留言板
Permission - model level
Dear developers,
There is something I do not understand regarding the permission system. There are excellent article about permission but there is no precision about what I refer to in this thread.
First of all, in order to define permissions, including custom actions, I need to:
Fine, it works perfect. Custom action-key are added.
Now, as per the documentation, it says that model must refer to a portlet name and this is where I do not understand.
I can call the above method from any portlet and if I wanted to refer the portlet name as a parameter, I can't. So what's the point of having to refer the portlet name if it is useless?
Tx for your clarification
There is something I do not understand regarding the permission system. There are excellent article about permission but there is no precision about what I refer to in this thread.
First of all, in order to define permissions, including custom actions, I need to:
<model-resource>
<model-name>zango.track.model.Sim</model-name>
<portlet-ref>
<portlet-name>edit-sim-jsp</portlet-name>
</portlet-ref>
<weight>1</weight>
<permissions>
<supports>
<action-key>VIEW</action-key>
<action-key>ADD</action-key>
<action-key>DELETE</action-key>
<action-key>MODIFY</action-key>
<action-key>AUDIT</action-key>
<action-key>VIEW_DETAILS</action-key>
</supports>
<site-member-defaults />
<guest-defaults />
<guest-unsupported>
<action-key>VIEW</action-key>
<action-key>ADD</action-key>
<action-key>DELETE</action-key>
<action-key>MODIFY</action-key>
</guest-unsupported>
</permissions>
</model-resource>
Fine, it works perfect. Custom action-key are added.
Now, as per the documentation, it says that model must refer to a portlet name and this is where I do not understand.
permissionChecker.hasPermission(scopeGroupId, "zango.track.model.Sim", scopeGroupId, "AUDIT")
I can call the above method from any portlet and if I wanted to refer the portlet name as a parameter, I can't. So what's the point of having to refer the portlet name if it is useless?
Tx for your clarification
I continue to investigate and it appears that even if portlet-ref is required, it seems to be seriously useless.
I just modified my configuration to add a second portlet and see how it impacts the database
I was not able to find where the portlet-ref is being stored in database (resourcePermission and resourceAction do not refer it in case of a resource-model) but through the GUI, I noticed that when I update the rights for "edit-sim-jsp" for example, it propagates the same modification to the other portlet (ie "create-sim-jsp"). Thus, it is not possible de define a configuration per portlet.
I would appreciate some point of views as I may have missed something.
Thanks
I just modified my configuration to add a second portlet and see how it impacts the database
<portlet-ref>
<portlet-name>edit-sim-jsp</portlet-name>
<portlet-name>create-sim-jsp</portlet-name>
</portlet-ref>
I was not able to find where the portlet-ref is being stored in database (resourcePermission and resourceAction do not refer it in case of a resource-model) but through the GUI, I noticed that when I update the rights for "edit-sim-jsp" for example, it propagates the same modification to the other portlet (ie "create-sim-jsp"). Thus, it is not possible de define a configuration per portlet.
I would appreciate some point of views as I may have missed something.
Thanks
Hi Eric,
what I know the portlet-ref is used twice:
1, while initializing permissions - when portal registers the portlet it also checks if all belonging model-resources are consistent/initialized
2, when displaying permissions configuration UI in control panel - you can edit permissions by each portlet and the screen beside portlet permissions also renders the associated models' permissions
HTH.
what I know the portlet-ref is used twice:
1, while initializing permissions - when portal registers the portlet it also checks if all belonging model-resources are consistent/initialized
2, when displaying permissions configuration UI in control panel - you can edit permissions by each portlet and the screen beside portlet permissions also renders the associated models' permissions
HTH.
Tomas Polesovsky:
Hi Eric,
what I know the portlet-ref is used twice:
1, while initializing permissions - when portal registers the portlet it also checks if all belonging model-resources are consistent/initialized
2, when displaying permissions configuration UI in control panel - you can edit permissions by each portlet and the screen beside portlet permissions also renders the associated models' permissions
HTH.
Regarding your second point, as I wrote, updating the rights for one portlet propagates to the others to which the same resource is associated. Then, it looks useless.
Regarding the first point, I think there is no point of associating a model to a portlet as a model can be shared between portlets. In my point of view, a portlet is a bunch of features but these features can reuse or be based on existing models. I could for example define my own portlet which may update organization knowing that organization is also updated from the control panel. Unless, I would like to apply different rights from portlets. But in that case, I should be able to state that "VIEW_DETAILS" is allowed for portlet A but not for portlet B (for a given role of course). But this is not how it works as far as I noticed.
Eric COQUELIN:
Regarding your second point, as I wrote, updating the rights for one portlet propagates to the others to which the same resource is associated. Then, it looks useless.
I don't think it's useless.
I guess the reason is to display together what is related - UX reason. You are right the model/resource is the same but can be updated from more different places.
Taking into account that users can have access to portlet A but may not have access to portlet B it makes another sense.
Eric COQUELIN:
Regarding the first point, I think there is no point of associating a model to a portlet as a model can be shared between portlets. In my point of view, a portlet is a bunch of features but these features can reuse or be based on existing models. I could for example define my own portlet which may update organization knowing that organization is also updated from the control panel. Unless, I would like to apply different rights from portlets. But in that case, I should be able to state that "VIEW_DETAILS" is allowed for portlet A but not for portlet B (for a given role of course). But this is not how it works as far as I noticed.
Exactly, this is not how it works. Permissions are assigned to roles, not portlets.
There is no "context" information from which we could say that "displaying model A from portlet 1 is allowed, but displaying model A from portlet 2 is not allowed". This "context" information is more a display strategy than actual permission model. When user has permission to display some entity/model, it has the permission everywhere, otherwise it could lead to false sense of security.