[ http://jira.jboss.com/jira/browse/JBPORTAL-1742?page=comments#action_1238... ]
Mariusz Smykula commented on JBPORTAL-1742:
-------------------------------------------
In class ACLInterceptor (line: 270), is this code necessary?
    securityContext.removeAttribute("command");
Without this line, the ACLEnforcer knows that my anonymous user wants to read subfolders, and
then shows folders to him.
For full explanation:
* A logged-in user can see subfolders without write or manage permission (only read is needed).
* An Anonymous user can't see subfolders with read permission - subfolders must be write or
manage for Anonymous.
I think this is bad behavior.
ACLEnforcer - folder.getFolders() gives results for Anonymous user only
if child folders have write or manage permission for anonymous (read is not enough)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Key: JBPORTAL-1742
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1742
Project: JBoss Portal
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Portal CMS
Affects Versions: 2.6.2 Final
Environment: JBoss 4.2.1
Reporter: Mariusz Smykula
Assigned To: Sohil Shah
I want to execute simple code from my portlet:

    Command listCMD = cmsService.getCommandFactory().createFolderGetListCommand("/");
    mainFolder = (Folder) cmsService.execute(listCMD);
    LOG.info(mainFolder.getFolders().size());

This is ALWAYS an empty folder list if executed as Anonymous user. For a real result I need
to set role write or manage for Anonymous user on all subfolders. Is this correct?
This happens because in ACLEnforcer write or manage permission is checked for, but
read is enough!

    for(Iterator itr=specificPermissions.iterator();itr.hasNext();)
    {
        Permission specificPermission = (Permission)itr.next();
        if( (specificPermission.getService().equals("cms")) &&
            (specificPermission.getAction().equals("write") ||
             specificPermission.getAction().equals("manage"))
        )
        {
            for(Iterator itr2=userPermissions.iterator();itr2.hasNext();)
            {
                Permission userPermission = (Permission)itr2.next();
                if( (userPermission.getService().equals("cms")) &&
                    (userPermission.getAction().equals("write") ||
                     userPermission.getAction().equals("manage"))
                )
                {
                    String pathCriteria = userPermission.findCriteriaValue("path");
                    if(pathCriteria.equals(path))
                    {
                        //this means this user has read access to this path
                        toolAccess = true;
                    }
                }
            }
        }
    }

Is this correct?
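
Added example (not part of the original message and not JBoss Portal code): a self-contained Java 17 sketch of the behaviour reported above, comparing a folder filter that accepts only write/manage with one that also accepts read. The Permission record, the method names and the sample data are hypothetical; the check is reduced to the user-permission loop, and treating write and manage as implying read is an assumption.

```java
import java.util.List;
import java.util.Set;

// Added illustration; these types are hypothetical stand-ins, not JBoss Portal classes.
public class FolderReadCheck {
    record Permission(String service, String action, String path) {}

    // Actions accepted when deciding whether a folder may be listed.
    static final Set<String> STRICT = Set.of("write", "manage");               // behaviour described in the report
    static final Set<String> READ_IMPLIED = Set.of("read", "write", "manage"); // assumption: write/manage imply read

    // True if the user holds a "cms" permission on exactly this path with an accepted action.
    static boolean canAccess(List<Permission> userPermissions, String path, Set<String> accepted) {
        for (Permission p : userPermissions) {
            if ("cms".equals(p.service()) && accepted.contains(p.action()) && path.equals(p.path())) {
                return true;
            }
        }
        return false;
    }

    // Child folders that survive the access filter for this user.
    static List<String> visibleFolders(List<String> children, List<Permission> perms, Set<String> accepted) {
        return children.stream().filter(c -> canAccess(perms, c, accepted)).toList();
    }

    public static void main(String[] args) {
        // Constructed sample data: an anonymous user with mixed permissions.
        List<String> children = List.of("/public", "/drafts", "/private");
        List<Permission> anonymous = List.of(
            new Permission("cms", "read", "/public"),     // read only: hidden by the strict filter
            new Permission("cms", "write", "/drafts"),    // visible under both filters
            new Permission("portal", "read", "/private")); // wrong service: never visible

        System.out.println("write/manage only: " + visibleFolders(children, anonymous, STRICT));
        System.out.println("read accepted:     " + visibleFolders(children, anonymous, READ_IMPLIED));
    }
}
```

Comparing the two lists for the same user shows which folders a read-only grant would expose, which is the set to review before relaxing the check.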