留言板

  1. 主页
  2. Development
  3. Permission - model level

Permission - model level

thumbnail
Eric COQUELIN,修改在9 年前。

Permission - model level

Expert 帖子: 254 加入日期: 13-11-3 最近的帖子
Dear developers,

There is something I do not understand regarding the permission system. There are excellent article about permission but there is no precision about what I refer to in this thread.

First of all, in order to define permissions, including custom actions, I need to:
<model-resource>
		<model-name>zango.track.model.Sim</model-name>
		<portlet-ref>
			<portlet-name>edit-sim-jsp</portlet-name>
		</portlet-ref>
		<weight>1</weight>
		<permissions>
			<supports>
				<action-key>VIEW</action-key>
				<action-key>ADD</action-key>
				<action-key>DELETE</action-key>
				<action-key>MODIFY</action-key>
				<action-key>AUDIT</action-key>
				<action-key>VIEW_DETAILS</action-key>
			</supports>
			<site-member-defaults />
			<guest-defaults />
			<guest-unsupported>
				<action-key>VIEW</action-key>
				<action-key>ADD</action-key>
				<action-key>DELETE</action-key>
				<action-key>MODIFY</action-key>
			</guest-unsupported>
		</permissions>
	</model-resource>


Fine, it works perfect. Custom action-key are added.

Now, as per the documentation, it says that model must refer to a portlet name and this is where I do not understand.

permissionChecker.hasPermission(scopeGroupId, "zango.track.model.Sim", scopeGroupId, "AUDIT")


I can call the above method from any portlet and if I wanted to refer the portlet name as a parameter, I can't. So what's the point of having to refer the portlet name if it is useless?

Tx for your clarification
thumbnail
Eric COQUELIN,修改在9 年前。

RE: Permission - model level

Expert 帖子: 254 加入日期: 13-11-3 最近的帖子
I continue to investigate and it appears that even if portlet-ref is required, it seems to be seriously useless.

I just modified my configuration to add a second portlet and see how it impacts the database

<portlet-ref>
			<portlet-name>edit-sim-jsp</portlet-name>
			<portlet-name>create-sim-jsp</portlet-name>
		</portlet-ref>


I was not able to find where the portlet-ref is being stored in database (resourcePermission and resourceAction do not refer it in case of a resource-model) but through the GUI, I noticed that when I update the rights for "edit-sim-jsp" for example, it propagates the same modification to the other portlet (ie "create-sim-jsp"). Thus, it is not possible de define a configuration per portlet.

I would appreciate some point of views as I may have missed something.

Thanks
thumbnail
Tomas Polesovsky,修改在9 年前。

RE: Permission - model level

Liferay Master 帖子: 676 加入日期: 09-2-13 最近的帖子
Hi Eric,

what I know the portlet-ref is used twice:
1, while initializing permissions - when portal registers the portlet it also checks if all belonging model-resources are consistent/initialized
2, when displaying permissions configuration UI in control panel - you can edit permissions by each portlet and the screen beside portlet permissions also renders the associated models' permissions

HTH.
thumbnail
Eric COQUELIN,修改在9 年前。

RE: Permission - model level

Expert 帖子: 254 加入日期: 13-11-3 最近的帖子
Tomas Polesovsky:
Hi Eric,

what I know the portlet-ref is used twice:
1, while initializing permissions - when portal registers the portlet it also checks if all belonging model-resources are consistent/initialized
2, when displaying permissions configuration UI in control panel - you can edit permissions by each portlet and the screen beside portlet permissions also renders the associated models' permissions

HTH.


Regarding your second point, as I wrote, updating the rights for one portlet propagates to the others to which the same resource is associated. Then, it looks useless.

Regarding the first point, I think there is no point of associating a model to a portlet as a model can be shared between portlets. In my point of view, a portlet is a bunch of features but these features can reuse or be based on existing models. I could for example define my own portlet which may update organization knowing that organization is also updated from the control panel. Unless, I would like to apply different rights from portlets. But in that case, I should be able to state that "VIEW_DETAILS" is allowed for portlet A but not for portlet B (for a given role of course). But this is not how it works as far as I noticed.
thumbnail
Tomas Polesovsky,修改在9 年前。

RE: Permission - model level

Liferay Master 帖子: 676 加入日期: 09-2-13 最近的帖子
Eric COQUELIN:
Regarding your second point, as I wrote, updating the rights for one portlet propagates to the others to which the same resource is associated. Then, it looks useless.


I don't think it's useless.

I guess the reason is to display together what is related - UX reason. You are right the model/resource is the same but can be updated from more different places.

Taking into account that users can have access to portlet A but may not have access to portlet B it makes another sense.

Eric COQUELIN:

Regarding the first point, I think there is no point of associating a model to a portlet as a model can be shared between portlets. In my point of view, a portlet is a bunch of features but these features can reuse or be based on existing models. I could for example define my own portlet which may update organization knowing that organization is also updated from the control panel. Unless, I would like to apply different rights from portlets. But in that case, I should be able to state that "VIEW_DETAILS" is allowed for portlet A but not for portlet B (for a given role of course). But this is not how it works as far as I noticed.


Exactly, this is not how it works. Permissions are assigned to roles, not portlets.

There is no "context" information from which we could say that "displaying model A from portlet 1 is allowed, but displaying model A from portlet 2 is not allowed". This "context" information is more a display strategy than actual permission model. When user has permission to display some entity/model, it has the permission everywhere, otherwise it could lead to false sense of security.