portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Spencer <pau...@apache.org>
Subject Re: Security for Portlet State (customize, maximize, minimize, close) not working
Date Wed, 22 May 2002 17:00:32 GMT


Glenn Golden wrote:

> Define the role "user" permissions in the admin interface - leave only
> "view" checked.
> 
> Portlets for a user (the user has role "user" only) still have minimize,
> maximize, close, configure icons.
> 
> When VelocityPortletContril.buildActionList() checks permissions:
> 
> StateFullPortletWrapper.allowCustomize()
> PortletWrapper.checkPermission()
> JetspeedSecurity.checkPermission()
> JetspeedDBSecurity.checkPermission() (line 222)
> JetspeedDBSecurity.checkPermission() (line 234)
> 
> Here it check's the RegistryEntry for the portlet for security, and seing
> none, calls "checkDefaultPermission()".
> 
> If it had seen a role for the Entry, and the user's acl has the role, it
> goes on to call "checkPermission()".
> 
> * Why the two different calls?
> 
> Further tracking reveals... In checkDefaultPermissions(), we get the set of
> permissions for the "CONFIG_DEFAULT_PERMISSION_LOGGEDIN"., which is "*".
> The "*" matches the permission and it is granted.  WRONG!
> 
> * Why are we going for default permissions, when I have a logged in user
> with an ACL?


The JR.p CONFIG_DEFAULT_PERMISSION_xxx should ONLY be user when Jetspeed 

can not find the allowable permissions.  So I would suggest what is "WRONG" is

a) Jetspeed can find the list of allowable permissions due to a bug.
or

b) Jetspeed can find the list of allowable permissions due to bad 
configuration

or


c) JR.p CONFIG_DEFAULT_PERMISSION_xxx needs to be correctly configure for the site


> 
> * * *
> 
> Proposal: This code:
> 
>     public boolean checkPermission(RunData runData, String permission,
> RegistryEntry entry)
> 
> In JetspeedDBSecurityService is wrong.  It's the only place that
> checkDefaultPermission() is called, and I believe it should not be doing so.
> checkPermission(rundata, premission) seems the proper call.  Just because an
> Entry has no specific role, doesn't mean that we should *ignore* the user's
> role derived ACL, right?
> 
> I'll fix this - but if anyone has another opinion, please speak up!
> 
> ****************************************
> 
> Another thing - When BasePortletSet.allowCustommize() is called, why does it
> check for "PERMISSION_INFO" permission?  Does anyone know what "info" means?
> Why is this not "PERMISSION_CUSTOMIZE"?
> 


The INFO permission will display information on a portlet.  See 

template/vm/screens/html/Info.vm.  I have only used this once while testing


> Thanks.
> 
> - Glenn
>  
> --------------------------------------------
> Glenn R. Golden, Systems Research Programmer
> University of Michigan School of Information
> ggolden@umich.edu               734-615-1419
> --------------------------------------------
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:jetspeed-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:jetspeed-dev-help@jakarta.apache.org>
> 
> 



--
To unsubscribe, e-mail:   <mailto:jetspeed-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:jetspeed-dev-help@jakarta.apache.org>


Mime
View raw message