SOLVED

How to prevent authors from deleting a node in AEM


Hi there,

 

I have a Handler which listens for DELETE operations from JCR in specific locations. I want to prevent users from deleting those nodes under those locations.

Any idea how I can achieve this?

Thanks 

1 Accepted Solution


Correct answer by
Community Advisor

Hi @anelem1760873,

 

This can be achieved by denying access to that node to all the users.

  1. Go to localhost:4502/useradmin
  2. Either deny the access at group level or user level
  3. Please allow access for the user who is creating the node programmatically as mentioned below.

 

Hope this helps.

 

Thanks,

Kiran Vedantam.


2 Replies


Employee Advisor

Hi @anelem1760873!

Your outlined approach to listen for DELETE events unfortunately won't work out as it is triggered after the actual deletion has taken place. So the node is already gone when your code gets notified. Unfortunately, events and listeners/handlers won't help in this situation.

 

Depending on your use case, probably the best solution will be based on permissions, as mentioned by @Kiran_Vedantam.

When it comes to permissions, it's always important to have a proper concept and a well designed content architecture that is aligned with the authorization concept. So please make sure to embed the required permissions into your concept.

That being said, you should be able to satisfy your requirement by defining an ACL of type DENY with the jcr:removeNode privilege for the according group.

Please also note: in general, it is recommended to build a hierarchy of groups to implement your authorization concept. It is a best practice to start with groups denying as much as possible/needed on the top level and only set ALLOW ACLs from there on. It can cause unexpected side effects if you mix allow and deny ACLs through your permission hierarchy. However, in some cases it may still be necessary to have a few, well designed denies at some point in the hierarchy.

 

Hope that helps!
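The DENY entry for jcr:removeNode described in the reply above can also be set through the Jackrabbit API. This is an added example, not code from the thread or from Adobe; the class and method names are hypothetical, and it assumes the caller already holds a session that may modify access control at the path.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

// Hypothetical helper class (added example, not part of the original thread).
public final class DenyNodeRemoval {

    private DenyNodeRemoval() {}

    /**
     * Adds a DENY entry for jcr:removeNode on {@code path} for the given principal.
     * Returns true if the ACL was modified, false if the list reported no change
     * (for example because the same entry is already present).
     */
    public static boolean denyRemove(Session adminSession, String path, String principalName)
            throws RepositoryException {
        Principal principal = ((JackrabbitSession) adminSession)
                .getPrincipalManager().getPrincipal(principalName);
        if (principal == null) {
            throw new IllegalArgumentException("Unknown principal: " + principalName);
        }
        AccessControlManager acm = adminSession.getAccessControlManager();
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(adminSession, path);
        if (acl == null) {
            throw new RepositoryException("No modifiable ACL available at " + path);
        }
        Privilege[] removeNode = { acm.privilegeFromName(Privilege.JCR_REMOVE_NODE) };
        boolean changed = acl.addEntry(principal, removeNode, false); // false = DENY
        if (changed) {
            acm.setPolicy(path, acl);
            adminSession.save(); // ACL edits stay transient until the session is saved
        }
        return changed;
    }

    /** Checks from the affected user's own session whether removal is still permitted. */
    public static boolean canRemove(Session userSession, String path) throws RepositoryException {
        return userSession.hasPermission(path, Session.ACTION_REMOVE);
    }
}
```

Because the entry carries no restrictions, it applies to the node at the path and to the subtree below it. Run `canRemove` with a session of a user in the denied group to confirm the result, since other entries in the group hierarchy can still change the effective permission.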