SOLVED

How to prevent authors from deleting a node in aem

anelem1760873
Level 4

Hi there,

 

I have a Handler which listens for DELETE operations from JCR in specific locations. I want to prevent users from deleting the nodes under those locations.

Any idea how I can achieve this?

Thanks 

1 Accepted Solution
Kiran_Vedantam
Correct answer by
Community Advisor

Hi @anelem1760873,

 

This can be achieved by denying access to that node to all the users.

  1. Go to localhost:4502/useradmin
  2. Either deny the access at group level or user level
  3. Please allow access for the user who is creating the node programmatically as mentioned below.

 

Hope this helps.

 

Thanks,

Kiran Vedantam.


2 Replies

markus_bulla_adobe
Employee

Hi @anelem1760873!

Your outlined approach to listen for DELETE events unfortunately won't work out as it is triggered after the actual deletion has taken place. So the node is already gone when your code gets notified. Unfortunately, events and listeners/handlers won't help in this situation.

 

Depending on your use case, probably the best solution will be based on permissions, as mentioned by @Kiran_Vedantam.

When it comes to permissions, it's always important to have a proper concept and a well designed content architecture that is aligned with the authorization concept. So please make sure to embed the required permissions into your concept.

That being said, you should be able to satisfy your requirement by defining an ACL of type DENY with the jcr:removeNode privilege for the according group.

Please also note: in general, it is recommended to build a hierarchy of groups to implement your authorization concept. It is a best practice to start with groups denying as much as possible/needed on the top level and only set ALLOW ACLs from there on. It can cause unexpected side effects if you mix allow and deny ACLs through your permission hierarchy. However, in some cases it may still be necessary to have a few well-designed denies at some point in the hierarchy.

 

Hope that helps!
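
The DENY entry for jcr:removeNode described in the reply above can also be set through the JCR/Jackrabbit access control API instead of the useradmin UI. This is an added example, not code from either poster or from Adobe. The group name `content-authors` and the path `/content/mysite/protected` are hypothetical, and the calling session is assumed to be allowed to read and modify access control at that path.

```java
import java.security.Principal;
import java.util.Collections;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

public final class DenyNodeRemoval {

    // Hypothetical values for illustration; replace with your own group and path.
    static final String GROUP = "content-authors";
    static final String PROTECTED_PATH = "/content/mysite/protected";

    /**
     * Adds a DENY entry for jcr:removeNode on the given path for the given group,
     * then returns true if that principal can no longer remove the node.
     */
    public static boolean denyRemoval(Session session, String path, String groupName)
            throws RepositoryException {
        Principal group = ((JackrabbitSession) session)
                .getPrincipalManager().getPrincipal(groupName);
        if (group == null) {
            throw new RepositoryException("Unknown principal: " + groupName);
        }

        AccessControlManager acm = session.getAccessControlManager();
        Privilege[] removeNode = { acm.privilegeFromName(Privilege.JCR_REMOVE_NODE) };

        // Fetch the existing ACL on the path, or an applicable empty one.
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
        if (acl == null) {
            throw new RepositoryException("No modifiable ACL available at " + path);
        }
        acl.addEntry(group, removeNode, false); // false = DENY entry
        acm.setPolicy(path, acl);
        session.save(); // ACL changes are transient until saved

        // Check the effective result for this principal rather than trusting the write.
        boolean stillAllowed = ((JackrabbitAccessControlManager) acm)
                .hasPrivileges(path, Collections.singleton(group), removeNode);
        return !stillAllowed;
    }
}
```

The final check evaluates the group principal on its own; a user who also belongs to other groups gets the combined result of all of their principals, which is why mixing allow and deny entries across the hierarchy needs care.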