Joerg Mueller
Hide user page from owner
May 7, 2013 2:04

Hello,

I'm trying to find out if it is possible to limit the access to a user page to a specific role and hide it from the user (owner) itself.

Setting:
User foobar should have his own page with some sub-pages:
  • messages - /group/foobar/messages or /web/foobar/messages - this page is only visible to foobar
  • admininfo - /group/foobar/admininfo or /web/foobar/admininfo - only a user with role admin should see this page


As a next step it should also be possible to assign admins to single users, so only an assigned admin can see the admininfo page of a user. Is there a chance to realize this via groups? E.g. there is a group usersOfAdminA and adminA can see the admininfo page of members of "his" group.

If there is no chance to solve this issue via the control center, is it possible to do a workaround directly via the API or perhaps directly on the DB?

Thanks in advance
Joerg Mueller
RE: Hide user page from owner
May 7, 2013 8:49

Hi again,

after some rethinking there should be a solution for the second issue:

In addition to the role "admin" there is a separate role for every admin, e.g. admin "john" gets a role "admin_john". The permissions on the user page are set to this role to allow only "admin_john" to see the user page.

Should be working...
David H Nebinger
RE: Hide user page from owner
May 7, 2013 9:38

No, it's not going to be at all possible.

First, even if you could get it working for a straight admin access (which would involve a lot of hacking anyway), admins can still impersonate users. So the admin can impersonate foobar and can access their pages as though they are foobar (as the code sees the admin as foobar and displays their information accordingly).

Instead of trying to figure out how to block admin access, you should be limiting admin access to only trusted personnel. You want folks in a position of authority to be able to view the messages that foobar has been sending, for example, to see if he's sharing trade secrets or violating company policies in some way.

You shouldn't be giving admin out to just anyone, there are various other ways to give users access to things they need without giving them admin access...

It's just like Unix... Root can see everything, and there's nothing you can (or should even try to) do to keep root out of something. It's the nature of the beast...
Joerg Mueller
RE: Hide user page from owner
May 8, 2013 1:08

Hi David,

thanks for your reply.

I guess my naming of the roles was a little bit confusing. The role I named "admin" was not really the Liferay admin. For better understanding I should call it "support" and the user-individual role "support_john". Therefore a user with role "support" has no real "root" access to the portal.
David H Nebinger
RE: Hide user page from owner
May 8, 2013 5:50

Well, roles by themselves are totally disconnected so one role will not have any access to another role.

The key, though, is the permissions granted to each of the custom roles. If the support role is given all of the same permissions as the Liferay admin role, then the support role is elevated to admin status, and you're back to trying to understand why support can see things you don't want them to.
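
An added example, not part of the thread and not Liferay code: a small audit that flags custom roles, and users holding several roles, whose permissions add up to everything the Administrator role has. The role names beyond those in the thread, the user names and the permission strings are constructed, and the script assumes a user's effective permissions are the union of all assigned roles.

```python
"""Flag roles and users whose permissions add up to the Administrator role's."""

ADMIN_ROLE = "Administrator"

# Constructed sample data; the permission strings are illustrative labels,
# not an export from a real portal.
ROLE_PERMISSIONS = {
    "Administrator": {"layout:VIEW", "layout:UPDATE", "user:VIEW",
                      "user:UPDATE", "user:IMPERSONATE"},
    "support": {"layout:VIEW", "user:VIEW"},
    "support_john": {"layout:VIEW"},
    "support_lead": {"layout:VIEW", "layout:UPDATE", "user:VIEW",
                     "user:UPDATE", "user:IMPERSONATE"},
    "page_editor": {"layout:UPDATE", "user:UPDATE"},
    "helpdesk_impersonate": {"user:IMPERSONATE"},
}
USER_ROLES = {
    "john": ["support", "support_john"],
    "mary": ["support_lead"],
    "pat": ["support", "page_editor", "helpdesk_impersonate"],
}

def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions of every role a user holds (assumed additive)."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms

def admin_equivalent_roles(role_permissions=ROLE_PERMISSIONS):
    """Custom roles that on their own cover every Administrator permission."""
    admin = role_permissions[ADMIN_ROLE]
    return sorted(r for r, p in role_permissions.items()
                  if r != ADMIN_ROLE and p >= admin)

def admin_equivalent_users(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Map each non-admin user with admin-level reach to the role(s) responsible."""
    admin = role_permissions[ADMIN_ROLE]
    findings = {}
    for user, roles in user_roles.items():
        if ADMIN_ROLE in roles:
            continue  # already a declared administrator
        if effective_permissions(roles, role_permissions) >= admin:
            single = [r for r in roles if role_permissions.get(r, set()) >= admin]
            findings[user] = single or ["combination of " + ", ".join(roles)]
    return findings

if __name__ == "__main__":
    print("admin-equivalent roles:", admin_equivalent_roles())
    for user, why in admin_equivalent_users().items():
        print(user, "->", why)
```

The "pat" case is the one a per-role review misses: no single role matches Administrator, but the three together do.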