Re: Protecting Project Screen from parties not listed as a resource

Thu, 28 Jul 2011 12:46:41 -0700 

another approach is to use the portlets and follow the myxxxx like
mytasks. Then only allow them to login to myportal and have the portal
permissions.

Mansour Al Akeel sent the following on 7/28/2011 10:49 AM:
> On my local system, any user with PROJECTMGR_VIEW can access projects
> even if they are not listed as a resource. I wanted to limit this
> permission so, I edited the ProjectScreens.xml to check for permissions.
> 
> <screen name="ProjectView">
>     <section>
>         <condition>
>             <or>
>                 <if-has-permission permission="PROJECTMGR_ADMIN"/>
>                 <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
>             </or>
>         </condition>
>         <actions>
>             <set field="titleProperty" value="ProjectMgrProjectSummary"/>
>             <set field="tabButtonItem" value="projectView"/>
>             <set field="projectId" from-field="parameters.projectId" 
> default-value="${parameters.workEffortId}"/>
>             <service service-name="getProject" result-map="result">
>                 <field-map field-name="projectId" from-field="projectId"/>
>             </service>
>             <set field="project" from-field="result.projectInfo"/>
>         </actions>
>         <widgets>
>             <decorator-screen name="CommonProjectDecorator" 
> location="${parameters.mainDecoratorLocation}">
>                 <decorator-section name="body">
>                     <container style="lefthalf">
>                         <screenlet 
> title="${uiLabelMap.PageTitleProjectInformation}">
>                             <include-form name="ProjectInfo" 
> location="component://projectmgr/widget/forms/ProjectForms.xml"/>
>                         </screenlet>
>                         <include-screen name="SubProjectsInfo"/>
>                         <include-screen name="PhasesInfo"/>
>                     </container>
>                     <container style="righthalf">
>                         <include-screen name="PartiesInfo"/>
>                         <include-screen name="NoteInfo"/>
>                         <include-screen name="ListProjectContent"/>
>                         <include-screen name="OrderInfo"/>
>                     </container>
>                     <container style="clear"/>
>                     <include-screen name="TasksInfo"/>
>                 </decorator-section>
>             </decorator-screen>
>         </widgets>
>     </section>
> </screen>
> 
> However, a user with PROJECTMGR_ROLE_VIEW can still view any project
> regardless if she is a member of that project or not, by navigating to:
> 
> https://localhost:8443/projectmgr/control/projectView?projectId=9100
> 
> If I understand thing correctely, PROJECTMGR_ROLE_VIEW allows access to
> entities owned by party, or if she is listed as a resource. 
> 
> Any advice ? 
> 
> 
>

Reply via email to