Foren

  1. Startseite
  2. Development
  3. After securing a portlet via control panel, how do you verify access?

After securing a portlet via control panel, how do you verify access?

jm mayer, geändert vor 12 Jahren.

After securing a portlet via control panel, how do you verify access?

New Member Beiträge: 23 Beitrittsdatum: 28.07.10 Neueste Beiträge
Stupid question really, but I'm having problems finding an answer. This is a liferay 5.2.3 question.

I log in as an omni admin. I go to the control panel. I go to Plugins Configuration. I select a portlet and add a Role to it in order to secure the portlet.

Now say I have the ThemeDisplay object, the User object, and the portlet Object. How would I check to see if that user has permission? The documentation for the PermissionChecker seems to be intentionally obfuscated.
http://docs.liferay.com/portal/5.2/javadocs/portal-service/com/liferay/portal/security/permission/PermissionChecker.html

Where would I get the primary Key?

What name? The name of the user? portlet.getPortletId()?

What groupId? The groupId pulled from the user or the groupId from portlet.getPluginPackage().getGroupId()?

Presumably the action I'm to use is ActionKeys.VIEW;

I'm assuming that I'm creating the permissionChecker correctly: PermissionChecker create = PermissionCheckerFactoryUtil.create(user, false);
thumbnail
David H Nebinger, geändert vor 12 Jahren.

RE: After securing a portlet via control panel, how do you verify access?

Liferay Legend Beiträge: 14919 Beitrittsdatum: 02.09.06 Neueste Beiträge
I would verify access by impersonating the user and seeing if they can access the resource.

Since you're talking code, though, it doesn't sound like you want to verify but rather interrogate whether the user has the given role?
jm mayer, geändert vor 12 Jahren.

RE: After securing a portlet via control panel, how do you verify access?

New Member Beiträge: 23 Beitrittsdatum: 28.07.10 Neueste Beiträge
That's correct, there's a complicated use case that I don't want to get into. I just need to verify through code that the user has access to the portlet.

portlet.hasAddPortletPermission(user.getUserId()) returns true even for portlets that are configured to roles that the user does not have (again, referring to the control panel rather than through <security-role-ref> configuration stuff in the portlet.xml)
jm mayer, geändert vor 12 Jahren.

RE: After securing a portlet via control panel, how do you verify access?

New Member Beiträge: 23 Beitrittsdatum: 28.07.10 Neueste Beiträge
Also, I want to clarify, I don't need to find out the User's roles, I need to verify if a user has access to a portlet when it's restricted via the control panel.

if it was simply a matter of iterating over the roles associated with the portlet in the Portlet table, I'd be happy to do that. However, it doesn't seem that the values in the roles column are reflected in the Portlet object obtained from PortletLocalServiceUtil.getPortlets().
jm mayer, geändert vor 12 Jahren.

RE: After securing a portlet via control panel, how do you verify access? (Antwort)

New Member Beiträge: 23 Beitrittsdatum: 28.07.10 Neueste Beiträge
I figured out the solution in case anyone comes a-googling.

The solution is to not use PortletLocalServiceUtil.getPortletById(portletId), but rather to use PortletLocalServiceUtil.getPortletById(user.getCompanyId(), portletId).

The two calls return different instances of Portlet objects, where one responds to portlet.hasAddPortletPermissions(user.getUserId()) correctly and the other does not.

Hopefully this helps anyone who're trying to navigate the awesome liferay PortletLocalServiceUtil documentation.
thumbnail
David H Nebinger, geändert vor 12 Jahren.

RE: After securing a portlet via control panel, how do you verify access?

Liferay Legend Beiträge: 14919 Beitrittsdatum: 02.09.06 Neueste Beiträge
As Liferay is an open source project, they would willingly accept changes that you submit that include documentation...

It's a typical development scenario - Liferay has limited resources, and they focus on delivering good code and fixing bugs. External users need documentation and, after not finding it, track through the code and figure out what they need, but since they have their own projects to focus on and limited resources, whatever they find doesn't get submitted back for inclusion.

It's nobody's fault, really, but we would all benefit from having the code documented. The issue is how to get there from where we're at now...
jm mayer, geändert vor 12 Jahren.

RE: After securing a portlet via control panel, how do you verify access?

New Member Beiträge: 23 Beitrittsdatum: 28.07.10 Neueste Beiträge
That makes sense. I mean when I read the spring and jquery documentation I find both of those pretty lacking.