> Originally, the check was there to avoid hard coding a specific > role in the > action. Also, this provides a method of security for Turbine actions as > well as portlet actions. > > I like the idea of using the portlet's security access. The only > question I > have deals with action events. Most of the portlets were written > before the > GenericMVCPortlet and GenericMVCAction were created. To fire > actions/events, they specify the action on the url. Because of this, > Turbine runs the action event before the GenericMVCAction does. > When this > happens, there is no portlet in the context. What should be done in this > case? Can the security access still be used? >
This is why we concluded before that a viable solution would be to create a custom portlet action loader which would replace the Turbine's. The portlet action loader would always check the portlet's security ref before allowing the action to proceed. I haven't thought this completely thru so there may be other complications. IMO that would be a good approach but minimally it would require moving all portlet actions to a separate package (a.j.modules.portletaction) so it's a backward compatibility issue. Best regards, Mark Orciuch - [EMAIL PROTECTED] Jakarta Jetspeed - Enterprise Portal in Java http://jakarta.apache.org/jetspeed/ --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
