Restrict access to local services from velocity templates

Foros de discusión

Aritz Galdos, modificado hace 8 años.

Restrict access to local services from velocity templates

Expert Mensajes: 416 Fecha de incorporación: 15/05/07 Mensajes recientes

Hi community.

I would like to provide my customers the ability to create advances web content templates. I have granted access to liferay services by clearing this portal property "velocity.engine.restricted.variables" so the templates can use the serviceLocator to access liferay's service classes.

AFAIK, there are two types o services. Local and remote. One of the differences is that local services do not check who is the logged user and what are his permissions, while remote services check if the user is allowed to do so.

I would like my customers to be able to create this advanced templates but restricting access to remote services. Is there any simple way to reach this requirement?

Regards!

Olaf Kock, modificado hace 8 años.

RE: Restrict access to local services from velocity templates

Liferay Legend Mensajes: 6403 Fecha de incorporación: 23/09/08 Mensajes recientes

Not really (esp. no waterproof ways). You'll have to know that templates mean that you're inherently executing server side code. Even without service locator, people might find their ways around the restrictions of the templating language. By granting "edit template" permissions, you're implicitly trusting them to write code that's executed server side.