[portal-commits] JBoss Portal SVN: r11927 - in branches/JBoss_Portal_2_6_6_JBPORTAL-2109: core-cms/src/main/org/jboss/portal/core/cms/ui/admin and 2 other directories.

Thu Sep 18 00:12:56 EDT 2008


Author: sohil.shah at jboss.com
Date: 2008-09-18 00:12:53 -0400 (Thu, 18 Sep 2008)
New Revision: 11927

Added:
   branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/accessdenied.jsp
Modified:
   branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/workflow/ApprovePublishImpl.java
   branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
   branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties
Log:
JBPORTAL-2155 - Any CMS user can access secured cms items through preview function - (only a patch for the customer). This code should not go into the 2.6 and 2.7 codebase; a much cleaner approach is to be used for 2.6 and 2.7.

Modified: branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/workflow/ApprovePublishImpl.java
===================================================================
--- branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/workflow/ApprovePublishImpl.java	2008-09-17 22:20:20 UTC (rev 11926)
+++ branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/workflow/ApprovePublishImpl.java	2008-09-18 04:12:53 UTC (rev 11927)
@@ -159,7 +159,7 @@
       this.managerSet = new HashSet();
       for (int i = 0; i < managers.length; i++)
       {
-         this.managers[i] = st.nextToken();
+         this.managers[i] = st.nextToken().trim();
          this.managerSet.add(this.managers[i]);
       }
 

Modified: branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
===================================================================
--- branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java	2008-09-17 22:20:20 UTC (rev 11926)
+++ branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java	2008-09-18 04:12:53 UTC (rev 11927)
@@ -158,7 +158,7 @@
       //check and make sure the CMSAdminPortlet is accessible to the current user
       if (!this.isPortletAccessible(rReq))
       {
-         this.showAccessDeniedScreen(rRes);
+         this.showAccessDeniedScreen(rReq, rRes);
          return;
       }
 
@@ -168,7 +168,7 @@
       {
          if (!this.isSecurityConsoleAccessible(rReq))
          {
-            this.showAccessDeniedScreen(rRes);
+            this.showAccessDeniedScreen(rReq, rRes);
             return;
          }
       }
@@ -177,7 +177,7 @@
       {
          if (rReq.getParameter("accessDenied") != null)
          {
-            this.showAccessDeniedScreen(rRes);
+            this.showAccessDeniedScreen(rReq, rRes);
          }
          else
          {
@@ -188,7 +188,7 @@
       {
          if (e.toString().indexOf("Access to this resource is denied") != -1)
          {
-            this.showAccessDeniedScreen(rRes);
+            this.showAccessDeniedScreen(rReq, rRes);
          }
          else
          {
@@ -202,23 +202,24 @@
     * @param renderResponse
     * @throws IOException
     */
-   private void showAccessDeniedScreen(JBossRenderResponse renderResponse) throws IOException
+   private void showAccessDeniedScreen(JBossRenderRequest rReq, JBossRenderResponse rRes) throws IOException, PortletException
    {
-      renderResponse.setContentType("text/html");
-      PrintWriter writer = null;
-      try
-      {
-         writer = renderResponse.getWriter();
-         String sHTML = "<h2>Access Denied</h2>";
-         writer.write(sHTML);
-      }
-      finally
-      {
-         if(writer != null)
+         try
          {
-            writer.close();
+            String sPath = rReq.getParameter("path");
+            String sOp = rReq.getParameter("returnOp");
+   
+   
+            rRes.setContentType("text/html");
+            rReq.setAttribute("path", sPath);
+            rReq.setAttribute("returnOp", sOp);
+            javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/accessdenied.jsp");
+            prd.include(rReq, rRes);
          }
-      }
+         catch(Exception e)
+         {
+            throw new PortletException(e);
+         }     
    }
 
    private void internalDoView(JBossRenderRequest rReq, JBossRenderResponse rRes)
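Review bot: The Javadoc kept as context above the new signature is now stale: `@param renderResponse` names a parameter that no longer exists and `PortletException` is not documented, so it should read `@param rReq render request whose "path" and "returnOp" parameters are forwarded to the JSP as attributes`, `@param rRes render response the access-denied JSP is included into`, `@throws PortletException if the dispatcher include fails`. The new body is also indented one level deeper than the method braces, and the catch-all `catch(Exception e)` wraps every failure — including the declared `IOException` — into a `PortletException`, so the `IOException` left in the throws clause can no longer be thrown by this method; either drop it or catch only `PortletException | IOException` is not needed and `IOException` can propagate as declared. The two blank lines on L97-L98 are trailing whitespace only. The `path` parameter is stored on the request unchanged and later rendered by accessdenied.jsp; see the note on that file.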
@@ -732,6 +733,13 @@
       }
       else if (CMSAdminConstants.OP_VIEWPENDING.equals(op))
       {
+         boolean isWorkflowManagementAccessible = this.isWorkflowManagementAccessible(rReq);
+         if(!isWorkflowManagementAccessible)
+         {
+            this.showAccessDeniedScreen(rReq, rRes);
+            return;
+         }
+         
          String sPath = rReq.getParameter("path");
 
          if (this.getApprovePublish() != null)
@@ -759,6 +767,20 @@
          String path = rReq.getParameter("path");  
          String contentPath = rReq.getParameter("contentPath");
          
+         boolean isWorkflowManagementAccessible = this.isWorkflowManagementAccessible(rReq);
+         if(!isWorkflowManagementAccessible)
+         {
+            this.showAccessDeniedScreen(rReq, rRes);
+            return;
+         }
+         
+         boolean hasWriteAccess = this.hasWriteAccess(rReq, path);
+         if(!hasWriteAccess)
+         {
+            this.showAccessDeniedScreen(rReq, rRes);
+            return;
+         }
+         
          if (this.getApprovePublish() != null)
          {
             try
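Review bot: The write check on L138 is keyed on `path`, but this branch also reads `contentPath` on L129 and the enclosing code (outside the hunk) is what decides which of the two is rendered for preview; if `contentPath` identifies the node whose content is shown, an authorized `path` paired with a different `contentPath` still passes the guard. If that is the case, check both, e.g. `if (!this.hasWriteAccess(rReq, path) || (contentPath != null && !this.hasWriteAccess(rReq, contentPath)))`. This hunk and the OP_VIEWPENDING hunk above repeat the same "check, show denied screen, return" sequence twice; a small private helper returning a boolean would keep the two in step if the denial handling changes again. The enclosing branch of internalDoView continues past the hunk.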
@@ -1370,6 +1392,12 @@
          }
          else if (CMSAdminConstants.OP_APPROVE.equals(op))
          {
+            boolean hasWriteAccess = this.hasWriteAccess(aReq, aReq.getParameter("path"));
+            if(!hasWriteAccess)
+            {
+               throw new CMSException("Access to this resource is denied");
+            }
+            
             String sManager = aReq.getUser().getUserName();
             String sPID = aReq.getParameter("pid");
             try
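Review bot: The guard added here, and identically in the OP_DENY and OP_MODIFYANDAPPROVE hunks below, signals denial by throwing `CMSException("Access to this resource is denied")`, and the render path in this same file recognizes a denial only by `e.toString().indexOf("Access to this resource is denied")` (hunk at @@ -188), so any edit to the message text turns an access denial into a generic error with no compiler help. Hoist the literal into one constant, e.g. `private static final String ACCESS_DENIED_MSG = "Access to this resource is denied";`, and throw `new CMSException(ACCESS_DENIED_MSG)` in all three branches and compare against it in the render path. The render side also requires `isWorkflowManagementAccessible` before showing pending items, but the action side checks only write access on `path`; if workflow-management access is meant to be a prerequisite for approve/deny as well, it should be enforced here too. The enclosing action-handling method starts and ends outside the hunk.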
@@ -1398,6 +1426,12 @@
          }
          else if (CMSAdminConstants.OP_DENY.equals(op))
          {
+            boolean hasWriteAccess = this.hasWriteAccess(aReq, aReq.getParameter("path"));
+            if(!hasWriteAccess)
+            {
+               throw new CMSException("Access to this resource is denied");
+            }
+            
             String sManager = aReq.getUser().getUserName();
             String sPID = aReq.getParameter("pid");
             try
@@ -1449,6 +1483,12 @@
          }
          else if(CMSAdminConstants.OP_MODIFYANDAPPROVE.equals(op))
          {
+            boolean hasWriteAccess = this.hasWriteAccess(aReq, aReq.getParameter("path"));
+            if(!hasWriteAccess)
+            {
+               throw new CMSException("Access to this resource is denied");
+            }
+            
             String modifiedContent = aReq.getParameter("elm1");
             String processId = aReq.getParameter("pid");
             String path = aReq.getParameter("path");
@@ -1838,4 +1878,38 @@
    {
       
    }
+   
+   private boolean hasWriteAccess(PortletRequest request, String path)
+   {
+      boolean hasAccess = false;
+      
+      User user = null;
+      if(request instanceof JBossRenderRequest)
+      {
+         user = ((JBossRenderRequest)request).getUser();
+      }
+      else if(request instanceof JBossActionRequest)
+      {
+         user = ((JBossActionRequest)request).getUser();
+      }
+      
+      try
+      {
+         user = userModule.findUserById(user.getId());
+      }
+      catch (Exception e)
+      {
+         return false;
+      }
+
+      PortalCMSSecurityContext securityContext = new PortalCMSSecurityContext(user);
+      File file = new FileImpl();
+      file.setBasePath(path);
+      securityContext.setAttribute("command", CMSService.getCommandFactory().createFileUpdateCommand(file));      
+
+      PortalPermission cmsPermission = new CMSPermission(securityContext);
+      hasAccess = this.authorizationManager.checkPermission(cmsPermission);
+      
+      return hasAccess;
+   }
 }
\ No newline at end of file
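Review bot: When `request` is neither a JBossRenderRequest nor a JBossActionRequest, `user` stays null and `user.getId()` on L208 throws a NullPointerException that is caught only by the catch-all below, so the method fails closed by accident rather than by design; add `if (user == null) { return false; }` before the try block. The `catch (Exception e)` on L210 discards the exception, which hides a failing user lookup from the server log; keep the fail-closed return but log `e` first. Every caller passes `path` straight from a request parameter, which may be absent, and what `FileImpl.setBasePath(null)` does is not visible here, so returning false for a null or empty path up front is the safer default. The permission is built from a file update command, meaning preview/approve/deny are granted only to principals allowed to modify the node; a one-line comment stating that this is the intended policy would help the next reader, and the `hasAccess` local on L194 can simply be `return this.authorizationManager.checkPermission(cmsPermission);`.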

Modified: branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties
===================================================================
--- branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties	2008-09-17 22:20:20 UTC (rev 11926)
+++ branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties	2008-09-18 04:12:53 UTC (rev 11927)
@@ -131,3 +131,7 @@
 CMS_ADMIN_SELECT_ROLES=Select Roles that have access to this node.
 CMS_ADMIN_SELECT_USERS=Select Users that have access to this node.
 CMS_ADMIN_YOU_CAN_SELECT_CTRL_ROLES=You may select multiple roles by using CTRL+click on the role names.
+
+CMS_ACCESS_DENIED=Access Denied
+CMS_ACCESS_DENIED_DESCRIPTION=You are not allowed to access this resource
+CMS_ACCESS_DENIED_DESCRIPTION_PATH=You are not allowed to access the resource

Added: branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/accessdenied.jsp
===================================================================
--- branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/accessdenied.jsp	                        (rev 0)
+++ branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/accessdenied.jsp	2008-09-18 04:12:53 UTC (rev 11927)
@@ -0,0 +1,47 @@
+<%@ page import="org.jboss.portal.core.cms.ui.admin.CMSAdminConstants" %>
+<%@ page language="java" extends="org.jboss.portal.core.servlet.jsp.PortalJsp" %>
+<%@ taglib uri="http://java.sun.com/portlet" prefix="portlet" %>
+<%@ taglib uri="/WEB-INF/portal-lib.tld" prefix="n" %>
+<%@ page isELIgnored="false" %>
+
+<portlet:defineObjects/>
+<%
+   String OP = (String)request.getAttribute("returnOp");
+   String sBackPath = null;
+   if(OP != null)
+   {
+   		sBackPath = (String)request.getAttribute("path");
+   }
+   else
+   {
+   		OP = CMSAdminConstants.OP_MAIN;
+   		sBackPath = "/";
+   }
+%>
+<link rel="stylesheet" type="text/css" href="/portal-admin/css/style.css" media="screen"/>
+<div class="admin-ui">
+   <br/>
+   <h3 class="sectionTitle-blue">${n:i18n("TITLE_SECURECONFIRM")}</h3>
+   <div class=" cms-tab-container">
+      <table width="100%">
+
+         <tr>
+            <td class="portlet-section-body" align="center">
+		<h2>${n:i18n("CMS_ACCESS_DENIED")}</h2>
+	   </td>
+	</tr>
+	<%if(sBackPath != null){%>
+	<tr>
+            <td class="portlet-section-body" align="center">
+               <form name="accessdeniedform" method="post">
+		         <input class="portlet-form-button" type="button" value="${n:i18n("CMS_BACKTOBROWSER")}"
+			  name="back"
+			  onclick="window.location='<portlet:renderURL><portlet:param name="op" value="<%= CMSAdminConstants.OP_MAIN %>"/><portlet:param name="path" value="<%= sBackPath %>"/></portlet:renderURL>'"/>
+               </form>
+            </td>
+     </tr>
+     <%}%>
+     </table>
+     <br/><br/>
+   </div>
+</div>
\ No newline at end of file
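Review bot: `sBackPath` is taken from the `path` request attribute, which showAccessDeniedScreen copies verbatim from the `path` request parameter, and on L284 it is emitted through `<portlet:param name="path" value="<%= sBackPath %>"/>` inside a single-quoted JavaScript string in an onclick attribute. Whether the `portlet:renderURL` tag XML-escapes its output is not visible here; if it does not, a crafted `path` reaches the page unescaped, so either escape the value at this output site or validate the path before it is stored on the request. The `returnOp` attribute is read into `OP` on L254 but the back link always uses `CMSAdminConstants.OP_MAIN`, so the branch on L256-L259 only decides which path is used and the `OP` assignment on L262 is dead. The `CMS_ACCESS_DENIED_DESCRIPTION` and `CMS_ACCESS_DENIED_DESCRIPTION_PATH` keys added to Resource.properties are not referenced by this page, which reuses `TITLE_SECURECONFIRM` for its heading instead.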



