Understanding liferay's permission system

3
votes

I have already read all topics about liferay. I have read a lot of tutorials, but unfortunately i couldn't understand the concept of liferay permission.

I would be grateful if you could answer my questions.

Only i understand that liferay portlet has two types of permissions: model and portlet.

For Example:

<?xml version="1.0" encoding="UTF-8"?>

<resource-action-mapping>

    <portlet-resource>

        <portlet-name>testFCK</portlet-name>

        <permissions>

            <supports>

                <action-key>ADD_FOO</action-key>

                <action-key>VIEW</action-key>

                <action-key>DO_TRICS</action-key>

            </supports>

            <community-defaults>

                <action-key>VIEW</action-key>

                <action-key>ADD_FOO</action-key>

            </community-defaults>

            <guest-defaults>

                <action-key>VIEW</action-key>

            </guest-defaults>

            <guest-unsupported>

                <action-key>DO_TRICS</action-key>

            </guest-unsupported>

        </permissions>

    </portlet-resource>

    <model-resource>

        <model-name>me.pd.test.model.Foo</model-name>

        <portlet-ref>

            <portlet-name>testFCK</portlet-name>

        </portlet-ref>

        <permissions>

            <supports>

                <action-key>DELETE</action-key>

                <action-key>UPDATE</action-key>

                <action-key>VIEW</action-key>

            </supports>

            <community-defaults>

                <action-key>VIEW</action-key>

            </community-defaults>

            <guest-defaults>

                <action-key>VIEW</action-key>

            </guest-defaults>

            <guest-unsupported>

                <action-key>UPDATE</action-key>

                <action-key>DELETE</action-key>

            </guest-unsupported>

        </permissions>

    </model-resource>

</resource-action-mapping>

I can use:

<action-key>ADD_FOO</action-key>

<action-key>VIEW</action-key>

<action-key>DO_TRICS</action-key>

in my portlet class to check if user has permission to do something like:

try {

    PortletPermissionUtil.check(themeDisplay.getPermissionChecker(), plid,  PortalUtil.getPortletId(actionRequest), "ADD_FOO");

} catch(PrincipalException e){

    System.out.println("NO ADD_FOO ACTION");

}

Question 1:

What does 

<community-defaults>

     <action-key>VIEW</action-key>

     <action-key>ADD_FOO</action-key>

</community-defaults>

<guest-defaults>

    <action-key>VIEW</action-key>

</guest-defaults>

means? I create a community and add user(user1) to it and when i check user for permission he dosen't have it. Where should i use checking?

There are many example to use addResources before or after STORE enty to base:

resourceLocalService.addResources(foo.getCompanyId(),
                foo.getGroupId(), foo.getUserId(),
                Foo.class.getName(),
                foo.getPrimaryKey(), false,
                true, true);

Question 2:

Why should i use it and what do the following last 3 parameters mean? I can't understand which permission they give to Community or Guests?

ResourceLocalServiceUtil.addResources(
    entry.getCompanyId(), entry.getGroupId(), entry.getUserId(),BlogsEntry.class.getName(), entry.getPrimaryKey().toString(),
    false,
    addCommunityPermissions,
    addGuestPermissions);

How does addResources influence permissions on my entrys?

Question 3:

How i can use <model-resource>'s actions and when i should use it?

Thank you in advance.

Best regards

1
permissionsliferayportlet

1 Answers

0
votes

re: question 1

The fragment in question are the default permissions assigned to certain user types to perform certain actions on resources. The resources, as in ResourceLocalServiceUtil and such, are extensions to other real objects in the database (e.g. JournalArticle or, in your example, me.pd.test.model.Foo). So a resource is something that has it's permissions (i.e. permissions to execute actions on objects of resource type) managed by Liferay.

Although your object may have it's groupId or companyId, the resource related to it may have it's own values, and, unfortunately, it's programmer's role to keep these redundant resource values up-to-date.

The community-default (in recent Liferay versions renamed to site-member-defaults) are default permissions assigned to members of the community (i.e. site) to which a particular resource belongs. So in your example, if you create some Bar object of Foo type in Baz community, the members of the Baz community should by default be assigned permissions to ADD_FOO and VIEW the Bar object. That is, unless addCommunityPermissions in addResource method is false.

The guest-default permissions are analogous, just assigned to guest users by default (and again, unless addGuestPermissions is false when creating the resource).

re: question 2

So these last parameters are boolean portletActions, boolean addCommunityPermissions, boolean addGuestPermissions)

The last two should already be easy to understand -- if you pass false to them, you effectively disregard the default action permissions defined in your permissions XML.

The portletActions tell if you want to add permission resources related to the portlet itself (true) or to the portlet models (false).

Now I am not 100% sure, but I think you shouldn't ever need to pass portletActions as true, as it is Liferay itself which should manage the portlet permission resources.

re: question 3

Whenever your portlet manages some persisted objects (think the book-catalogue portlet which comes up in many portlet tutorials, where you manage books in database etc.) and you want permissions on these objects to be managed through Liferay's resource permissions framework (you may choose not to and have these permissions managed some other way).