On Thu, 2010-04-29 at 14:52 +0700, Trong Tran wrote:
On 29 April 2010 10:02, Trong Tran <trongtt(a)gmail.com> wrote:
Hi Matthew,
On 29 April 2010 01:58, Matthew Wringe <mwringe(a)redhat.com> wrote:
I created https://jira.jboss.org/jira/browse/GTNPORTAL-1137 but it seems like it might be somewhat working depending on what it actually means.
What is the permission setting in application registry supposed to actually do? Is it supposed to prevent a user from accessing the content or to prevent a user from adding that type of portlet to a page?
It prevents a user from accessing the content
Each portlet or gadget can specify an 'access permission', but this doesn't seem to prevent users from viewing the application.
What it does seem to do is if an unauthorized user tries to add this portlet to a page, they can add the portlet, they just can't view the added portlet on the page. This doesn't seem like expected behaviour either.
Now this behaviour is expected actually, except we re-define clearly what it should be.
The only problem I see with this is that the user probably shouldn't be
able to see the portlet to add to the page.
The fact that when the unauthorized user adds the portlet to the page,
and then cannot access the portlet on the page does seem to be correct
behavior.
The problem is when root creates a page, adds a portlet to it and then unauthorized users can still access it.
About the GTNPORTAL-1137:
+ I can change the permission of a portlet and still have an unauthorized user view its content. This is considered as a bug and we are checking it
I cannot reproduce it. In my test, the unauthorized user cannot view the content of a portlet if its access permission is set up.
Are you following the steps in the jira?
Please note that I am talking about changing the access permission of the portlet (i.e. set in the app registry), not changing the permission of a particular portlet instance on a page.
+ It does seem to prevent a user from viewing a gadget as a portlet on the dashboard page, but they can still add the gadget as a gadget to the dashboard page. This behaviour is expected too except we re-define it :-)
I think we should have some sort of gadget permission settings for the
dashboard, and we should also see if we can restrict gadget access from
outside sources. The gadget xml files are publicly available for anyone
to access.
Even if we could restrict what gadget a user can put on the dashboard,
they could just add the gadget back using the gadget url.
_______________________________________________
gatein-dev mailing list
gatein-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/gatein-dev
--
Tran The Trong
eXo Platform SAS