On Mon, 10 Mar 2008, Andreas Hartmann wrote:

 > Rainer Schöpf wrote:
 > 
 > [...]
 > 
 > >  > > Another question: from the lenya startpage, I can create a new publication
 > >  > > without logging in. On the usecases page, only the role sitemanager is
 > >  > > listed for the usecase templating.createPublicationFromTemplate. I had
 > >  > > expected a login screen when I try to create a new publication via the web
 > >  > > gui.
 > >  >
 > >  > Usecase policies don't have an effect outside publications, that's why the
 > >  > usecase isn't protected when it is invoked on the Lenya start page. If you
 > >  > want this protection, you could for instance add a menu item "Create new
 > >  > publication" to your publication menu.
 > > 
 > > Yes, I understand, but how can I prevent anonymous execution of the
 > > usecase? Even if I remove the link on the welcome page, I can still execute
 > > it by adding
 > > 
 > >  ?lenya.usecase=templating.createPublicationFromTemplate
 > > 
 > > to the welcome page URL.
 > 
 > 
 > If you're using 2.0 and not the current SVN version, the most straightforward
 > way I see is to add a new usecase, create a subclass of the
 > CreatePublicationFromTemplate class and add a precondition check, e.g.
 > 
 >   URLInformation info = new URLInformation(getSourceUrl());
 >   String pubId = info.getPublicationId();
 >   DocumentFactory factory = getDocumentFactory();
 >   if (pubId == null || !factory.existsPublication(pubId)) {
 >       addErrorMessage("Can't invoke this usecase outside a pub.");
 >   }
 > 
 > If you're using the trunk and I find the time this evening, I could add a
 > configuration option to the usecase which allows disabling it outside
 > publications and you could use it after an SVN update.

At the moment, I'm using 2.0.

However, it just occurred to me that - since I'm using Apache and the AJP proxy
to access Tomcat from the outside - I can filter the URL from within Apache.

So, I'm happy with the current state of affairs ;-)

 Thanks a lot
  Rainer
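
As an added illustration of the Apache-side filter mentioned in the last message (not part of the thread and not Lenya project configuration): a virtual host that refuses the usecase parameter before the request reaches Tomcat. The Apache httpd 2.4 syntax, the AJP address 127.0.0.1:8009 and the host name cms.example.org are assumptions.

```apache
# Added example, not from the thread. Assumptions: Apache httpd 2.4 with
# mod_proxy and mod_proxy_ajp loaded, Tomcat's AJP connector listening on
# 127.0.0.1:8009, and the placeholder host name cms.example.org.
<VirtualHost *:80>
    ServerName cms.example.org

    # Weak form, shown for comparison only: it matches the raw query string,
    # so a percent-encoded spelling of the same parameter is not recognised,
    # although the servlet container decodes it before Lenya sees it.
    #<If "%{QUERY_STRING} =~ /lenya\.usecase=templating\.createPublicationFromTemplate/">
    #    Require all denied
    #</If>

    # Stricter form: decode percent-escapes once (as the container does) and
    # match the parameter as a complete name=value pair.
    # unescape() returns an empty string when the input contains %00, which
    # would make the second test pass silently, so %00 is refused outright.
    # This denies the usecase on every URL; wrap the <If> in a <Location>
    # for the start page if the usecase is still wanted inside a publication,
    # where Lenya's own usecase policies apply.
    <If "%{QUERY_STRING} =~ /%00/ || unescape(%{QUERY_STRING}) =~ /(^|&)lenya\.usecase=templating\.createPublicationFromTemplate(&|$)/">
        Require all denied
    </If>

    # Everything else is handed to Tomcat over AJP.
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>
```

The rule only protects requests that pass through this virtual host, so Tomcat's AJP and HTTP connectors need to be bound to the loopback interface or firewalled. It inspects the query string only; parameters sent in a request body are not examined.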
