[jboss-user] [JBoss Portal] - Re: Security constraints for portlets

zerrt do-not-reply at jboss.com
Thu Sep 28 19:31:47 EDT 2006


anonymous wrote : This is not a bug. The whole idea of the portal is to let the users customize their portal (next version of portal will include dashboard management). 
  | 
  | You want to let the users edit the preferences of a portlet. Let's say you want to let one user display 15 posts per forum page and the other display 20. 
  | 
  | That's why we have management portlets (for admins). 
  | 
  | That said, one custom state could be an administration state restricted to some roles.

I suppose I understand what you are saying about the most common use of the edit mode and that all users should be able to access it if it is used for things like personal settings, etc.  This is the intended use for this mode, I know.  But I don't think that it should be taken for granted that this will always be the case and that the ability to permission the edit mode is not needed.  All other portals that I have ever worked with allow you to set permissions on the view and edit modes independently.  Reading this thread, it is clear that cases that need this kind of functionality are not that uncommon.

For my case, since I have no user edit functions for my portlet but I have admin edit functions, it would be convenient for me to use the edit mode of a portlet for admin use.  It may not be the common use but it is a valid use in my opinion and should be allowed.  It allows me to take advantage of the built-in icon in the portal header, etc. without having to do extra work.

I looked more closely at the permissions and it looks like the personalize option does set permissions for the edit mode.  It's just that you can only set them on portal or page instances.  So in theory I could set up a portlet with the edit mode only for the admin role - as long as it is OK that all the portlets on that page have the same permissions.  But I can't figure out why it is set up like that.  Why not keep the permissions consistent at every level?  There is nothing to be gained by limiting the flexibility in this way.  It just makes the permission system less fine-grained.  Maybe it's just that I am used to doing things a different way and I have to get used to this new way for it to make sense.  I know that these kinds of things are being addressed for version 2.6 so maybe all this will be straightened out soon.  I'm not sure what dashboard management is, though.  What kind of functionality does that include?

Anyway, thanks for the suggestion of creating a custom mode.  To create a custom "admin" mode, would I have to create my own layout and render set if I want to add a new icon for this mode on the portlet header?  Maybe it might be easier to just have a link inside the body of the portlet that only appears for the admin role.  Then the admin edit functionality can just be a view of the portlet that doesn't need a special mode.  Not ideal but it should be fairly easy to do.

I'm sure I'll figure something out.  At least I know why what I was trying to do won't work.  This forum has really helped me out a lot.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3975046#3975046
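
The workaround considered in the post above (an admin-only link in the portlet body instead of a permissioned edit mode), as an added example that is not part of the original post or of JBoss Portal: hiding the link is only presentation, so the role check is repeated where the admin view is rendered and where its form is processed. The class name, the `Admin` role name and the `admin`/`setting` parameters are assumptions; the calls are the standard JSR-168 `javax.portlet` API.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.portlet.*;

// Hypothetical portlet: class name, role name and parameter names are assumptions.
// The role must also be declared for the portlet (security-role-ref in portlet.xml).
public class AdminLinkPortlet extends GenericPortlet {
    private static final String ADMIN_ROLE = "Admin";

    private static boolean isAdmin(PortletRequest request) {
        return request.isUserInRole(ADMIN_ROLE);
    }

    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        if ("true".equals(request.getParameter("admin"))) {
            // The render parameter is user-controllable, so check the role again here.
            if (!isAdmin(request)) {
                throw new PortletSecurityException("admin view requires role " + ADMIN_ROLE);
            }
            out.println("<form method=\"post\" action=\"" + response.createActionURL() + "\">");
            out.println("<input type=\"text\" name=\"setting\"/><input type=\"submit\" value=\"Save\"/></form>");
            return;
        }
        out.println("<p>Regular portlet content</p>");
        if (isAdmin(request)) {
            PortletURL admin = response.createRenderURL();
            admin.setParameter("admin", "true");
            out.println("<a href=\"" + admin + "\">Administration</a>");
        }
    }

    public void processAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        // Action URLs can be submitted without ever seeing the link: enforce the role here too.
        if (!isAdmin(request)) {
            throw new PortletSecurityException("action requires role " + ADMIN_ROLE);
        }
        String setting = request.getParameter("setting");
        // Validate and persist 'setting' here (storage is outside this example).
        response.setRenderParameter("admin", "true");
    }
}
```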
