In this post we'll look at a requested customization for Alfresco Share and how it can be implemented by overriding the controller of an existing Alfresco Web Script.
First let's look at the following functionality in Alfresco Share.
By default, any user in Alfresco can start a workflow on a document which they have access to. If a user chooses to create a New Task (ad hoc task) workflow on a document, the workflow creation form is displayed, and on that form, the user is able to select a user to assign the new task to.
In the "Select..." dialog that pops up, the user is able to search across all registered Alfresco users.
It looks like this:
The requirement for the customization is that, for all users other than admin users, the search results are limited to users who belong to the same groups as the user performing the search.
Implementation
How can we achieve that?
[Note that this file can be found bundled in the repo jar file: alfresco-remote-api-5.x.x.jar]
Within the Web Script, the function that gets called to search for users is findUsers(). We'll change this method so that the search results from the Picker include only those users who belong to the same groups as the current user.
The requirement for the customization is to change the search by limiting the results to only those users that belong to the same group as the current user. We can again use the 'people' root-scoped object to find which groups the user belongs to:
But the problem with the method getContainerGroups() is that it does not include system groups in the results. It would be great if this method took another parameter as a flag to specify that system groups should be included in the result, but it doesn't. System groups include the Share groups created for each site for managing the four default Site roles: site manager, collaborator, contributor, and consumer.
If a user belongs to a Share site, we also want to include in the results any users who belong to any of the four Share site groups for that site. To find the additional site groups corresponding to the sites that a user belongs to, we will write a new method. That is shown in the following code, which takes a list and adds the Share site groups to the list.
Here we query the site service to find all sites that the current user is able to access. Then we get the names of the roles for the site -- there typically will be just the four we mentioned earlier. Then we get the group corresponding to each of those permissions and push the group nodes onto the list of groups:
Once we have the list of groups that the user belongs to, we can make a query to find only those people that match the search criteria and also are members of those groups.
First we build a string containing the part of the query condition that lists the groups that the user belongs to:
The query is as follows. Note that 'filterTerm' corresponds to the text entered by the user within the UI. 'grpQuery' corresponds to the criteria for the group restriction. Note that we search for objects that are type cm:person and which do not have the cm:personDisabled flag applied.
Putting it all together, the combined changes to the Web Script are as follows:
To override the existing Web Script file, copy the original file into the extensions area and make the change to the findUsers() method as shown above here:
One additional thing to notice is that filtering by group is only applied when the user is not an admin:
Workflow assignments of tasks to users will now use the override method defined here and users will be filtered by group.
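The query construction and the admin exception described above, as an added example (not the post's original code): it builds the query string as a pure function, escapes the text typed into the picker, and returns no query when a non-admin has no groups. The `PARENT` membership clause, the name fields searched, the sample nodeRefs and the function names are assumptions.

```javascript
// Added example: builds the restricted people query as a pure function so it
// can be unit-tested outside Alfresco. The PARENT clause, the cm:firstName /
// cm:lastName / cm:userName fields and all function names are assumptions.

// Escape characters that are special in Alfresco FTS / Lucene query syntax so
// the text typed into the picker cannot alter the structure of the query.
function escapeTerm(term) {
  return String(term).replace(/[\\+\-!(){}\[\]^"~*?:\/|&]/g, "\\$&");
}

// One clause per group node; assumes a person node is a child of each group
// node it is a member of, so membership can be tested with PARENT.
function buildGroupQuery(groupNodeRefs) {
  return groupNodeRefs
    .map(function (ref) { return 'PARENT:"' + ref + '"'; })
    .join(" OR ");
}

// Returns the query string, or null when the search must return nothing.
// filterTerm: text typed in the picker; groupNodeRefs: nodeRef strings of the
// current user's groups (container groups plus Share site groups).
function buildPeopleQuery(filterTerm, groupNodeRefs, isAdmin) {
  var term = escapeTerm(String(filterTerm).trim());
  if (term.length === 0) return null;
  var query = 'TYPE:"cm:person" AND NOT ASPECT:"cm:personDisabled"' +
    ' AND (cm:firstName:"' + term + '*" OR cm:lastName:"' + term +
    '*" OR cm:userName:"' + term + '*")';
  if (isAdmin) return query; // admins keep the unrestricted search
  // Fail closed: a non-admin with no resolvable groups gets no results rather
  // than silently falling back to the unrestricted query.
  if (!groupNodeRefs || groupNodeRefs.length === 0) return null;
  return query + " AND (" + buildGroupQuery(groupNodeRefs) + ")";
}
```

In the Web Script, a `null` return would mean skipping the search and returning an empty result list.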