portals-jetspeed-dev mailing list archives

From Santiago Gala <sg...@hisitech.com>
Subject Re: Security Changes
Date Tue, 15 Jan 2002 23:21:41 GMT
Paul Spencer wrote:

(I snip most. I agree with most of it)

> Missing group = all users have access based on roles.

As turbine roles are defined in a triple group-role-user, this should 
better be rephrased as "all users have access based on roles in global 
group". I'm not picky, this is important. This misunderstanding is the 
root of most problems we have experienced. A user has *no* role unless 
you pick up a group.

> Missing roles = all users have "default access"

This could be that the users have the permissions returned by 
data.getACL().hasPermission("xxx"), but, again, this is implemented in 
turbine as return hasPermission(permission, 
TurbineSecurity.getGlobalGroup());, so it means "access according to 
permissions in the global group".
The precise meaning of a role constraint is "data.getACL().hasRole( role 
) && data.getACL().hasPermission( "xxx" ) returns true", where xxx is 
the action to be performed. It restricts the permission further, since I 
could have view permission, but not clerk role, for instance.

> We also need to define a standard set of permissions:
> view       - Allows portlet content to be viewed and
>              added to pane
> customize  - Allows portlet to be customized 

This can/should be required at the portletset level

> minimize   - allows portlet to be minimized
> maximize   - allows portlet to be maximized
> remove     - allows portlet to be removed from pane
> move       - allows portlet to be moved in pane 

This one looks very difficult to implement, since in a two column 
layout, moving one portlet shuffles the rest (effectively moving them). 

> One other area that is related is the ability to have common 
> portlet(s) that are maintained in one place for a group of users.  As 
> an example corporate E-mail and corporate News should be on all pages 
> and in the left column.  (I am not asking this be addressed now, just be 
> aware of this desired functionality while designing the security changes)

This again could be implemented with relative ease at the portletset 
level, except that a multi-column layout is *not* a portletset. I mean 
something like the customiser not allowing to modify a given part of the 
PSML. If a Document is composed of a (role=admin)set which includes 
several (unrestricted)portletsets, the user could modify only the inner 
ones, but should respect the structure of the outer one. We will work 
security in the PSML structure/customiser later on, when we have the 
basics sorted out.

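The group-role-user semantics discussed in the message above, as an added example that is not part of the original post and is not Turbine or Jetspeed code. It shows how a role held only in a non-global group is invisible to a check that names no group. The class GroupScopedAclDemo, the Acl model, the allowed() helper, the way a constraint that does name a group is evaluated, and the sample roles and groups are all assumptions made for illustration.

```java
import java.util.*;

// Added model, not Turbine code: a user holds roles only as (group, role) pairs.
public class GroupScopedAclDemo {
    static final String GLOBAL = "global"; // stand-in for TurbineSecurity.getGlobalGroup()

    static class Acl {
        private final Map<String, Set<String>> rolesByGroup = new HashMap<>();
        private final Map<String, Set<String>> permsByRole; // role -> permissions

        Acl(Map<String, Set<String>> permsByRole) { this.permsByRole = permsByRole; }

        void grant(String group, String role) {
            rolesByGroup.computeIfAbsent(group, g -> new HashSet<>()).add(role);
        }
        boolean hasRole(String role, String group) {
            return rolesByGroup.getOrDefault(group, Set.of()).contains(role);
        }
        boolean hasPermission(String perm, String group) {
            for (String role : rolesByGroup.getOrDefault(group, Set.of())) {
                if (permsByRole.getOrDefault(role, Set.of()).contains(perm)) return true;
            }
            return false;
        }
        // One-argument forms silently use the global group, as the message describes.
        boolean hasRole(String role) { return hasRole(role, GLOBAL); }
        boolean hasPermission(String perm) { return hasPermission(perm, GLOBAL); }
    }

    // Assumed constraint semantics: missing group -> global group; missing role -> permission only.
    static boolean allowed(Acl acl, String group, String role, String action) {
        String g = (group == null) ? GLOBAL : group;
        boolean roleOk = (role == null) || acl.hasRole(role, g);
        return roleOk && acl.hasPermission(action, g);
    }

    public static void main(String[] args) {
        // Constructed sample data: "user" in the global group, "clerk" only in group "sales".
        Acl acl = new Acl(Map.of("user", Set.of("view"), "clerk", Set.of("view", "customize")));
        acl.grant(GLOBAL, "user");
        acl.grant("sales", "clerk");

        System.out.println("hasRole(clerk), no group given:     " + acl.hasRole("clerk"));
        System.out.println("hasRole(clerk, sales):              " + acl.hasRole("clerk", "sales"));
        System.out.println("no group, no role, view:            " + allowed(acl, null, null, "view"));
        System.out.println("no group, role=clerk, view:         " + allowed(acl, null, "clerk", "view"));
        System.out.println("group=sales, role=clerk, customize: " + allowed(acl, "sales", "clerk", "customize"));
    }
}
```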