Deny Access to a Folder
Introduction
Goal
Deny a group access to a specific folder in the content repository.
Use Case
The use case is based on a Hippo project created using the Maven archetype, with the News feature added.
Such a project contains two root content folders:
- /content/documents/myhippoproject
  Contains the news articles.
- /content/documents/administration
  Contains resource bundles to manage static labels on the website.
By default, the 'editor' group has editor privileges on both folders, and the 'author' group has author privileges on both folders.
You want to deny the 'author' group access to the administration folder, while the 'editor' group retains all its privileges.
Strategy
To be able to deny access to the administration folder you will customize the default security domains as follows:
- Exclude the administration folder from the default hippodocuments and hippofolders domains.
- Define a new domain administrationdocuments that includes only the administration folder.
- Assign the 'editor' group editor privileges on the administrationdocuments domain.
Customize Security Domains
Exclude the Folder from the Default Domains
Log in to the Console as 'admin'.
At /hippo:configuration/hippo:domains/hippodocuments/hippo-document add a new facet rule exclude-administration-folder:
/hippo:configuration/hippo:domains/hippodocuments/hippo-document
  + exclude-administration-folder [hipposys:facetrule]
    - hipposys:equals: false
    - hipposys:facet: jcr:path
    - hipposys:filter: false
    - hipposys:type: Reference
    - hipposys:value: /content/documents/administration
At /hippo:configuration/hippo:domains/hippofolders/hippostd-folder add the same facet rule exclude-administration-folder:
/hippo:configuration/hippo:domains/hippofolders/hippostd-folder
  + exclude-administration-folder [hipposys:facetrule]
    - hipposys:equals: false
    - hipposys:facet: jcr:path
    - hipposys:filter: false
    - hipposys:type: Reference
    - hipposys:value: /content/documents/administration
Create a New Domain for the Folder
At /hippo:configuration/hippo:domains add a new security domain administrationdocuments:
/hippo:configuration/hippo:domains
  + administrationdocuments [hipposys:domain]
    + hippo-document [hipposys:domainrule]
      + hide-prototypes [hipposys:facetrule]
        - hipposys:equals: false
        - hipposys:facet: nodename
        - hipposys:filter: false
        - hipposys:type: Name
        - hipposys:value: hipposysedit:prototype
      + include-administration-folder [hipposys:facetrule]
        - hipposys:equals: true
        - hipposys:facet: jcr:path
        - hipposys:filter: false
        - hipposys:type: Reference
        - hipposys:value: /content/documents/administration
      + nodetype-hippo-document [hipposys:facetrule]
        - hipposys:equals: true
        - hipposys:facet: nodetype
        - hipposys:filter: false
        - hipposys:type: Name
        - hipposys:value: hippo:document
Grant Permissions
Grant the Admin and Editor Groups Editor Privileges on the New Domain
Log in to the CMS as 'admin'.
Browse to the Admin perspective.
Select 'Permissions'.
Grant the group 'admin' editor privileges in the administrationdocuments domain.
Grant the group 'editor' editor privileges in the administrationdocuments domain.
Log out.
Verify Permissions
Log in to the CMS as 'editor'.
Verify that you can browse to the administration folder and can edit documents inside the administration folder.
Log out.
Log in to the CMS as 'author'.
Verify that you can't see the administration folder.
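The effect of the exclude and include facet rules can be reasoned about with a small model. The following is an added example, not Hippo code or part of the original page. It assumes that all facet rules in a domain rule must match, that any matching domain rule puts a node in the domain, and that a jcr:path facet covers the referenced folder and its descendants. The default hippodocuments rule is reduced to a single nodetype facet, the hippofolders domain and role names are left out, and the sample document paths are constructed.

```python
from dataclasses import dataclass

ADMIN = "/content/documents/administration"

@dataclass(frozen=True)
class FacetRule:
    facet: str      # "jcr:path", "nodetype" or "nodename"
    value: str
    equals: bool

    def matches(self, path, nodetype):
        if self.facet == "jcr:path":    # the referenced folder and everything below it
            hit = path == self.value or path.startswith(self.value + "/")
        elif self.facet == "nodetype":  # exact match only; subtypes are not modelled
            hit = nodetype == self.value
        else:                           # nodename: last path segment
            hit = path.rsplit("/", 1)[-1] == self.value
        return hit == self.equals

IS_DOC = FacetRule("nodetype", "hippo:document", True)
NOT_PROTO = FacetRule("nodename", "hipposysedit:prototype", False)

def build_domains(customized):
    """Domain name -> list of domain rules; each domain rule is a list of facet rules."""
    default_rule = [IS_DOC]   # reduced stand-in for the shipped hippo-document rule
    domains = {"hippodocuments": [default_rule]}
    if customized:
        # exclude-administration-folder, then the new domain from this page
        default_rule.append(FacetRule("jcr:path", ADMIN, False))
        domains["administrationdocuments"] = [
            [NOT_PROTO, FacetRule("jcr:path", ADMIN, True), IS_DOC]]
    return domains

# Group -> domains in which it holds a role (assumed from the steps above).
GRANTS = {
    "author": {"hippodocuments"},
    "editor": {"hippodocuments", "administrationdocuments"},
}

def can_access(group, path, domains, nodetype="hippo:document"):
    return any(
        all(rule.matches(path, nodetype) for rule in domain_rule)
        for name in GRANTS[group] if name in domains
        for domain_rule in domains[name])

if __name__ == "__main__":
    labels = ADMIN + "/labels"   # constructed sample document path
    for customized in (False, True):
        d = build_domains(customized)
        print(customized, {g: can_access(g, labels, d) for g in GRANTS})
```

Removing 'editor' from the administrationdocuments grant in this model shows why the new domain is needed: the exclude rule alone hides the folder from both groups.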