
Question on roles and permissions and resources


bbergquist


It seems that the integration of roles, permissions, and resources is not quite complete.

 

For example, I can create a new folder resource "/output" and give the role ROLE_USER permission to Administer this resource. It seems like the idea is that now a user with ROLE_USER should be able to create a folder "/output/pdf" for example since he can Administer the "/output" folder.

 

The problem is, if I log in as a user with ROLE_USER role, the "Managed Repository" menu is not even there.

 

So I decided to fix this. I modified "applicationContext-security.xml" to allow ROLE_USER to get to the "Manage Repository" menu.

 

This worked okay but then I found all of the resources listed had the "Assign" link available where I could change the permissions for a resource, unfortunately even for those resources that the logged in user does not have "Administer" permission set. So I decided to fix this.

 

I modified "RepoAdminAction.java" to set a hashmap called "adminResources" in the RequestContext request scope with an entry for each resource that the current user has "Administer" permission for. This looks at all of the roles assigned to the user as well as the permissions explicitly assigned to the user. I borrowed most of this code from "ObjectPermissionAction.java" because this had the code that would walk up the folders to find any inherited "Administer" permission. It seems that this would be better put into "RepositoryServiceSecurityChecker.java" and the effective permission lookup in "ObjectPermissionServiceImpl.java", but this appeared to be the quickest and best understood by me, so I implemented it in "RepoAdminAction.java".

 

I then modified "jsp/repoAdmin/defaultView.jsp" so the "Assign" link was rendered as just plain text if the current user does not have "Administer" permission for the resource. I also modified the "Assign Permissions" link with the current folder on this page to operate the same.

 

With these changes it is possible to give a certain role or user Administer permissions on a portion of the repository without having to give the user ROLE_ADMINISTRATOR and allowing the user to do everything.

 

If this is something that seems worthwhile, I can provide the changes that I did back to the community.
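The lookup described in the post above (walk up the folder tree, checking the user's roles and the user's own assignments for "Administer"), sketched as an added example that is not part of the original post and not JasperServer code. The class `AdminResourceLookup`, its methods, the `Permission` enum and the user name `jdoe` are hypothetical, and it assumes a grant on any ancestor folder is inherited.

```java
import java.util.*;

// Added illustration; all names here are hypothetical, not JasperServer's API.
public class AdminResourceLookup {
    enum Permission { READ, WRITE, ADMINISTER }

    // recipient (role or user name) -> resource URI -> explicitly assigned permissions
    private final Map<String, Map<String, Set<Permission>>> acl = new HashMap<>();

    void grant(String recipient, String uri, Permission p) {
        acl.computeIfAbsent(recipient, k -> new HashMap<>())
           .computeIfAbsent(uri, k -> EnumSet.noneOf(Permission.class))
           .add(p);
    }

    // True if the user, or any of the user's roles, holds ADMINISTER on the
    // resource itself or on any ancestor folder (assumed inheritance rule).
    boolean canAdminister(String user, Set<String> roles, String uri) {
        List<String> recipients = new ArrayList<>(roles);
        recipients.add(user);
        for (String path = uri; path != null; path = parent(path)) {
            for (String r : recipients) {
                Set<Permission> perms = acl.getOrDefault(r, Map.of()).get(path);
                if (perms != null && perms.contains(Permission.ADMINISTER)) return true;
            }
        }
        return false;
    }

    // "/output/pdf" -> "/output" -> "/" -> null
    static String parent(String uri) {
        if (uri.equals("/")) return null;
        int i = uri.lastIndexOf('/');
        return i <= 0 ? "/" : uri.substring(0, i);
    }

    // Builds the per-request map a view would consult before rendering "Assign".
    Map<String, Boolean> adminResources(String user, Set<String> roles, List<String> listed) {
        Map<String, Boolean> out = new LinkedHashMap<>();
        for (String uri : listed) out.put(uri, canAdminister(user, roles, uri));
        return out;
    }

    public static void main(String[] args) {
        AdminResourceLookup repo = new AdminResourceLookup();
        repo.grant("ROLE_USER", "/output", Permission.ADMINISTER); // constructed sample data
        System.out.println(repo.adminResources("jdoe", Set.of("ROLE_USER"),
                List.of("/output", "/output/pdf", "/reports", "/")));
    }
}
```

Rendering "Assign" as plain text only hides the entry point, so the same `canAdminister` check belongs in the server-side action that saves a permission change.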


 

We are working on a new repository manager in the next release of both OS and Pro.

 

The new repository manager UI is available to all users under View->Repository. (Manage->repository will be gone)

Now, depending on your role (and hence permissions), you will see certain functions available or missing. In the example mentioned here, the role_user can create a new folder under a folder if s/he has the permission. However, role_user can only create resources of type: Folders, adhoc (Pro only), and dashboard (Pro only). Other resource types are still only available to ROLE_ADMIN (same UI, the creation functionality is available only to role_admin though).

 

Hope this helps.
