<br><br><div class="gmail_quote">2010/5/20 Matthew Wringe <span dir="ltr"><<a href="mailto:mwringe@redhat.com">mwringe@redhat.com</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div></div><div class="h5">On Thu, 2010-05-20 at 10:16 +0700, Trong Tran wrote:<br>
><br>
><br>
> On 14 May 2010 22:21, Matthew Wringe <<a href="mailto:mwringe@redhat.com">mwringe@redhat.com</a>> wrote:<br>
><br>
> On Wed, 2010-05-12 at 12:06 +0700, Trong Tran wrote:<br>
> ><br>
> ><br>
> > On 30 April 2010 01:15, Matthew Wringe <<a href="mailto:mwringe@redhat.com">mwringe@redhat.com</a>> wrote:<br>
> ><br>
> > On Thu, 2010-04-29 at 14:52 +0700, Trong Tran wrote:<br>
> > ><br>
> > ><br>
> > > On 29 April 2010 10:02, Trong Tran <<a href="mailto:trongtt@gmail.com">trongtt@gmail.com</a>> wrote:<br>
> > > Hi Matthew,<br>
> > ><br>
> > > On 29 April 2010 01:58, Matthew Wringe <<a href="mailto:mwringe@redhat.com">mwringe@redhat.com</a>> wrote:<br>
> > > I created <a href="https://jira.jboss.org/jira/browse/GTNPORTAL-1137" target="_blank">https://jira.jboss.org/jira/browse/GTNPORTAL-1137</a> but it seems like it might be somewhat working depending on what it actually means.<br>
> > ><br>
> > > What is the permission setting in application registry supposed to actually do? Is it supposed to prevent a user from accessing the content or to prevent a user from adding that type of portlet to a page?<br>
> > ><br>
> > > It prevents a user from accessing the content<br>
> > ><br>
> > ><br>
> > > Each portlet or gadget can specify an 'access permission', but this doesn't seem to prevent users from viewing the application.<br>
> > ><br>
> > > What it does seem to do is if an unauthorized user tries to add this portlet to a page, they can add the portlet, they just can't view the added portlet on the page. This doesn't seem like expected behaviour either.<br>
> > ><br>
> > > Now this behaviour is expected actually except we re-define clearly what it should be<br>
> ><br>
> ><br>
> > The only problem I see with this is that the user probably shouldn't be able to see the portlet to add to the page.<br>
> ><br>
> > The fact that when the unauthorized user adds the portlet to the page, and then cannot access the portlet on the page does seem to be correct behavior.<br>
> ><br>
> > Yes, I agreed that user should not be able to add a portlet to the page if he does not have access permission to that portlet<br>
> ><br>
> ><br>
> > The problem is when root creates a page, adds a portlet to it and then unauthorized users can still access it.<br>
> ><br>
> > > About the GTNPORTAL-1137 :<br>
> > > + I can change the permission of a portlet and still have an unauthorized user view its content. This is considered as a bug and we are checking it<br>
> > ><br>
> > ><br>
> > > I cannot reproduce it. In my test, the unauthorized user can not view the content of a portlet if its access permission is set up<br>
> ><br>
> ><br>
> > Are you following the steps in the jira?<br>
> ><br>
> > Please note that I am talking about changing the access permission of the portlet (i.e. set in the app registry) not changing the permission of a particular portlet instance on a page.<br>
> ><br>
> > Changing the access permission in Application Registry does not affect its existing portlet instance<br>
><br>
><br>
> I am still confused over what is happening here and what the designed behaviour is supposed to be.<br>
><br>
> What I would expect the access permission in the application registry to do is to set the permission at the portlet level (not portlet instance level). This permission would override any portlet instance access permission. So each portlet would need to have both permissions be valid before allowing access to the portlet.<br>
> So if I have my portal set up and I decide that a particular portlet should only be viewed by a specific group of people, then I set that permission in the application registry and all portlet instances should only be accessible by that group.<br>
> I shouldn't need to go through all the portlet instances and manually change their permissions (and then periodically go through and check permissions to make sure nothing has changed or if a new instance has been added with the wrong permission).<br>
> We need per portlet access permissions.<br>
><br>
> It sounds like this is not how it's supposed to work, and that it was designed to work in another manner. We need to at least change the wording in the application registry page to something other than 'access permission', it's dangerous to use that term here when it doesn't prevent user access to that particular portlet.<br>
><br>
> How is it supposed to work right now?<br>
> -Is this meant to prevent a group from adding this particular portlet to a page? (currently doesn't do this, if I set the portlet's access permission in public, users still can't see it).<br>
><br>
> Currently No, it is not. But it makes sense to change this behaviour<br>
<br>
</div></div>Yes, it makes sense if the user can't access the portlet it shouldn't be<br>
taking up space in the page editor. </blockquote><div><br>Actually, we have defined something to work like that in the JIRA issue <a href="http://jira.jboss.org/browse/GTNPORTAL-715">http://jira.jboss.org/browse/GTNPORTAL-715</a>. The portlet should take space as the user can take it into account for other people who can see that protected component<br>
</div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">This will just confuse people as to<br>
why they can add the portlet to their dashboard pages but can't see<br>
them.<br></blockquote><div><br>As I said, this makes sense to prevent the user from newly adding a protected portlet<br> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
I don't know if this is currently working or not as changing a portlet<br>
to be public still doesn't make that portlet appear to users in their<br>
dashboards.<br>
<div class="im"><br>
><br>
> -Is it meant to set the default permission of a portlet instance when added to a page (also doesn't do this, the default access permission for a portlet instance is set to public).<br>
><br>
> Yes, it is. Doesn't it work for you?<br>
<br>
</div>No, it doesn't work for me, it always makes the permission public<br>
regardless of what the permission of the portlet actually is.<br>
<br>
I have updated the original jira with this information<br>
<a href="http://jira.jboss.org/browse/GTNPORTAL-1137" target="_blank">http://jira.jboss.org/browse/GTNPORTAL-1137</a><br></blockquote><div><br>I can reproduce it now and this is considered a cache issue at UI level. It means a re-login is required after changing permissions in Application Registry. We are going to fix it soon<br>
</div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div> </div></blockquote><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">
> Note that if a portlet is not setting any access permission == Public<br>
<br>
</div>OK, why don't we just set the portlet to be public in the first place?<br>
It's confusing that the default access permission in the application<br>
registry is not set to public, yet this is assumed to be the default<br>
state.<br></blockquote><div><br>Yes, we should. I addressed it to <a href="https://jira.jboss.org/jira/browse/GTNPORTAL-1239">https://jira.jboss.org/jira/browse/GTNPORTAL-1239</a><br> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
Also, we should change the wording in the application registry for this<br>
to make it clear what it's meant to do.<br>
(<a href="http://jira.jboss.org/browse/GTNPORTAL-1229" target="_blank">http://jira.jboss.org/browse/GTNPORTAL-1229</a>)<br>
<div><div></div><div class="h5"><br>
><br>
> I am trying to figure out the designed behaviour before opening jiras about these issues.<br>
><br>
><br>
> ><br>
> > > + It does seem to prevent a user from viewing a gadget as a portlet on the dashboard page, but they can still add the gadget as a gadget to the dashboard page. This behaviour is expected too except we re-define it :-)<br>
> ><br>
> ><br>
> > I think we should have some sort of gadget permission settings for the dashboard, and we should also see if we can restrict gadget access from outside sources. The gadget xml files are publicly available for anyone to access.<br>
> > Even if we could restrict what gadget a user can put on the dashboard, they could just add the gadget back using the gadget url.<br>
> ><br>
> ><br>
> > ><br>
> > ><br>
> > _______________________________________________<br>
> > > gatein-dev mailing list<br>
> > > <a href="mailto:gatein-dev@lists.jboss.org">gatein-dev@lists.jboss.org</a><br>
> > ><br>
> > <a href="https://lists.jboss.org/mailman/listinfo/gatein-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/gatein-dev</a><br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > > --<br>
> > > Tran The Trong<br>
> > > eXo Platform SAS<br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Tran The Trong<br>eXo Platform SAS<br>
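<div>Added example (not part of the original message and not GateIn code): a toy Python model of the behaviour requested in the thread, where viewing requires both the application-registry permission and the instance permission, an unset permission means Public, and the add-portlet list is filtered by the registry permission. All class, function and group names are hypothetical.</div>

```python
# Toy model of the two-layer check discussed in the thread. Not GateIn code;
# every name here is hypothetical and the sample data is constructed.
from dataclasses import dataclass

PUBLIC = "Everyone"  # constructed marker meaning "no restriction"


@dataclass
class Portlet:
    """Application registry entry (portlet level)."""
    name: str
    access: frozenset = frozenset()  # empty == not set == Public, as in the thread


@dataclass
class Instance:
    """A portlet placed on a page (instance level)."""
    portlet: Portlet
    access: frozenset


def allows(perm, groups):
    """True if an unset/Public permission, or a shared group, grants access."""
    return not perm or PUBLIC in perm or bool(perm & groups)


def new_instance(portlet):
    """Default the instance permission from the registry, not to Public."""
    return Instance(portlet, portlet.access or frozenset({PUBLIC}))


def can_view(inst, groups):
    """Both layers must allow. The registry value is read at check time,
    so a registry change applies to existing instances without a re-login."""
    return allows(inst.portlet.access, groups) and allows(inst.access, groups)


def addable(registry, groups):
    """Portlets a user may be offered in the page editor."""
    return [p.name for p in registry if allows(p.access, groups)]


def demo():
    payroll = Portlet("payroll", frozenset({"/hr"}))
    news = Portlet("news")                      # no permission set -> Public
    by_root = Instance(payroll, frozenset({PUBLIC}))  # root left instance public
    news_inst = new_instance(news)
    before = can_view(news_inst, {"/users"})
    news.access = frozenset({"/staff"})         # admin tightens the registry
    after = can_view(news_inst, {"/users"})
    return can_view(by_root, {"/users"}), before, after, addable([payroll, news], {"/hr"})
```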