Security for Portlet State (customize, maximize, minimize, close) not working

Wed, 22 May 2002 06:58:53 -0700 

Define the role "user" permissions in the admin interface - leave only
"view" checked.

Portlets for a user (the user has role "user" only) still have minimize,
maximize, close, configure icons.

When VelocityPortletContril.buildActionList() checks permissions:

StateFullPortletWrapper.allowCustomize()
PortletWrapper.checkPermission()
JetspeedSecurity.checkPermission()
JetspeedDBSecurity.checkPermission() (line 222)
JetspeedDBSecurity.checkPermission() (line 234)

Here it check's the RegistryEntry for the portlet for security, and seing
none, calls "checkDefaultPermission()".

If it had seen a role for the Entry, and the user's acl has the role, it
goes on to call "checkPermission()".

* Why the two different calls?

Further tracking reveals... In checkDefaultPermissions(), we get the set of
permissions for the "CONFIG_DEFAULT_PERMISSION_LOGGEDIN"., which is "*".
The "*" matches the permission and it is granted.  WRONG!

* Why are we going for default permissions, when I have a logged in user
with an ACL?

* * *

Proposal: This code:

    public boolean checkPermission(RunData runData, String permission,
RegistryEntry entry)

In JetspeedDBSecurityService is wrong.  It's the only place that
checkDefaultPermission() is called, and I believe it should not be doing so.
checkPermission(rundata, premission) seems the proper call.  Just because an
Entry has no specific role, doesn't mean that we should *ignore* the user's
role derived ACL, right?

I'll fix this - but if anyone has another opinion, please speak up!

****************************************

Another thing - When BasePortletSet.allowCustommize() is called, why does it
check for "PERMISSION_INFO" permission?  Does anyone know what "info" means?
Why is this not "PERMISSION_CUSTOMIZE"?

Thanks.

- Glenn
 
--------------------------------------------
Glenn R. Golden, Systems Research Programmer
University of Michigan School of Information
[EMAIL PROTECTED]               734-615-1419
--------------------------------------------


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Reply via email to