[gatein-issues] [JBoss JIRA] Commented: (GTNPORTAL-1163) Missing permission check on displayed item in 'portalnavigation' node 's page

Minh Hoang TO (JIRA) jira-events at lists.jboss.org
Thu May 6 00:48:05 EDT 2010


    [ https://jira.jboss.org/jira/browse/GTNPORTAL-1163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12529279#action_12529279 ] 

Minh Hoang TO commented on GTNPORTAL-1163:
------------------------------------------

At the moment, checking edit layout and edit navigation permissions simultaneously is quite complex as PortalConfig and PageNavigation are not linked together. The 'find' methods in DataStorage do not allow us to get the couple <PortalConfig, PageNavigation> within one query.

For this issue, I suggest two solutions:

1. Remove the 'Edit Layout' link (which is not really useful), then UISiteManagement plays the same role as UIGroupNavigationManagement and the two could be merged into a single class. Some ugly Java code in UIPortalComposer could be thrown away too!


2. Define a wrapper of PortalConfig and PageNavigation, and of course methods to load this wrapper in DataStorage. That should be something like

 SiteConfig {
    PortalConfig siteLayout;
    PageNavigation siteNavigation;

    public boolean couldEditSiteNavigation()
    public boolean couldEditSiteLayout()
 }


Personally, I vote for (1).

> Missing permission check on displayed item in 'portalnavigation' node 's page
> -----------------------------------------------------------------------------
>
>                 Key: GTNPORTAL-1163
>                 URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1163
>             Project: GateIn Portal
>          Issue Type: Bug
>    Affects Versions: 3.0.0-GA
>            Reporter: Minh Hoang TO
>            Assignee: Minh Hoang TO
>
>  When a user clicks on the 'Site' node, the page content shows portal sites for which he/she has edit permission either on navigation or layout. The current Java code checks only edit permissions on PortalConfig:
> // Get portals without edit permission
>       UserACL userACL = getApplicationComponent(UserACL.class);
>       Iterator<PortalConfig> iterPortals = tempArrayList.iterator();
>       PortalConfig portalConfig;
>       while (iterPortals.hasNext())
>       {
>          portalConfig = iterPortals.next();
>          if (!userACL.hasEditPermission(portalConfig))
>          {
>             iterPortals.remove();
>          }
>       }

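Added example, not part of the original message and not GateIn code: a self-contained sketch of the wrapper from option 2, comparing the layout-only filter from the issue description with a filter that keeps a site when either permission is held. All types are simplified stand-ins (the Acl record, its canEdit method and the permission strings are assumptions made for illustration), and the sample data is constructed.

```java
import java.util.*;

// Every type here is a simplified stand-in, not GateIn's real class.
public class SiteFilterDemo {
    record PortalConfig(String name, String editPermission) {}
    record PageNavigation(String ownerId, String editPermission) {}

    // Hypothetical ACL: the user may edit an object if they hold its edit permission.
    record Acl(Set<String> memberships) {
        boolean canEdit(String editPermission) { return memberships.contains(editPermission); }
    }

    // Wrapper from option 2: layout and navigation are loaded and checked as one unit.
    record SiteConfig(PortalConfig siteLayout, PageNavigation siteNavigation) {
        boolean couldEditSiteLayout(Acl acl) { return acl.canEdit(siteLayout.editPermission()); }
        boolean couldEditSiteNavigation(Acl acl) {
            // A site without a navigation grants nothing through this path.
            return siteNavigation != null && acl.canEdit(siteNavigation.editPermission());
        }
    }

    // Check as reported in the issue: only the layout permission is consulted.
    static List<String> visibleLayoutOnly(List<SiteConfig> sites, Acl acl) {
        List<String> out = new ArrayList<>();
        for (SiteConfig s : sites)
            if (s.couldEditSiteLayout(acl)) out.add(s.siteLayout().name());
        return out;
    }

    // Check the issue asks for: list the site if either permission is held.
    static List<String> visibleEither(List<SiteConfig> sites, Acl acl) {
        List<String> out = new ArrayList<>();
        for (SiteConfig s : sites)
            if (s.couldEditSiteLayout(acl) || s.couldEditSiteNavigation(acl))
                out.add(s.siteLayout().name());
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data: the user can edit only the navigation of "classic".
        List<SiteConfig> sites = List.of(
            new SiteConfig(new PortalConfig("classic", "manager:/platform/administrators"),
                           new PageNavigation("classic", "*:/platform/web-contributors")),
            new SiteConfig(new PortalConfig("intranet", "manager:/platform/administrators"),
                           new PageNavigation("intranet", "manager:/platform/administrators")));
        Acl contributor = new Acl(Set.of("*:/platform/web-contributors"));
        System.out.println("layout only: " + visibleLayoutOnly(sites, contributor));
        System.out.println("either:      " + visibleEither(sites, contributor));
    }
}
```

The two per-permission methods also let the UI enable each edit link separately, so a site listed because of its navigation permission does not expose the layout link. The nested records require Java 16 or later.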