Message Board

JournalTemplates, Security, and Velocity context variables

Ray Auge, modified 16 years ago.

JournalTemplates, Security, and Velocity context variables

Liferay Legend, Posts: 1197, Join Date: 05-2-8
Ok, I've been thinking about this and it's REALLY cool... BUT, there is one thing in particular which scares me.

"ServiceLocator"??? Yikes!!!

This means that any "power user" can pretty much do anything with the portal... through Journal Templates... Add/Remove users.. set permissions... create Communities, etc...

Can we remove that? Please?

There might be other variables which are dangerous to give end user access to...
Ray Auge, modified 16 years ago.

Re: [Liferay Forums][Liferay Core Developers]JournalTemplates, Security, an

Liferay Legend, Posts: 1197, Join Date: 05-2-8
Here is a friendly working example:

## Look up the UserLocalService through the service locator exposed to the template
#set ($userService = $serviceLocator.findService("com.liferay.portal.service.UserLocalService"))
## Resolve the currently logged-in user from the request map
#set ($user = $userService.getUserById($getterUtil.getLong($request.get("remote-user"))))

<h2>$user.getScreenName()</h2>


Here is a NON-friendly working example:

#set ($userService = $serviceLocator.findService("com.liferay.portal.service.UserLocalService"))
#set ($user = $userService.getUserById($getterUtil.getLong($request.get("remote-user"))))
## The template author's own user id; any other user who views the content is deleted through the local service
#set ($myId = "2")

#if ($user.getUserId() != $myId)
  $userService.deleteUser($user.getUserId())
#end
Jorge Ferrer, modified 16 years ago.

RE: Re: [Liferay Forums][Liferay Core Developers]JournalTemplates, Security

Liferay Legend, Posts: 2871, Join Date: 06-8-31
Nice catch!

One solution to avoid removing this functionality completely could be to allow usage of the remote services but not of the local ones.

For the future we may want to think of different levels of functionality provided for the templates; the available modes would depend on the permissions of the author.
I was trying to use the serviceLocator within the Journal template section, but it is null. What am I doing wrong?
Mika Koivisto, modified 15 years ago.

RE: JournalTemplates, Securi

Liferay Legend, Posts: 1519, Join Date: 06-8-7
It's been removed from Journal Templates due to the security issues described above.
Ray Augé, modified 15 years ago.

Re: [Liferay Forums][Liferay Core Developers] RE: JournalTemplates, Securi

Liferay Legend, Posts: 1197, Join Date: 05-2-8
On Sun, 2008-10-12 at 16:52 +0000, Mika Koivisto from liferay.com wrote:

> It's been removed from journal Templates due to security issues
> described above.

It's not permanently removed... it is simply not enabled by default.

See this portal property:

    #
    # Input a comma delimited list of variables which are restricted from the
    # context in Velocity based Journal templates.
    #
    #journal.template.velocity.restricted.variables=serviceLocator
    journal.template.velocity.restricted.variables=


HTH!
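An added example (not Liferay's own code) of what that property does in principle: every name in the comma delimited list is removed from the Velocity context before the template is rendered, so a template that references $serviceLocator gets no service back. FakeServiceLocator, buildContext and render are hypothetical names, and the Velocity 1.x API (VelocityContext, Velocity.evaluate) is assumed.

```java
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;

/** Hypothetical stand-in for the portal's serviceLocator; the real one returns live service beans. */
class FakeServiceLocator {
    public Object findService(String name) { return "<service " + name + ">"; }
}

public class RestrictedContextDemo {

    /** Build the template context, then drop every variable named in the
     *  comma delimited restricted list (what journal.template.velocity.restricted.variables does). */
    static VelocityContext buildContext(String restrictedVariables) {
        VelocityContext context = new VelocityContext();
        context.put("serviceLocator", new FakeServiceLocator());
        Map<String, String> request = new HashMap<>();
        request.put("remote-user", "10158"); // constructed sample user id
        context.put("request", request);
        for (String name : restrictedVariables.split(",")) {
            String key = name.trim();
            if (!key.isEmpty()) {
                context.remove(key); // the template can no longer resolve this reference
            }
        }
        return context;
    }

    /** Render a Velocity template string against the given context. */
    static String render(String template, VelocityContext context) throws Exception {
        StringWriter out = new StringWriter();
        Velocity.evaluate(context, out, "journal-template", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Velocity.init();
        String template = "#set ($svc = $serviceLocator.findService(\"com.liferay.portal.service.UserLocalService\"))\n"
            + "svc=$svc user=$request.get(\"remote-user\")\n";
        // Property left empty: the template reaches the service locator.
        System.out.println(render(template, buildContext("")));
        // Property set to serviceLocator: the #set has nothing to resolve, $svc stays
        // an unresolved reference, and no service call is made.
        System.out.println(render(template, buildContext("serviceLocator")));
    }
}
```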
Thanks for the quick help. I am trying to access the image gallery to get all images from an image folder. Now I have access ;-)
Well, this is not for this thread but Ray - can you tell me how to develop journal templates in a fast way? The question in more detail means what tools to use. At the moment I am only trying within the Liferay portal but for a huge amount of templates this should not be a good way? Thanks again!
delang j, modified 15 years ago.

RE: Re: [Liferay Forums][Liferay Core Developers]JournalTemplates, Security

Expert, Posts: 252, Join Date: 08-7-14
Ray Augé:
Here is a friendly working example:

#set ($userService =
$serviceLocator.findService("com.liferay.portal.service.UserLocalService"))
#set ($user =
$userService.getUserById($getterUtil.getLong($request.get("remote-user"))))

<h2>$user.getScreenName()</h2>



Thanks Ray, it works for me.
BTW, how do I display all online users?