Re: Protecting Project Screen from parties not listed as a resource

Thu, 28 Jul 2011 12:14:18 -0700 

there is another permission in the ProjectMgrSecurityData.xml
PROJECTUSER
so remove the PROJECTMGR_ from those that you don't want to have that
permission.


Mansour Al Akeel sent the following on 7/28/2011 10:49 AM:
> On my local system, any user with PROJECTMGR_VIEW can access projects
> even if they are not listed as a resource. I wanted to limit this
> permission so, I edited the ProjectScreens.xml to check for permissions.
> 
> <screen name="ProjectView">
>     <section>
>         <condition>
>             <or>
>                 <if-has-permission permission="PROJECTMGR_ADMIN"/>
>                 <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
>             </or>
>         </condition>
>         <actions>
>             <set field="titleProperty" value="ProjectMgrProjectSummary"/>
>             <set field="tabButtonItem" value="projectView"/>
>             <set field="projectId" from-field="parameters.projectId" 
> default-value="${parameters.workEffortId}"/>
>             <service service-name="getProject" result-map="result">
>                 <field-map field-name="projectId" from-field="projectId"/>
>             </service>
>             <set field="project" from-field="result.projectInfo"/>
>         </actions>
>         <widgets>
>             <decorator-screen name="CommonProjectDecorator" 
> location="${parameters.mainDecoratorLocation}">
>                 <decorator-section name="body">
>                     <container style="lefthalf">
>                         <screenlet 
> title="${uiLabelMap.PageTitleProjectInformation}">
>                             <include-form name="ProjectInfo" 
> location="component://projectmgr/widget/forms/ProjectForms.xml"/>
>                         </screenlet>
>                         <include-screen name="SubProjectsInfo"/>
>                         <include-screen name="PhasesInfo"/>
>                     </container>
>                     <container style="righthalf">
>                         <include-screen name="PartiesInfo"/>
>                         <include-screen name="NoteInfo"/>
>                         <include-screen name="ListProjectContent"/>
>                         <include-screen name="OrderInfo"/>
>                     </container>
>                     <container style="clear"/>
>                     <include-screen name="TasksInfo"/>
>                 </decorator-section>
>             </decorator-screen>
>         </widgets>
>     </section>
> </screen>
> 
> However, a user with PROJECTMGR_ROLE_VIEW can still view any project
> regardless if she is a member of that project or not, by navigating to:
> 
> https://localhost:8443/projectmgr/control/projectView?projectId=9100
> 
> If I understand thing correctely, PROJECTMGR_ROLE_VIEW allows access to
> entities owned by party, or if she is listed as a resource. 
> 
> Any advice ? 
> 
> 
>

Reply via email to