Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

API to check user access to DAM asset where the folder is protected by CUG permissions

Avatar

Level 5

Is there a quick API available to say pass two parameters

User, Path of DAM asset

and returns true or false if the user has access to it?

1 Accepted Solution

Avatar

Correct answer by
Level 5

I used this and it's working as expected now

 

             
            /* Retrieving User authorizable instance */
            Authorizable auth = userManager.getAuthorizable(userInfo.getUserId());
            final ResourceResolver resolver = resolverFactory.getAdministrativeResourceResolver(null);
            final Session adminSession = resolver.adaptTo(Session.class);
              //logger.info("User Id"+a.getID());
            final Session userSession = adminSession.impersonate(new javax.jcr.SimpleCredentials(auth.getID(),new char[0]));
            AccessControlManager acMgr = userSession.getAccessControlManager();
            hasAccess = userSession.getAccessControlManager().hasPrivileges(resourcePath, new Privilege[]             {acMgr.privilegeFromName(Privilege.JCR_READ)});

View solution in original post

6 Replies

Avatar

Level 9
Well, In order to check whether particular asset has permission or not,  you need to create a filter. Filter is nothing  but a osgi service. Here is sample code which might help you. https://github.com/Adobe-Consulting-Services/acs-aem-samples/blob/master/bundle/src/main/java/com/ad...

Avatar

Employee Advisor

Hi,

on publish the CUGs are translated into ACLs; so if you already have the path of the asset, you can simply use resourceResolver.get(PATH) and check the return value. On authoring environment this does not work, but I don't see there any necessity to perform actions like you described.

Jörg

Avatar

Level 5

We actually need it on author. We've a process where in an event listnerer parses a pdf posted to a node, pushes that pdf to a location in DAM and sends users who are subscribed to that pdf an email based on a tag associated. However before sending an email, we need to make sure that the asset is not protected by CUG

Avatar

Employee Advisor

Hi,

so you have all users and all groups, which are available on publish for the CUG mechanism, also available on author with the very same membership relations? If that's not case, I wonder how you want the system to compute the actual membership relations, so that the CUG resolution works on author as well.

Why can't you solve it on publish?

kind regards,
Jörg

Avatar

Correct answer by
Level 5

I used this and it's working as expected now

 

             
            /* Retrieving User authorizable instance */
            Authorizable auth = userManager.getAuthorizable(userInfo.getUserId());
            final ResourceResolver resolver = resolverFactory.getAdministrativeResourceResolver(null);
            final Session adminSession = resolver.adaptTo(Session.class);
              //logger.info("User Id"+a.getID());
            final Session userSession = adminSession.impersonate(new javax.jcr.SimpleCredentials(auth.getID(),new char[0]));
            AccessControlManager acMgr = userSession.getAccessControlManager();
            hasAccess = userSession.getAccessControlManager().hasPrivileges(resourcePath, new Privilege[]             {acMgr.privilegeFromName(Privilege.JCR_READ)});

Avatar

Employee Advisor

chetanvajre2014 wrote...

I used this and it's working as expected now

 

             
            /* Retrieving User authorizable instance */
            Authorizable auth = userManager.getAuthorizable(userInfo.getUserId());
            final ResourceResolver resolver = resolverFactory.getAdministrativeResourceResolver(null);
            final Session adminSession = resolver.adaptTo(Session.class);
              //logger.info("User Id"+a.getID());
            final Session userSession = adminSession.impersonate(new javax.jcr.SimpleCredentials(auth.getID(),new char[0]));
            AccessControlManager acMgr = userSession.getAccessControlManager();
            hasAccess = userSession.getAccessControlManager().hasPrivileges(resourcePath, new Privilege[]             {acMgr.privilegeFromName(Privilege.JCR_READ)});

 

I am quite sure, that this does not work on author, unless you have all users/groups amd the very same set of privileges there as well. Because with the above code you check on a JCR level for the READ permissions (ACL); and on author the CUG properties are not translated into ACLs, but only on publish.

A remark: You can also use (see [1])

hasAccess = userSession.hasPermission(resourcepath, "read");

kind regards,
Jörg

 

[1] https://www.day.com/maven/jsr170/javadocs/jcr-2.0/javax/jcr/Session.html#hasPermission%28java.lang.S...