Restrict Workflow for Certain Folders and Groups
This page describes the recommended method for disabling the folder workflow (add folder, add document, rename, etc.) for certain folders and groups. A simple but realistic use case would be that we have a top level folder created by an editor and we don’t want authors to be able to modify that folder.
The workflow we're interested in lives under node /hippo:configuration/hippo:workflows/threepane/folder and for this example let's assume that the folder /content/documents/applications/, and all its child folders, shouldn’t expose this workflow to authors.
Disabling the workflow could be done via security domains configuration (by changing the security domain in /hippo:configuration/hippo:domains/workflow/frontend-workflow so the aforementioned workflow node is not anymore available for authors). However, this applies globally in the CMS, i.e. to all folders, so usually is not desirable.
A better approach exists, providing for finer control of the access to the workflow. The approach takes advantage of the fact that the workflow allows you to specify the minimum privileges a user must have in order to be elligible to access it. This is done on the workflow node, by adding the attribute hippo:privileges.
In Hippo CMS a user can have different privileges depending on which node they are accessing. This is specified via security domains, where we can decide what privilege to assign based on the path of the node the user is navigating under. To come back to our example, it should be clear now what we need to do:
For the folder nodes where we don't want the user to access the workflow, we give to them a privilege that simply is not sufficient for the workflow to be enabled.
1. Specify what privilege is sufficient
The hippo:author privilege seems suitable since we do want the authors to be able to access the workflow in general. We'll then make sure the authors don't get this privilege for any folders we want to disable the workflow in. So first step, we add attribute hipposys:privileges with value hippo:author to /hippo:configuration/hippo:workflows/threepane/folder:
/hippo:configuration/hippo:workflows/threepane/folder - hipposys:classname = org.hippoecm.repository.standardworkflow.FolderWorkflowImpl - hipposys:display = Workflow on folders (authors) - hipposys:nodetype = hippostd:folder - hipposys:privileges = hippo:author
2. Modify security domains
By default the authors get the hippo:author privilege for all hippo:document type nodes (including folders). This is assigned in domain /hippo:configuration/hippo:domains/hippodocuments. There we can see that an authrole is assigning the author role to group authors for any node that matched the criteria defined in the domainrules under /hippo:configuration/hippo:domains/hippodocuments/hippo-document. Assigning the author role enables the workflow, therefore we'd like to avoid giving this privilege if the user is navigating under any of our workflow-disabled folders. So we need to add a child domainrule to /hippo:configuration/hippo:domains/hippodocuments/hippo-document to exclude our folders.
This can be done easily by copying an existing one, for instance copy the domainrule /hippo:configuration/hippo:domains/hippodocuments/hippo-document/nodetype-hippo-document under the same location, rename it to exclude-my-folders and change the following attributes to these values:
hipposys:facet -> "jcr:path"
hipposys:type -> "Reference"
hipposys:value -> "/content/documents/applications"
hipposys:equals -> false
/hippo:configuration/hippo:domains/hippodocuments/hippo-document + exclude-my-folders [hipposys:facetrule] - hipposys:facet = jcr:path - hipposys:type = Reference - hipposys:value = /content/documents/applications - hipposys:equals = false - hipposys:filter = false
This will effectively remove our folder and its children from this domain, so our users won't get any privilege at all for those folders, so no access at all. We must fix this of course, and this takes us to the last step.
3. Create a new security domain only for our special folders
- Copy the whole domain /hippo:configuration/hippo:domains/hippodocuments into a new one (rename it as well)
- Navigate to the child domainrule named exclude-my-folders and rename it to include-my-folders
- On this domainrule, change the attribute hipposys:equals to true
- Change the authrole in the domain to give readonly role (it was author role) to the authors group
/hippo:configuration/hippo:domains/hippodocuments-readonly/hippo-document + include-my-folders [hipposys:facetrule] - hipposys:facet = jcr:path - hipposys:type = Reference - hipposys:value = /content/documents/applications - hipposys:equals = true - hipposys:filter = false
/hippo:configuration/hippo:domains/hippodocuments-readonly + hippo:authrole [hipposys:authrole] - hipposys:groups = hippo:author - hipposys:role = readonly
Now you have a domain that assigns the readonly role to authors when they navigate under your workflow-disabled folders. Since they don't have author role anymore, the workflow won't be enabled.