

Example on how CPS is handling security checks:

Let say a resource is supporting 2 type of actions (operations): view
and edit.
Let say the CPS provider specify that the view operation requires the
"view" permission and the edit operation requires the "modify" permission
Let say you are logged in using the user "sato" and the user sato is
having the "Guest Role" that allows "view" and "create" permissions but
not modify permissions. Then when you will try to edit the resource the
security will detec your role is not containing the "modify" permission
an thus the security check will fail.
Roles are defined to ease declaring permissions on users or groups of
users. For example if you want to define that some users have the
"view", "modify", "delete" and "create" permissions you may create a
role containing these permissions and bind this role to those users. So
roles are a sort of grouping permissions to ease permission administration.
Eric, correct me if I am wrong about roles...

This is the CPS approach but I think is very flexible.

Now about the ISiteControler#execute method:
Yes, if you want to define an operation that was not defined explicitely
by the API you may create a new operation type and use this function to
dispatch the operation to the ecm provider. So each provider may define
custom actions and not be limited on actions defined by the API.

I will demonstrate this by implementing a custom operation in the
FileSystem provider

Anyway, when a provider is implementing a custom action it should also
customize the UI interface to add support for the new operation.
The generic views provided by apogee will support by default only
generic actions defined in the API.
I need to think about a method to ease adding new operation types at the
UI level.

>
>> Apogee needs, for that, to have a security model that can be mapped
>> to the ECM security model so that user actions / menu items available
>> on resources can depends on access rights defined by the server.
>
>
> Does "ECM security model" mean the one of CPS?
>
>> Extension of this:
>>
>>
>> Workflow:
>>    - on my workspace, I have a document on which I have to do some
>> workflow action
>>    - Apogee needs to know what workflow actions are to be done for
>> the current user on a resources
>>    - moreover, apogee need to know where to find the interface to
>> display to the user so that he can do the workflow action
>>
>> Then, Apogee need to have a generic model to get actions from the
>> remote ecm platform (what we call operations in the model, I have
>> well understood - Bogdan, correct me if I'm wrong .
>
>
> So there would be a definition of a workflow
> so that a content could be displayed in sequence with proper actions.

Yes we should develop a workflow engine. I think there are some workflow
engines already developed in java. We may try to use them.

>
>> Does it answer to you questions? (I hope to be enough clear on what I
>> have in mind on those points, do not hesitate to ask more .
>
>
> I wonder if I am missing something.
> I'd better learn CPS?

I think it will be good to install or to login on a demo cps server
server to see how it is working 
I will look for an account on a demo CPS server and I will send you.

>
> Takenori
> _______________________________________________
> Apogee mailing list
> Apogee@...
> http://lists.nuxeo.com/cgi-bin/mailman/listinfo/apogee

--

-- 

Bogdan Stefanescu - Apogee project Team Leader

Nuxeo - Open Source ECM - www.nuxeo.com
Apogée - the rich client platform for ECM
http://apogee.nuxeo.org/ - http://www.nuxeo.com/en