Re: Protecting Project Screen from parties not listed as a resource

Thu, 28 Jul 2011 10:52:05 -0700

Create a permission service, then use that in your screens instead of specific permission checks. You can find examples of this in the Party Manager. 

-Adrian


On 7/28/2011 6:49 PM, Mansour Al Akeel wrote:

On my local system, any user with PROJECTMGR_VIEW can access projects
even if they are not listed as a resource. I wanted to limit this
permission so, I edited the ProjectScreens.xml to check for permissions.

<screen name="ProjectView">
     <section>
         <condition>
             <or>
                 <if-has-permission permission="PROJECTMGR_ADMIN"/>
                 <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
             </or>
         </condition>
         <actions>
             <set field="titleProperty" value="ProjectMgrProjectSummary"/>
             <set field="tabButtonItem" value="projectView"/>
             <set field="projectId" from-field="parameters.projectId" 
default-value="${parameters.workEffortId}"/>
             <service service-name="getProject" result-map="result">
                 <field-map field-name="projectId" from-field="projectId"/>
             </service>
             <set field="project" from-field="result.projectInfo"/>
         </actions>
         <widgets>
             <decorator-screen name="CommonProjectDecorator" 
location="${parameters.mainDecoratorLocation}">
                 <decorator-section name="body">
                     <container style="lefthalf">
                         <screenlet 
title="${uiLabelMap.PageTitleProjectInformation}">
                             <include-form name="ProjectInfo" 
location="component://projectmgr/widget/forms/ProjectForms.xml"/>
                         </screenlet>
                         <include-screen name="SubProjectsInfo"/>
                         <include-screen name="PhasesInfo"/>
                     </container>
                     <container style="righthalf">
                         <include-screen name="PartiesInfo"/>
                         <include-screen name="NoteInfo"/>
                         <include-screen name="ListProjectContent"/>
                         <include-screen name="OrderInfo"/>
                     </container>
                     <container style="clear"/>
                     <include-screen name="TasksInfo"/>
                 </decorator-section>
             </decorator-screen>
         </widgets>
     </section>
</screen>

However, a user with PROJECTMGR_ROLE_VIEW can still view any project
regardless if she is a member of that project or not, by navigating to:

https://localhost:8443/projectmgr/control/projectView?projectId=9100

If I understand thing correctely, PROJECTMGR_ROLE_VIEW allows access to
entities owned by party, or if she is listed as a resource.

Any advice ?

Reply via email to