[ http://jira.nuxeo.org/browse/NXP-2631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=41547#action_41547 ]

Marc-Aurèle Darche commented on NXP-2631:
-----------------------------------------

It seems that it is only possible to check permissions on documents at the 
moment with Nuxeo. So the only possible check is on the user's membership in the 
"administrators" group.

Below is the modification that I propose:

org/nuxeo/theme/jsf/editor/managers/UiManager.java

public String startEditor() {
    UserManager userManager = Framework.getService(UserManager.class);
    NuxeoPrincipal principal = userManager.getPrincipal(username);
    // Fail closed: refuse to start the editor when the principal cannot be
    // resolved or is not a member of the "administrators" group.
    if (principal == null || !principal.isAdministrator()) {
        log.error("User " + principal + " is not an administrator and thus is "
                + "not allowed to start the Theme Editor");
        return null;
    }
...
}

This introduces a new dependency on org.nuxeo.ecm.platform.core for the Theme 
Editor. Is it OK?


> Access to the Nuxeo Theme Editor should be enforced
> ---------------------------------------------------
>
>                 Key: NXP-2631
>                 URL: http://jira.nuxeo.org/browse/NXP-2631
>             Project: Nuxeo Enterprise Platform
>          Issue Type: Bug
>            Reporter: Marc-Aurèle Darche
>            Assignee: Jean-Marc Orliaguet
>            Priority: Major
>
> At the moment, whether there is a link to the NX Theme Editor or not, it's 
> possible to enter it through the accesskeys.
> What should be done is to enforce all the calls to the Theme Editor according 
> to roles or permission. A first possible solution would be to simply give 
> access only to the Administrator user.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.nuxeo.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       
_______________________________________________
ECM-tickets mailing list
ECM-tickets@lists.nuxeo.com
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets
