[jboss-jira] [JBoss JIRA] Updated: (JBPORTAL-1239) page level security not honored in the navigation system

Stephen Westbom (JIRA) jira-events at lists.jboss.org
Thu Feb 15 11:17:33 EST 2007 

     [ http://jira.jboss.com/jira/browse/JBPORTAL-1239?page=all ]

Stephen Westbom updated JBPORTAL-1239:
--------------------------------------


Ok, I think I am in the right place:

server/default/deploy/jboss-portal.sar/conf/data/default-object.xml

Here is the original:

<deployments>
   <deployment>
      <parent-ref/>
      <if-exists>keep</if-exists>
      <portal>
         <portal-name>default</portal-name>
         <properties>
            <!--
            | Set the layout for the default portal, see also portal-layouts.xml.
            -->
            <property>
               <name>layout.id</name>
               <value>generic</value>
            </property>
            <!--
            | Set the theme for the default portal, see also portal-themes.xml.
            -->
            <property>
               <name>theme.id</name>
               <value>renaissance</value>
            </property>
            <!--
            | Set the default render set name (used by the render tag in layouts), see also portal-renderSet.xml
            -->
            <property>
               <name>theme.renderSetId</name>
               <value>divRenderer</value>
            </property>
            <!--
            | Set the default strategy name (used by the strategy interceptor), see also portal-strategies.xml
            -->
            <property>
               <name>layout.strategyId</name>
               <value>maximizedRegion</value>
            </property>
            <!--
            | The default page name, if the property is not explicited then the default page name is "default"
            -->
            <property>
               <name>portal.defaultObjectName</name>
               <value>default</value>
            </property>
         </properties>
         <supported-modes>
            <mode>view</mode>
            <mode>edit</mode>
            <mode>help</mode>
         </supported-modes>
         <supported-window-states>
            <window-state>normal</window-state>
            <window-state>minimized</window-state>
            <window-state>maximized</window-state>
         </supported-window-states>
         <page>
            <page-name>default</page-name>
            <properties>
               <property>
                  <name>order</name>
                  <value>1</value>
               </property>
            </properties>
            <window>
               <window-name>JSPPortletWindow</window-name>
               <instance-ref>JSPPortletInstance</instance-ref>
               <region>left</region>
               <height>0</height>
            </window>
            <window>
               <window-name>CMSWindow</window-name>
               <content>
                  <content-type>cms</content-type>
                  <content-uri>/default/index.html</content-uri>
               </content>
               <region>center</region>
               <height>0</height>
            </window>
            <window>
               <window-name>UserPortletWindow</window-name>
               <instance-ref>UserPortletInstance</instance-ref>
               <region>left</region>
               <height>1</height>
            </window>
         </page>
         <security-constraint>
            <policy-permission>
               <unchecked/>
               <action-name>viewrecursive</action-name>
               <action-name>personalizerecursive</action-name>
            </policy-permission>
         </security-constraint>
      </portal>
   </deployment>

I am assuming the preceding security entry is the view recursive permission that needs to be removed

I took the security-constraint element, moved it up into the end of the page element before it, removed personalizerecursive and changed viewrecursive to simply be view.

Is this correct?  Anyway, it doesn't work for me on Alpha 2.







> page level security not honored in the navigation system
> --------------------------------------------------------
>
>                 Key: JBPORTAL-1239
>                 URL: http://jira.jboss.com/jira/browse/JBPORTAL-1239
>             Project: JBoss Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Portal Security
>    Affects Versions: 2.6.Alpha2
>         Environment: Windows XP
>            Reporter: Stephen Westbom
>         Assigned To: Thomas Heute
>
> In 2.4 sp1 pages are checked for security before being displayed as a tab in the navigation using this jsp:
> jboss-portal.sar\portal-core.war\WEB-INF\jsp\catalog\index.jsp
> This seems to be handled by the psib request parameter (a map). In 2.4 the map only gives you PortalNodeURLs that you have permissions on, in all the 2.6 versions you get all the siblingURLs (your term in the JSP page) regardless of the permission settings in the {project name}_object.xml
> Can this be fixed so that the psib parameter only gives you a handle to a map that gives you objects you have permissions to see?
> Thanks
> Stephen

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list