<br><br><div class="gmail_quote">On 30 April 2010 01:15, Matthew Wringe <span dir="ltr"><<a href="mailto:mwringe@redhat.com">mwringe@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div></div><div class="h5">On Thu, 2010-04-29 at 14:52 +0700, Trong Tran wrote:<br>
><br>
><br>
> On 29 April 2010 10:02, Trong Tran <<a href="mailto:trongtt@gmail.com">trongtt@gmail.com</a>> wrote:<br>
> Hi Matthew,<br>
><br>
> On 29 April 2010 01:58, Matthew Wringe <<a href="mailto:mwringe@redhat.com">mwringe@redhat.com</a>><br>
> wrote:<br>
> I created<br>
> <a href="https://jira.jboss.org/jira/browse/GTNPORTAL-1137" target="_blank">https://jira.jboss.org/jira/browse/GTNPORTAL-1137</a> but<br>
> it seems<br>
> like it might be somewhat working depending on what it<br>
> actually means.<br>
><br>
> What is the permission setting in the application registry<br>
> supposed to<br>
> actually do? Is it supposed to prevent a user from<br>
> accessing the content<br>
> or to prevent a user from adding that type of portlet<br>
> to a page?<br>
><br>
> It prevents a user from accessing the content<br>
><br>
><br>
> Each portlet or gadget can specify a 'access<br>
> permission', but this<br>
> doesn't seem to prevent users from viewing the<br>
> application.<br>
><br>
> What it does seem to do is if an unauthorized user<br>
> tries to add this<br>
> portlet to a page, they can add the portlet, they just<br>
> can't view the<br>
> added portlet on the page. This doesn't seem like<br>
> expected behaviour<br>
> either.<br>
><br>
> Now this behaviour is actually expected, unless we clearly<br>
> re-define what it should be<br>
<br>
</div></div>The only problem I see with this is that the user probably shouldn't be<br>
able to see the portlet to add to the page.<br>
<br>
The fact that when the unauthorized user adds the portlet to the page,<br>
and then cannot access the portlet on the page does seem to be correct<br>
behavior.<br></blockquote><div><br>Yes, I agree that a user should not be able to add a portlet to the page if he does not have access permission to that portlet.<br> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
The problem is when root creates a page, adds a portlet to it and then<br>
unauthorized users can still access it.<br>
<div class="im"><br>
> About the GTNPORTAL-1137 :<br>
> + I can change the permission of a portlet and still have an<br>
> unauthorized user view its content. This is considered as a<br>
> bug and we are checking it<br>
><br>
><br>
> I cannot reproduce it. In my test, the unauthorized user cannot view<br>
> the content of a portlet if its access permission is set up.<br>
<br>
</div>Are you following the steps in the jira?<br>
<br>
please note that I am talking about changing the access permission of<br>
the portlet (ie set in the app registry) not changing the permission of<br>
a particular portlet instance on a page.<br></blockquote><div><br>Changing the access permission in the Application Registry does not affect its existing portlet instances.<br> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im"><br>
> + It does seem to prevent a user from viewing a gadget as a<br>
> portlet on the dashboard page, but they can still add the<br>
> gadget as a gadget to the dashboard page. This behaviour is<br>
> expected too, unless we re-define it :-)<br>
<br>
</div>I think we should have some sort of gadget permission settings for the<br>
dashboard, and we should also see if we can restrict gadget access from<br>
outside sources. The gadget xml files are publicly available for anyone<br>
to access.<br>
Even if we could restrict what gadget a user can put on the dashboard,<br>
they could just add the gadget back using the gadget url.<br>
<div><div></div><div class="h5"><br>
><br>
> _______________________________________________<br>
> gatein-dev mailing list<br>
> <a href="mailto:gatein-dev@lists.jboss.org">gatein-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/gatein-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/gatein-dev</a><br>
><br>
><br>
><br>
><br>
> --<br>
> Tran The Trong<br>
> eXo Platform SAS<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Tran The Trong<br>eXo Platform SAS<br>