Define the role "user" permissions in the admin interface - leave only "view" checked.
Portlets for a user (the user has role "user" only) still have minimize, maximize, close, configure icons.

When VelocityPortletControl.buildActionList() checks permissions:

    StateFullPortletWrapper.allowCustomize()
    PortletWrapper.checkPermission()
    JetspeedSecurity.checkPermission()
    JetspeedDBSecurity.checkPermission() (line 222)
    JetspeedDBSecurity.checkPermission() (line 234)

Here it checks the RegistryEntry for the portlet for security, and seeing none, calls "checkDefaultPermission()". If it had seen a role for the Entry, and the user's acl has the role, it goes on to call "checkPermission()".

* Why the two different calls?

Further tracking reveals...

In checkDefaultPermissions(), we get the set of permissions for the "CONFIG_DEFAULT_PERMISSION_LOGGEDIN", which is "*". The "*" matches the permission and it is granted. WRONG!

* Why are we going for default permissions, when I have a logged in user with an ACL?

* * *

Proposal:

This code:

    public boolean checkPermission(RunData runData, String permission, RegistryEntry entry)

in JetspeedDBSecurityService is wrong. It's the only place that checkDefaultPermission() is called, and I believe it should not be doing so. checkPermission(rundata, permission) seems the proper call.

Just because an Entry has no specific role, doesn't mean that we should *ignore* the user's role derived ACL, right?

I'll fix this - but if anyone has another opinion, please speak up!

****************************************

Another thing - When BasePortletSet.allowCustomize() is called, why does it check for "PERMISSION_INFO" permission? Does anyone know what "info" means? Why is this not "PERMISSION_CUSTOMIZE"?

Thanks.

- Glenn

--------------------------------------------
Glenn R. Golden, Systems Research Programmer
University of Michigan School of Information
[EMAIL PROTECTED]
734-615-1419
--------------------------------------------
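
The fall-through described in the message above, as an added example that is not part of the original message and is not Jetspeed code. It is a simplified model: the class, method and permission names are hypothetical, and denying a user who lacks the entry's role is an assumption.

```java
import java.util.*;

// Simplified model of the check described in the message; class and method
// names are hypothetical and are not Jetspeed's API.
public class PermissionFallbackDemo {
    // Role -> permissions as set in the admin interface: "user" has only "view".
    static final Map<String, Set<String>> ROLE_PERMS = Map.of("user", Set.of("view"));
    // Default permission set for logged-in users, reported in the message as "*".
    static final Set<String> DEFAULT_LOGGED_IN = Set.of("*");

    // True if any of the user's roles grants the permission (or the wildcard).
    static boolean aclAllows(Set<String> userRoles, String permission) {
        for (String role : userRoles) {
            Set<String> perms = ROLE_PERMS.getOrDefault(role, Set.of());
            if (perms.contains(permission) || perms.contains("*")) return true;
        }
        return false;
    }

    // Behaviour as described: an entry with no role never reaches the user's
    // ACL; the logged-in defaults decide, and "*" matches every permission.
    static boolean checkAsDescribed(Set<String> userRoles, String permission, String entryRole) {
        if (entryRole == null) {
            return DEFAULT_LOGGED_IN.contains("*") || DEFAULT_LOGGED_IN.contains(permission);
        }
        // Assumption: a user without the entry's role is denied.
        return userRoles.contains(entryRole) && aclAllows(userRoles, permission);
    }

    // Behaviour as proposed: an entry with no role still consults the user's ACL.
    static boolean checkAsProposed(Set<String> userRoles, String permission, String entryRole) {
        if (entryRole != null && !userRoles.contains(entryRole)) return false;
        return aclAllows(userRoles, permission);
    }

    public static void main(String[] args) {
        Set<String> roles = Set.of("user");   // constructed sample user
        // Constructed permission names; the registry entry has no role (null).
        for (String p : List.of("view", "customize", "minimize", "maximize", "close")) {
            System.out.printf("%-10s described=%-5b proposed=%b%n", p,
                checkAsDescribed(roles, p, null), checkAsProposed(roles, p, null));
        }
    }
}
```

With the wildcard default, the described path grants every permission for an entry without a role, while the proposed path grants only "view".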