Here is a proposed patch containing security over BasePortletSet. Logic applied per Paul Spencer's suggestion.

This negates my initial proposal.

@see: [PROPOSAL] add checkPermission(JetspeedUser, SecurityReference, String) to PortalAccessController

Scott

Index: src/java/org/apache/jetspeed/portal/BasePortletSet.java
===================================================================
RCS file: 
/home/cvspublic/jakarta-jetspeed/src/java/org/apache/jetspeed/portal/BasePortletSet.java,v
retrieving revision 1.22
diff -u -r1.22 BasePortletSet.java
--- src/java/org/apache/jetspeed/portal/BasePortletSet.java     1 Jul 2002 06:04:28 
-0000       1.22
+++ src/java/org/apache/jetspeed/portal/BasePortletSet.java     22 Jul 2002 14:28:05 
+-0000
@@ -67,16 +67,17 @@
 
 import org.apache.jetspeed.services.persistence.PersistenceManager;
 import org.apache.jetspeed.services.persistence.PortalPersistenceException;
-import org.apache.jetspeed.portal.PortletInstance;
 
 //turbine stuff
 import org.apache.turbine.util.Log;
 import org.apache.turbine.util.RunData;
 import org.apache.jetspeed.services.resources.JetspeedResources;
+import org.apache.jetspeed.services.rundata.JetspeedRunData;
 import org.apache.jetspeed.services.portletcache.Cacheable;
 
 //ECS stuff
 import org.apache.ecs.ConcreteElement;
+import org.apache.ecs.StringElement;
 
 /**
  * The PortletSet is basically a wrapper around an array of portlets. It provides
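Review bot: no import for JetspeedSecurity appears among the added imports, yet the next hunk calls JetspeedSecurity.checkPermission(...) and JetspeedSecurity.PERMISSION_VIEW in getContent(). Confirm the class is already imported elsewhere in the file or add the import here, otherwise the file will not compile. Dropping the PortletInstance import is harmless, since that class is in the same org.apache.jetspeed.portal package as BasePortletSet.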
@@ -316,9 +317,24 @@
     */
     public ConcreteElement getContent(RunData rundata)
     {
+        ConcreteElement content = null; 
+        PortletController controller = getController();        
 
-        ConcreteElement content = null;
-        PortletController controller = getController();
+        if(!JetspeedSecurity.checkPermission((JetspeedRunData) rundata, 
+                  JetspeedSecurity.PERMISSION_VIEW, this))
+        {   
+            Log.debug("Unauthorized access by user 
+\""+rundata.getUser().getUserName()+"+\"");
+            // Clear any portlets that exist in this set
+            if(this.portlets != null)
+            {
+                this.portlets.clear();
+            }
+            return new StringElement("You do not have access to these portlets.");
+        }
+        else
+        {
+            Log.debug("User \""+rundata.getUser().getUserName()+" is authorized to 
+portlet set "+getID());
+        }
             
         if ( controller == null )
         {
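Review bot: the denied branch of getContent() calls this.portlets.clear(), which mutates the set's state from a render path on behalf of a user who just failed the permission check. If this PortletSet instance is cached or shared across requests (the file imports Cacheable), one unauthorized request would empty the set for users who are authorized. Return the denial element and leave the collection untouched. The denial is also logged only through Log.debug, so it will not appear when debug logging is off; logging it at a higher level and including getID() would make it auditable. Both log strings have quoting slips: the first carries a stray + inside the literal ("+\"") and the second never closes the quote after the user name. The (JetspeedRunData) cast and rundata.getUser() are unchecked, so a different RunData implementation or a missing user would throw here instead of producing a clean denial.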
