3 Replies Latest reply on Dec 30, 2009 3:01 AM by damonchong

    Granting based on user permission and roles

    damonchong

      Hi,


      Firstly, thanks for all replies. I have tried to google for a solution for this but I feel like I am just missing one small thing.


      I have an XHTML file with the following permission check


      <rich:dropDownMenu id="npcDropDownMenu" style="float: left;" rendered="#{s:hasPermission('compoundBrowser', 'view')}">



      And in my permission database table I have inserted a record as follows:


      insert into user_permission (action,discriminator,recipient,target) 
      values ('view','user','demo','compoundBrowser');



      Now if I log in as the userid 'demo', the drop down menu appears. However, I would like to enable userids with 'Admin' roles to be able to see this particular drop down menu as well. So I added this in my components.xml file


         <drools:rule-base name="securityRules">
            <drools:rule-files>
               <value>/security.drl</value>
               <value>/META-INF/npc.drl</value>
            </drools:rule-files>
         </drools:rule-base>
      



      and in my npc.drl I have the following rules but it is not firing.


      rule AdminCanViewEditAnything
      
           when
                browser: CompoundBrowser()
                check: PermissionCheck(target == browser)
                Role(name == "Admin")          
           then 
                check.grant();
                System.out.println("Admin view and edit enabled.");
      end
      



      Oh, my CompoundBrowser class is annotated with both @Identifier and @Name. Any help appreciated, thanks in advance!



      Rgds,
      Damon




        • 1. Re: Granting based on user permission and roles
          shane.bryzak

          You have two different permission checks, one (the persistent one) is for a target of literal string 'compoundBrowser', the other one (the rule-based one) is for a target of an instance of the CompoundBrowser class.  You probably want to modify the rule to read as follows to bring them in line:



          rule AdminCanViewEditAnything
          when
            check: PermissionCheck(target == 'compoundBrowser')
            Role(name == "Admin")
          then
            check.grant();
          end



          • 2. Re: Granting based on user permission and roles
            damonchong

            Thanks for the advice Shane, but unfortunately I am still facing the same problem. Guess I have to try harder on this one. Anyway, merry X'mas!  ;-)

            • 3. Re: Granting based on user permission and roles
              damonchong

              Hi Shane,


              Happy new year to you. I figured out why it is not working. Apparently the package name for the different drl files must be the same. My default rule file, security.drl was using package com.abc.defaultPermissions; while the npc.drl was using com.abc.npcPermissions. I could not find any mention in the Seam documentation that this needs to be so. I guess it might be in the Drools documentation. Oh well, hope this helps anyone facing similar problems. Thanks a lot!



              Shane Bryzak wrote on Dec 24, 2009 08:41:


              You have two different permission checks, one (the persistent one) is for a target of literal string 'compoundBrowser', the other one (the rule-based one) is for a target of an instance of the CompoundBrowser class.  You probably want to modify the rule to read as follows to bring them in line:


              rule AdminCanViewEditAnything
              when
                check: PermissionCheck(target == 'compoundBrowser')
                Role(name == "Admin")
              then
                check.grant();
              end






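An added example, not part of the thread and not Seam or Drools code: a Python check that reads the rule files listed in each drools:rule-base and reports any rule-base whose DRL files declare different packages, the condition reply 3 reports as the reason the Admin rule never fired. The file contents are constructed samples built from the names in the thread, and the helper names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input: the rule-base from the question, plus DRL headers
# using the two package names reported in reply 3.
# Assumption (from reply 3): all rule files in one rule-base must share a package.
COMPONENTS_XML = """
<drools:rule-base name="securityRules">
   <drools:rule-files>
      <value>/security.drl</value>
      <value>/META-INF/npc.drl</value>
   </drools:rule-files>
</drools:rule-base>
"""
DRL_FILES = {
    "/security.drl": "package com.abc.defaultPermissions;\n// default rules\n",
    "/META-INF/npc.drl": "/* package old.name; */\npackage com.abc.npcPermissions;\n",
}

RULE_BASE = re.compile(r'<drools:rule-base\s+name="([^"]+)".*?</drools:rule-base>', re.S)
VALUE = re.compile(r"<value>\s*(.*?)\s*</value>", re.S)
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
PACKAGE = re.compile(r"^\s*package\s+([\w.]+)", re.M)

def rule_bases(components_xml):
    """Map each rule-base name to the rule files it lists."""
    return {m.group(1): VALUE.findall(m.group(0)) for m in RULE_BASE.finditer(components_xml)}

def drl_package(text):
    """Return the package a DRL file declares, ignoring commented-out text."""
    m = PACKAGE.search(COMMENT.sub("", text))
    return m.group(1) if m else None

def package_mismatches(components_xml, files):
    """Return {rule_base: {package: [files]}} for rule-bases that mix packages."""
    report = {}
    for name, paths in rule_bases(components_xml).items():
        by_pkg = defaultdict(list)
        for path in paths:
            by_pkg[drl_package(files[path])].append(path)
        if len(by_pkg) > 1:
            report[name] = dict(by_pkg)
    return report

if __name__ == "__main__":
    for name, pkgs in package_mismatches(COMPONENTS_XML, DRL_FILES).items():
        print(f"rule-base {name!r} mixes packages:")
        for pkg, paths in pkgs.items():
            print(f"  {pkg}: {', '.join(paths)}")
```

Run against a build's components.xml and DRL sources, an empty report means every rule-base uses a single package; a non-empty one names the files to align before relying on the permission rules in them.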