Sez wrote:
Hi people,
I have some portlets with event "doSave". I want that some users, without
permission, can't save data, and they can call event Save. I tried putting this
entry in security.xreg...
<security-entry name="insert">
    <meta-info>
        <title>Permission To Insert</title>
    </meta-info>
    <access action="doSave">
        <allow-if role="user"/>
    </access>
    <access action="dosave">
        <allow-if role="user"/>
    </access>
    <access action="eventSubmit_doSave">
        <allow-if role="user"/>
    </access>
    <access action="eventsubmit_dosave">
        <allow-if role="user"/>
    </access>
    <access action="view">
        <allow-if role="guest"/>
    </access>
    <access action="view">
        <allow-if role="user"/>
    </access>
</security-entry>
But a guest can call doSave... Any idea, or must I use the Jetspeed API in the event dosave to check the permission?

Actions not being secured is a major missing piece in Jetspeed-1.
Make the check yourself in your doSave() method:
    if (JetspeedSecurity.checkPermission(
            (JetspeedUser) data.getUser(),
            resource or entry or portlet, // see JetspeedSecurity api
            "dosave"))
or
    String username = data.getUser().getUserName();
    if (!JetspeedSecurity.hasRole(username, "dosave"))
--
David Sean Taylor
Bluesunrise Software
[EMAIL PROTECTED]
[office] +01 707 773 4646
[mobile] +01 707 529 9194
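
The check described in the reply above, written out as a complete action class. This is an added example, not code from the original thread or from the Jetspeed project. The class name, package, the "canSave" context key and the choice of "doSave" as the action string are assumptions, as is the portlet being tied to the "insert" security entry so that checkPermission consults it.

```java
// Added example: a Jetspeed-1 portlet action that enforces the permission
// itself, because the portal does not secure event methods for you.
package com.example.portlets; // hypothetical package

import org.apache.jetspeed.modules.actions.portlets.VelocityPortletAction;
import org.apache.jetspeed.om.security.JetspeedUser;
import org.apache.jetspeed.portal.portlets.VelocityPortlet;
import org.apache.jetspeed.services.JetspeedSecurity;
import org.apache.turbine.util.RunData;
import org.apache.velocity.context.Context;

public class GuardedSaveAction extends VelocityPortletAction {

    // Assumed to match an <access action="..."> name in the security entry.
    private static final String SAVE_ACTION = "doSave";

    protected void buildNormalContext(VelocityPortlet portlet,
                                      Context context, RunData data) {
        // Lets the template hide the save button; this is cosmetic only,
        // the real enforcement is the check inside doSave().
        context.put("canSave", Boolean.valueOf(maySave(portlet, data)));
    }

    // Event handler reached through the eventSubmit_doSave form field.
    public void doSave(RunData data, Context context) {
        VelocityPortlet portlet = (VelocityPortlet) context.get("portlet");
        if (!maySave(portlet, data)) {
            // Fail closed: nothing is written for an unauthorized caller.
            data.setMessage("You do not have permission to save.");
            return;
        }
        // Application-specific persistence of the submitted form goes here.
    }

    // Deny by default when the user or the portlet cannot be resolved.
    private boolean maySave(VelocityPortlet portlet, RunData data) {
        if (portlet == null || !(data.getUser() instanceof JetspeedUser)) {
            return false;
        }
        return JetspeedSecurity.checkPermission(
                (JetspeedUser) data.getUser(), portlet, SAVE_ACTION);
    }
}
```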