3

We're using Alfresco Community 4.2.c and are in need of restricting some user from downloading document.

From what we learn in this forum and other sources, we can remove/hide download button and document action from specific roles. We have successfully hidden download button and document actions and show them only to specific user with CanDownload permission. We created new role "Viewer" with no download access and added CanDownload permission to default permission Collaborator, Contributor, Editor, and Consumer. The first three work as expected but the last one, Consumer, doesn't. In Consumer the download button is still hidden though it has CanDownload permission.

Here's what we add to permissionDefinitions.xml

<permissions>
   <permissionSet type="sys:base" expose="all" >      
      <permissionGroup name="DownloadPermission" allowFullControl="false" expose="true" />
      <permission name="_DownloadPermission" expose="false" >
         <grantedToGroup permissionGroup="DownloadPermission" />
      </permission>
   </permissionSet>

   <permissionSet type="cm:cmobject" expose="selected">
      <permissionGroup name="Administrator" allowFullControl="true" expose="false" />

      <permissionGroup name="Coordinator" allowFullControl="true" expose="true" />

      <permissionGroup name="Collaborator" allowFullControl="false" expose="true">
         <includePermissionGroup permissionGroup="Editor" type="cm:cmobject" />
         <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
         <!-- Added 18/2/2015 -->
         <includePermissionGroup permissionGroup="CanDownload" type="cm:cmobject" />
      </permissionGroup>

      <permissionGroup name="Contributor" allowFullControl="false" expose="true" >
         <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
         <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
         <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
         <!-- Added 18/2/2015 -->
         <includePermissionGroup permissionGroup="CanDownload" type="cm:cmobject" />
      </permissionGroup>

      <permissionGroup name="Editor"expose="true" allowFullControl="false" >
         <includePermissionGroup type="cm:cmobject" permissionGroup="Consumer"/>
         <includePermissionGroup type="sys:base" permissionGroup="Write"/>
         <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
         <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
         <!-- Added 18/2/2015 -->
         <includePermissionGroup permissionGroup="CanDownload" type="cm:cmobject" />
      </permissionGroup>

      <permissionGroup name="Consumer" allowFullControl="false" expose="true" >
         <includePermissionGroup permissionGroup="Read" type="sys:base" />
         <!-- Added 18/2/2015 -->
         <includePermissionGroup permissionGroup="CanDownload" type="cm:cmobject" />
      </permissionGroup>

      <!-- Added 18/2/2015 -->
      <!-- Viewer cannot download documents -->
      <permissionGroup name="Viewer" allowFullControl="false" expose="true" >
         <includePermissionGroup permissionGroup="Read" type="sys:base" />
      </permissionGroup>

      <!-- Added 18/2/2015 -->
      <permissionGroup name="CanDownload" allowFullControl="false" expose="false" >
         <includePermissionGroup permissionGroup="DownloadPermission" type="sys:base" />
      </permissionGroup>
   </permissionSet>

   <permissionSet type="cm:content" expose="selected">
      <permissionGroup name="CanDownload" extends="true" expose="false"/>
      <permissionGroup name="Viewer" extends="true" expose="true"/>
   </permissionSet>

   <permissionSet type="cm:folder" expose="selected">
      <permissionGroup name="CanDownload" extends="true" expose="false"/>
      <permissionGroup name="Viewer" extends="true" expose="true"/>
   </permissionSet>
</permissions>

Any hint or suggestion would be very appreciated.

Thank you.

supta
  • 143
  • 14

1 Answers1

2

Unfortunately this is not supported by Alfresco/ by the user interface Share. Alfresco Share expects to have read access on cm:content (document) as a minimum which includes always download. Also the embedded flash-viewer only works if the user can read and download the document.

Since this is a common requirement we created an Alfresco Module (ecm4u View Only) which allows only to (pre)view special documents in the browser using flash and denies any access on the content. Special document means we use an aspect to attach other behavior to these documents. This required to extend Alfresco in many places to get that running. We support this concept in all available protocols and applications. Of course it would be easier to hide the download action for a special role like "Preview", but this would still allow to download the files if you have the know how.

Heiko Robert
  • 2,488
  • 11
  • 12