<br><br><div class="gmail_quote">On 14 May 2010 22:21, Matthew Wringe <span dir="ltr"><<a href="mailto:mwringe@redhat.com">mwringe@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div></div><div class="h5">On Wed, 2010-05-12 at 12:06 +0700, Trong Tran wrote:<br>
><br>
><br>
> On 30 April 2010 01:15, Matthew Wringe <<a href="mailto:mwringe@redhat.com">mwringe@redhat.com</a>> wrote:<br>
><br>
> On Thu, 2010-04-29 at 14:52 +0700, Trong Tran wrote:<br>
> ><br>
> ><br>
> > On 29 April 2010 10:02, Trong Tran <<a href="mailto:trongtt@gmail.com">trongtt@gmail.com</a>> wrote:<br>
> > Hi Matthew,<br>
> ><br>
> > On 29 April 2010 01:58, Matthew Wringe <<a href="mailto:mwringe@redhat.com">mwringe@redhat.com</a>> wrote:<br>
> > I created <a href="https://jira.jboss.org/jira/browse/GTNPORTAL-1137" target="_blank">https://jira.jboss.org/jira/browse/GTNPORTAL-1137</a> but<br>
> > it seems like it might be somewhat working depending on what it<br>
> > actually means.<br>
> ><br>
> > What is the permission setting in application registry supposed to<br>
> > actually do? Is it supposed to prevent a user from accessing the content<br>
> > or to prevent a user from adding that type of portlet to a page?<br>
> ><br>
> > It prevents a user from accessing the content<br>
> ><br>
> ><br>
> > Each portlet or gadget can specify an 'access permission', but this<br>
> > doesn't seem to prevent users from viewing the application.<br>
> ><br>
> > What it does seem to do is if an unauthorized user tries to add this<br>
> > portlet to a page, they can add the portlet, they just can't view the<br>
> > added portlet on the page. This doesn't seem like expected behaviour<br>
> > either.<br>
> ><br>
> > now this behaviour is expected actually except we re-define<br>
> > clearly what it should be<br>
><br>
><br>
> The only problem I see with this is that the user probably shouldn't be<br>
> able to see the portlet to add to the page.<br>
><br>
> The fact that when the unauthorized user adds the portlet to the page,<br>
> and then cannot access the portlet on the page does seem to be correct<br>
> behavior.<br>
><br>
> Yes, I agreed that user should not be able to add a portlet to the<br>
> page if he does not have access permission to that portlet<br>
><br>
><br>
> The problem is when root creates a page, adds a portlet to it and then<br>
> unauthorized users can still access it.<br>
><br>
> > About the GTNPORTAL-1137 :<br>
> > + I can change the permission of a portlet and still have an<br>
> > unauthorized user view its content. This is considered as a<br>
> > bug and we are checking it<br>
> ><br>
> ><br>
> > I cannot reproduce it. In my test, the unauthorized user cannot view<br>
> > the content of a portlet if its access permission is set up<br>
><br>
><br>
> Are you following the steps in the jira?<br>
><br>
> Please note that I am talking about changing the access permission of<br>
> the portlet (ie set in the app registry) not changing the permission of<br>
> a particular portlet instance on a page.<br>
><br>
> Changing the access permission in Application Registry does not affect<br>
> its existing portlet instance<br>
<br>
</div></div>I am still confused over what is happening here and what the designed<br>
behaviour is supposed to be.<br>
<br>
What I would expect the access permission in the application registry to<br>
do is to set the permission at the portlet level (not portlet instance<br>
level). This permission would override any portlet instance access<br>
permission. So each portlet would need to have both permissions be valid<br>
before allowing access to the portlet.<br>
So if I have my portal setup and I decide that a particular portlet<br>
should only be viewed by a specific group of people, then I set that<br>
permission in the application registry and all portlet instances should<br>
only be accessible by that group.<br>
I shouldn't need to go through all the portlet instances and manually<br>
change their permissions (and then periodically go through and check<br>
permissions to make sure nothing has changed or if a new instance has<br>
been added with the wrong permission).<br>
We need per portlet access permissions.<br>
<br>
It sounds like this is not how it's supposed to work, and that it was<br>
designed to work in another manner. We need to at least change the<br>
wording in the application registry page to something other than 'access<br>
permission'; it's dangerous to use that term here when it doesn't prevent<br>
user access to that particular portlet.<br>
<br>
How is it supposed to work right now?<br>
-Is this meant to prevent a group from adding this particular portlet to<br>
a page? (currently doesn't do this, if I set the portlet's access<br>
permission in public, users still can't see it).<br></blockquote><div><br>Currently no, it is not. But it makes sense to change this behaviour <br> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
-Is it meant to set the default permission of a portlet instance when<br>
added to a page (also doesn't do this, the default access permission for<br>
a portlet instance is set to public).<br></blockquote><div><br>Yes, it is. Doesn't it work for you?<br><br>Note that if a portlet is not setting any access permission == Public<br> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
I am trying to figure out the designed behaviour before opening jiras<br>
about these issues.<br>
<div><div></div><div class="h5"><br>
><br>
> > + It does seem to prevent a user from viewing a gadget as a<br>
> > portlet on the dashboard page, but they can still add the<br>
> > gadget as a gadget to the dashboard page. This behaviour is<br>
> > expected too except we re-define it :-)<br>
><br>
><br>
> I think we should have some sort of gadget permission settings for the<br>
> dashboard, and we should also see if we can restrict gadget access from<br>
> outside sources. The gadget xml files are publicly available for anyone<br>
> to access.<br>
> Even if we could restrict what gadget a user can put on the dashboard,<br>
> they could just add the gadget back using the gadget url.<br>
><br>
><br>
> ><br>
> ><br>
> _______________________________________________<br>
> > gatein-dev mailing list<br>
> > <a href="mailto:gatein-dev@lists.jboss.org">gatein-dev@lists.jboss.org</a><br>
> ><br>
> <a href="https://lists.jboss.org/mailman/listinfo/gatein-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/gatein-dev</a><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > --<br>
> > Tran The Trong<br>
> > eXo Platform SAS<br>
<br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Tran The Trong<br>eXo Platform SAS<br>
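The rule proposed in the quoted message (a portlet is viewable only when both the application-registry permission and the portlet-instance permission allow it), next to the instance-only behaviour reported for existing instances and the periodic audit the message wants to avoid, as an added example that is not part of the original e-mail and is not GateIn code. All class, function and group names are hypothetical, and an empty permission set is treated as Public, following the note in the reply.

```python
# Toy model of the two permission levels discussed in the thread (not GateIn code).
from dataclasses import dataclass

PUBLIC = frozenset()  # assumption taken from the thread: no permission set == Public


@dataclass(frozen=True)
class Portlet:
    name: str
    registry_groups: frozenset = PUBLIC   # 'access permission' in the application registry


@dataclass(frozen=True)
class PortletInstance:
    page: str
    portlet: Portlet
    instance_groups: frozenset = PUBLIC   # permission of this instance on a page


def _allows(groups, user_groups):
    """An empty set means Public; otherwise one shared group grants access."""
    return not groups or bool(groups & user_groups)


def can_view(instance, user_groups):
    """Proposed rule: registry-level AND instance-level permission must both allow."""
    user_groups = frozenset(user_groups)
    return (_allows(instance.portlet.registry_groups, user_groups)
            and _allows(instance.instance_groups, user_groups))


def can_view_instance_only(instance, user_groups):
    """Reported behaviour for existing instances: the registry setting is not consulted."""
    return _allows(instance.instance_groups, frozenset(user_groups))


def audit(instances):
    """List instances whose own permission admits users the registry permission excludes."""
    findings = []
    for inst in instances:
        reg, own = inst.portlet.registry_groups, inst.instance_groups
        if reg and (not own or not own <= reg):
            findings.append((inst.page, inst.portlet.name, sorted(own - reg) or ["Public"]))
    return findings


# Constructed sample data: one portlet restricted to "admins" in the registry.
REPORTS = Portlet("ReportsPortlet", frozenset({"admins"}))
INSTANCES = [
    PortletInstance("home", REPORTS),                         # instance left Public
    PortletInstance("admin", REPORTS, frozenset({"admins"})),
    PortletInstance("team", REPORTS, frozenset({"staff"})),   # broader than the registry
]
```
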