[gatein-dev] Permission in Application Registry
Trong Tran
trongtt at gmail.com
Wed May 12 01:06:18 EDT 2010
On 30 April 2010 01:15, Matthew Wringe <mwringe at redhat.com> wrote:
> On Thu, 2010-04-29 at 14:52 +0700, Trong Tran wrote:
> >
> > On 29 April 2010 10:02, Trong Tran <trongtt at gmail.com> wrote:
> > Hi Matthew,
> >
> > On 29 April 2010 01:58, Matthew Wringe <mwringe at redhat.com> wrote:
> > I created https://jira.jboss.org/jira/browse/GTNPORTAL-1137 but it seems
> > like it might be somewhat working depending on what it actually means.
> >
> > What is the permission setting in application registry supposed to
> > actually do? Is it supposed to prevent a user from accessing the content
> > or to prevent a user from adding that type of portlet to a page?
> >
> > It prevents a user from accessing the content.
> >
> > Each portlet or gadget can specify an 'access permission', but this
> > doesn't seem to prevent users from viewing the application.
> >
> > What it does seem to do is if an unauthorized user tries to add this
> > portlet to a page, they can add the portlet, they just can't view the
> > added portlet on the page. This doesn't seem like expected behaviour
> > either.
> >
> > Now this behaviour is expected actually, except we re-define clearly
> > what it should be.
>
> The only problem I see with this is that the user probably shouldn't be
> able to see the portlet to add to the page.
>
> The fact that when the unauthorized user adds the portlet to the page,
> and then cannot access the portlet on the page does seem to be correct
> behavior.
>
Yes, I agree that a user should not be able to add a portlet to the page if
he does not have access permission to that portlet.
>
> The problem is when root creates a page, adds a portlet to it and then
> unauthorized users can still access it.
>
> > About the GTNPORTAL-1137 :
> > + I can change the permission of a portlet and still have an
> > unauthorized user view its content. This is considered as a
> > bug and we are checking it
> >
> >
> > I cannot reproduce it. In my test, the unauthorized user cannot view
> > the content of a portlet if its access permission is set up.
>
> Are you following the steps in the jira?
>
> please note that I am talking about changing the access permission of
> the portlet (ie set in the app registry) not changing the permission of
> a particular portlet instance on a page.
>
Changing the access permission in Application Registry does not affect
its existing portlet instances.
>
> > + It does seem to prevent a user from viewing a gadget as a
> > portlet on the dashboard page, but they can still add the
> > gadget as a gadget to the dashboard page. This behaviour is
> > expected too except we re-define it :-)
>
> I think we should have some sort of gadget permission settings for the
> dashboard, and we should also see if we can restrict gadget access from
> outside sources. The gadget xml files are publicly available for anyone
> to access.
> Even if we could restrict what gadget a user can put on the dashboard,
> they could just add the gadget back using the gadget url.
>
--
Tran The Trong
eXo Platform SAS
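As an added illustration (not GateIn code, and not written by anyone in this thread), a small Python model of the two design points discussed above: whether the access permission is enforced when a portlet is added to a page or only when it is rendered, and whether an existing instance keeps a snapshot of the registry permission or resolves it from the registry at render time. All type names, roles and data are constructed.

```python
"""Toy model of portlet access-permission enforcement (constructed example)."""
from dataclasses import dataclass, field

EVERYONE = "Everyone"


def grants(perm: frozenset, roles: set) -> bool:
    """A permission set grants access if it is open to everyone or shares a role."""
    return EVERYONE in perm or bool(perm & roles)


@dataclass
class Registry:
    # portlet type -> roles allowed to access it (constructed data)
    access: dict = field(default_factory=dict)

    def perm(self, portlet_type: str) -> frozenset:
        return self.access.get(portlet_type, frozenset())


@dataclass
class Instance:
    portlet_type: str
    snapshot: frozenset  # permission copied from the registry at add time


@dataclass
class Page:
    instances: list = field(default_factory=list)


def add_portlet(page: Page, reg: Registry, portlet_type: str, roles: set, enforce: bool) -> bool:
    """Add a portlet instance to a page.

    enforce=True refuses the add for an unauthorized user (what the thread agrees on);
    enforce=False lets the add succeed and only blocks rendering (the reported behaviour).
    """
    if enforce and not grants(reg.perm(portlet_type), roles):
        return False
    page.instances.append(Instance(portlet_type, reg.perm(portlet_type)))
    return True


def visible(page: Page, reg: Registry, roles: set, live_lookup: bool) -> list:
    """Portlet types the user may see when the page is rendered.

    live_lookup=True re-reads the registry, so a later permission change applies;
    live_lookup=False uses each instance's snapshot, so existing instances are unaffected.
    """
    return [
        inst.portlet_type
        for inst in page.instances
        if grants(reg.perm(inst.portlet_type) if live_lookup else inst.snapshot, roles)
    ]
```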