6 Replies Latest reply on Jul 19, 2007 12:04 PM by theute

    security constraint template/dashboard

      hi,

      the template portal is set with 4 pages.
      one of them has a security constraint for the role Admin.

      but, when the user without the role Admin go to his dashboard (loaded from the template portal), he can see the admin page/tab.

      i take a look at tabs.jsp, and it seems that tabs are loaded without any notion of security.

      in JBP_OBJECT_NODE_** i can see that template.adminPage node is well secured.
      but, dashboard.anyUser.adminPage are not.


      thanks for help

      regards.



        • 1. Re: security constraint template/dashboard
          theute

          If you secure a page it won't appear in the tabs.

          What happens when you click on the tab ? Does it go to the page or display an error ?

          • 2. Re: security constraint template/dashboard

            i can go to the page like it was not secured

            i think that the security is not inherit from Template portal to Dashboard.


            • 3. Re: security constraint template/dashboard
              theute

              Ok that's just for dashboard.

              Template was done for all the users but your use case can be valid. I guess we should also copy the security settings (and it would make sense since you can apply security settings on the template)

              Could you open a Jira task and schedule this for 2.6.2 please ?

              • 4. Re: security constraint template/dashboard

                ok, thank you.

                that raises a second point in my uses cases.
                the fact that the template portal could be updated with new portlets.

                in that case, the user has to pull the portlet in his dashboard with the dashboardConfiguratorPortlet.
                I need a way to give to administrators the possibility to push the new portlet(s) in the dashboard of an user, a group of users or every users.

                anyway, i will remake the DashboardConfiguratorPortlet for my specific needs and i think i'll include this stuff, when an admin update the portal Template, give him the possibility to push the updates to users dashboards.

                and also
                - disable page adding
                - disable theme changing
                - title of portlet instead of instance name and group the portlets in a treeview thanks to keywords(<portlet-info>) to help users to find the right portlet to add
                - name of the page in the resource bundle and not the logic name

                • 5. Re: security constraint template/dashboard
                  • 6. Re: security constraint template/dashboard
                    theute

                    Thanks.

                    Yes we need to add metadata on instances also to have localized display names. And probably a new security action on top of view and personalize to allow the portlet instance to be used on the dashboard