Publishing security

Publishing security issues

There is metadata on the InputDocument and PublicationDocument properties to require that the user has "Publish" access to the Document instances to which they point.

After the queue item is instantiated, you must have rights to modify the instance. The Content Engine Servers group would have only read and delete access (delete access so that they can delete their original request; possibly only the user that created the publish request would have delete access). Since the user that created the queue item is the owner of the object, they can ultimately modify the security DACL to give themselves any access.

You can take some extra precautions. At the time the publish engine reads the item out of the queue, it can take ownership of the object and grant Content Engine Servers only read access. There is still a window during which non-engine users could modify the queue item; however, this approach is sufficient. The publish request is just an object owned by the user that created it until the publish engine finds it and takes ownership of it.

Many of the properties of the queue item have access enforced through metadata. Properties like InputDocument and PublicationDocument are settable only on create. Property-level security could be applied to the Status property in the Default Instance Security to deny write access to Publish Authors. The metadata already gives this property a default value of InQueue, the appropriate value for a new queue item. Again, this would only be an added precaution, since the user is, at least for a time, the owner of the object.

Property-level security in the Default Instance Security could also be applied to the TargetDocument property, denying write access to Publish Authors. This depends on an implementation detail: the publish engine, rather than the code that makes the publish request, is the one to create the new document or version the existing document.
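To make the ownership window concrete, here is an added, constructed model of the queue-item security described above (hypothetical names and classes; it is not the Content Engine object model or API). It shows that a property-level deny on Status holds only until the requester, as owner, rewrites the DACL, and that once the publish engine takes ownership and leaves the requester read-only, the same attempt fails.

```python
from dataclasses import dataclass, field

READ, WRITE, DELETE, WRITE_DAC, WRITE_OWNER = "READ", "WRITE", "DELETE", "WRITE_DAC", "WRITE_OWNER"
CE_SERVERS, PUBLISH_AUTHORS = "Content Engine Servers", "Publish Authors"

@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()

@dataclass
class PublishRequest:  # hypothetical queue-item model, not the product's object model
    owner: str
    dacl: dict = field(default_factory=dict)         # grantee -> set of granted rights
    deny_write: dict = field(default_factory=dict)   # property -> groups denied write

    def rights(self, p):
        r = {x for g in (p.name, *p.groups) for x in self.dacl.get(g, ())}
        if p.name == self.owner:          # the owner can always rewrite the DACL
            r |= {WRITE_DAC, WRITE_OWNER}
        return r

    def can_write(self, p, prop):
        denied = self.deny_write.get(prop, set()) & p.groups
        return WRITE in self.rights(p) and not denied

    def set_security(self, p, dacl, deny_write):
        if WRITE_DAC not in self.rights(p):
            raise PermissionError(f"{p.name} lacks WRITE_DAC")
        self.dacl, self.deny_write = dacl, deny_write

    def engine_claim(self, engine):
        # The publish engine takes ownership; the original requester is left read-only.
        if CE_SERVERS not in engine.groups:
            raise PermissionError("only the publish engine may claim a request")
        self.owner = engine.name
        self.dacl = {**{g: {READ} for g in self.dacl}, CE_SERVERS: {READ}, engine.name: {READ, WRITE}}

def new_request(author):
    return PublishRequest(owner=author.name,
                          dacl={author.name: {READ, WRITE, DELETE}, CE_SERVERS: {READ, DELETE}},
                          deny_write={"Status": {PUBLISH_AUTHORS}, "TargetDocument": {PUBLISH_AUTHORS}})

def requester_can_override_status(author, engine, claimed):
    req = new_request(author)
    if claimed:
        req.engine_claim(engine)
    try:
        req.set_security(author, {author.name: {READ, WRITE, DELETE}}, {})
    except PermissionError:
        return False
    return req.can_write(author, "Status")
```

Calling `requester_can_override_status` with `claimed=False` returns True (the owner simply drops the deny), and with `claimed=True` it returns False.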

More Security Usage

A user should have a certain level of access to the document before they can initiate a publish request. In a similar way, there is metadata on the SourceDocumentDependentOf and SourceDocumentNonDependentOf properties to require that the user has "Publish" access on the source document.

For a publication document, access will be controlled by setting up certain access rights when the publishing engine finishes publishing the document. For example, the only user that should be allowed to version a publication document is a Publish Engine user. We will restrict the access rights Version, WRITE_DAC and WRITE_OWNER to Content Engine users. We will probably restrict the Relate access as well, since a user should not be adding any compound document relationships after a document has been published. In this way, we ensure that the only user that can version a publication document is a Publish Engine user, which is presumably an engine application versioning it at the proper time, namely on republish.

Restricting access to write the DACL implies that the user that initiated the publish request will never be able to change the security of the publication document to anything other than what they selected initially (subject to the restrictions mentioned above). Of course, they can always republish that document, replacing the current publication document if they want, and select different security settings.