bbergquist Posted February 6, 2008

It seems that the integration of roles, permissions, and resources is not quite complete. For example, I can create a new folder resource "/output" and give the role ROLE_USER permission to Administer this resource. It seems like the idea is that now a user with ROLE_USER should be able to create a folder "/output/pdf", for example, since he can Administer the "/output" folder. The problem is, if I log in as a user with ROLE_USER role, the "Managed Repository" menu is not even there.

So I decided to fix this. I modified "applicationContext-security.xml" to allow ROLE_USER to get to the "Manage Repository" menu. This worked okay, but then I found all of the resources listed had the "Assign" link available where I could change the permissions for a resource, unfortunately even for those resources that the logged in user does not have "Administer" permission set.

So I decided to fix this. I modified "RepoAdminAction.java" to set a hashmap called "adminResources" in the RequestContext request scope with an entry for each resource that the current user has "Administer" permission for. This looks at all of the roles assigned to the user as well as the permissions explicitly assigned to the user. I borrowed most of this code from "ObjectPermissionAction.java" because this had the code that would walk up the folders to find any inherited "Administer" permission. It seems that this would be better put into "RepositoryServiceSecurityChecker.java" and the effective permission lookup in "ObjectPermissionServiceImpl.java", but this appeared to be the quickest and best understood by me, so I implemented it in "RepoAdminAction.java".

I then modified "jsp/repoAdmin/defaultView.jsp" so the "Assign" link was rendered as just plain text if the current user does not have "Administer" permission for the resource. I also modified the "Assign Permissions" link with the current folder on this page to operate the same.

With these changes it is possible to give a certain role or user Administer permissions on a portion of the repository without having to give the user ROLE_ADMINISTRATOR and allowing the user to do everything. If this is something that seems worthwhile, I can provide the changes that I did back to the community.
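
The lookup bbergquist describes above, as an added example that is not his code and not part of JasperServer: an Administer grant on a folder is inherited by everything beneath it, and, as a design assumption of this example, the same check gates both the rendered "Assign" link and the action that changes permissions. The class and method names, the in-memory ADMIN_GRANTS map, the "role:"/"user:" recipient prefixes and the users jdoe and asmith are all hypothetical.

```java
import java.util.*;

// Added example: hypothetical in-memory ACL, not JasperServer classes or APIs.
public class AdministerCheck {
    // Folder URI -> recipients ("role:NAME" or "user:NAME") granted Administer there.
    static final Map<String, Set<String>> ADMIN_GRANTS = new HashMap<>();

    // Parent folder of a repository URI, or null once the root "/" has been passed.
    static String parent(String uri) {
        if (uri.equals("/")) return null;
        int slash = uri.lastIndexOf('/');
        return slash <= 0 ? "/" : uri.substring(0, slash);
    }

    // True if the user or one of their roles has Administer on uri or any ancestor folder.
    static boolean canAdminister(String uri, String user, Set<String> roles) {
        Set<String> recipients = new HashSet<>();
        recipients.add("user:" + user);
        for (String role : roles) recipients.add("role:" + role);
        for (String p = uri; p != null; p = parent(p)) {
            Set<String> granted = ADMIN_GRANTS.getOrDefault(p, Collections.emptySet());
            if (!Collections.disjoint(granted, recipients)) return true;
        }
        return false;
    }

    // View side: "Assign" is a link only when the check passes, otherwise plain text.
    static String assignCell(String uri, String user, Set<String> roles) {
        return canAdminister(uri, user, roles) ? "Assign (link)" : "Assign (plain text)";
    }

    // Action side: re-check before applying; hiding the link does not block a direct request.
    static void grantAdminister(String uri, String recipient, String user, Set<String> roles) {
        if (!canAdminister(uri, user, roles))
            throw new SecurityException(user + " may not administer " + uri);
        ADMIN_GRANTS.computeIfAbsent(uri, k -> new HashSet<>()).add(recipient);
    }

    public static void main(String[] args) {
        // Constructed data for the thread's scenario: ROLE_USER administers /output.
        ADMIN_GRANTS.put("/output", new HashSet<>(Collections.singleton("role:ROLE_USER")));
        Set<String> roles = Collections.singleton("ROLE_USER");
        System.out.println("/output/pdf: " + assignCell("/output/pdf", "jdoe", roles));
        System.out.println("/reports: " + assignCell("/reports", "jdoe", roles));
        grantAdminister("/output/pdf", "user:asmith", "jdoe", roles);
        try { grantAdminister("/reports", "user:asmith", "jdoe", roles); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```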

swood Posted February 11, 2008

Cool! Someone is digging into the APIs! As you discovered, we do not have integration between the permissions and the options available on the screen. We should extend the RepositoryServiceSecurityChecker up into the UI.

Sherman
JasperSoft

alex.chan Posted February 12, 2008

bbergquist,

We are working on a new repository manager in the next release of both OS and Pro. The new repository manager UI is available to all users under View->Repository. (Manage->repository will be gone.) Now, depending on your role (and hence permissions), you will see certain functions available or missing.

In the example mentioned here, the role_user can create a new folder under a folder if s/he has the permission. However, role_user can only create resources of type: Folders, adhoc (Pro Only), and dashboard (Pro Only). Other resource types are still only available to ROLE_ADMIN (same UI, the creation functionality is available only to role_admin though).

Hope this helps.

tranjasper Posted December 10, 2008

Hi, bbergquist

I am very interested in the work you have done. Can you post your changes?

Post Edited by brian tran at 12/12/08 12:28

anandharaj Posted December 11, 2008

Hi bbergquist,

I would suggest that you post your "changes" in this forum so that all our folks here can get the benefit of that. :-)