Glenn Golden wrote:
> Define the role "user" permissions in the admin interface - leave only
> "view" checked.
>
> Portlets for a user (the user has role "user" only) still have minimize,
> maximize, close, configure icons.
>
> When VelocityPortletControl.buildActionList() checks permissions:
>
> StateFullPortletWrapper.allowCustomize()
> PortletWrapper.checkPermission()
> JetspeedSecurity.checkPermission()
> JetspeedDBSecurity.checkPermission() (line 222)
> JetspeedDBSecurity.checkPermission() (line 234)
>
> Here it checks the RegistryEntry for the portlet for security, and seeing
> none, calls "checkDefaultPermission()".
>
> If it had seen a role for the Entry, and the user's acl has the role, it
> goes on to call "checkPermission()".
>
> * Why the two different calls?
>
> Further tracking reveals... In checkDefaultPermissions(), we get the set of
> permissions for the "CONFIG_DEFAULT_PERMISSION_LOGGEDIN"., which is "*".
> The "*" matches the permission and it is granted. WRONG!
>
> * Why are we going for default permissions, when I have a logged in user
> with an ACL?
The JR.p CONFIG_DEFAULT_PERMISSION_xxx should ONLY be used when Jetspeed
can not find the allowable permissions. So I would suggest what is "WRONG" is
a) Jetspeed can find the list of allowable permissions due to a bug.
or
b) Jetspeed can find the list of allowable permissions due to bad
configuration
or
c) JR.p CONFIG_DEFAULT_PERMISSION_xxx needs to be correctly configured for the site
>
> * * *
>
> Proposal: This code:
>
> public boolean checkPermission(RunData runData, String permission,
> RegistryEntry entry)
>
> In JetspeedDBSecurityService is wrong. It's the only place that
> checkDefaultPermission() is called, and I believe it should not be doing so.
> checkPermission(rundata, permission) seems the proper call. Just because an
> Entry has no specific role, doesn't mean that we should *ignore* the user's
> role derived ACL, right?
>
> I'll fix this - but if anyone has another opinion, please speak up!
>
> ****************************************
>
> Another thing - When BasePortletSet.allowCustomize() is called, why does it
> check for "PERMISSION_INFO" permission? Does anyone know what "info" means?
> Why is this not "PERMISSION_CUSTOMIZE"?
>
The INFO permission will display information on a portlet. See
template/vm/screens/html/Info.vm. I have only used this once while testing.
> Thanks.
>
> - Glenn
>
> --------------------------------------------
> Glenn R. Golden, Systems Research Programmer
> University of Michigan School of Information
> [EMAIL PROTECTED] 734-615-1419
> --------------------------------------------
>
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
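The two code paths Glenn describes, modelled as an added example (hypothetical code written for this thread, not Jetspeed's own): a registry entry with no role falls through to the CONFIG_DEFAULT_PERMISSION_LOGGEDIN wildcard and grants every action, while the proposed fix defers to the user's role-derived ACL. The class, the record type and the constructed ACL/config values are assumptions; only the method names quoted above come from the thread.

```java
import java.util.*;

// Hypothetical model of the permission fallback discussed in the thread; not Jetspeed code.
public class PermissionFallbackDemo {
    // Constructed config: the logged-in default permission set is the wildcard "*".
    static final Set<String> CONFIG_DEFAULT_PERMISSION_LOGGEDIN = Set.of("*");
    // Constructed role-derived ACL: role "user" is allowed "view" only.
    static final Map<String, Set<String>> ROLE_ACL = Map.of("user", Set.of("view"));
    // A null requiredRole models a registry entry with no security section.
    record RegistryEntry(String name, String requiredRole) {}

    // Flawed path as described: no role on the entry -> site-wide default set,
    // where "*" matches any permission, so minimize/close/configure are all granted.
    static boolean checkPermissionWithDefaultFallback(Set<String> userRoles,
                                                      String permission, RegistryEntry entry) {
        if (entry.requiredRole() == null) {
            return checkDefaultPermission(permission);
        }
        return userRoles.contains(entry.requiredRole()) && checkPermission(userRoles, permission);
    }
    static boolean checkDefaultPermission(String permission) {
        return CONFIG_DEFAULT_PERMISSION_LOGGEDIN.contains("*")
            || CONFIG_DEFAULT_PERMISSION_LOGGEDIN.contains(permission);
    }

    // Proposed path: an entry without a specific role still consults the user's ACL,
    // so "user" keeps "view" and nothing else.
    static boolean checkPermissionViaAcl(Set<String> userRoles,
                                         String permission, RegistryEntry entry) {
        if (entry.requiredRole() != null && !userRoles.contains(entry.requiredRole())) {
            return false;
        }
        return checkPermission(userRoles, permission);
    }
    static boolean checkPermission(Set<String> userRoles, String permission) {
        for (String role : userRoles) {
            if (ROLE_ACL.getOrDefault(role, Set.of()).contains(permission)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Set<String> roles = Set.of("user");
        RegistryEntry entry = new RegistryEntry("hello-portlet", null);
        for (String p : List.of("view", "customize", "close")) {
            System.out.printf("%-9s fallback=%-5b acl=%b%n", p,
                checkPermissionWithDefaultFallback(roles, p, entry),
                checkPermissionViaAcl(roles, p, entry));
        }
    }
}
```

Running it prints "view" granted by both paths, while "customize" and "close" are granted only by the default-fallback path, which is exactly the unexpected icon set reported for the "user" role.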