      Description

      I believe there is an issue in the PortalNode API when building the map of children for a given node. The issue lies in the strategy for checking the permissions on a Page (PortalObjectPermission - configured in *-object.xml) vs. Window (InstancePermission - configured in portlet-instances.xml).

      The current implementation: PortalNodeImpl.NodeList.buildChildMap(PortalNodeImpl objectNode) checks permissions for each child node as follows:

      ...
      if (!visible)
      {
          visible = portalAuthorizationManager.checkPermission(new PortalObjectPermission(childObject.getId(), PortalObjectPermission.VIEW_MASK));
      }
      ...

      The problem here is that when building the child map for a page, the children may be either other Pages or portlet Windows; the current code only correctly checks permissions for child Pages.

      I think the above code should check the permissions as follows:

      ...
      if (!visible)
      {
          if (childObject.getType() == PortalObject.TYPE_WINDOW)
          {
              visible = objectNode.portalAuthorizationManager.checkPermission(new InstancePermission(((WindowImpl) childObject).getURI(), InstancePermission.VIEW_ACTION));
          }
          else
          {
              visible = objectNode.portalAuthorizationManager.checkPermission(new PortalObjectPermission(childObject.getId(), PortalObjectPermission.VIEW_MASK));
          }
      }
      ...

      This issue may be less apparent because the implementation first checks the 'viewrecursive' permission on pages and if it exists, doesn't check the window permissions at all. One way to reproduce the issue is to ensure a given page is secured with 'view' permission only and then use the PortalNode API to create a link from one portlet to another on the same page (as suggested in section 13.9.3 of the reference guide: 'Link to other pages' http://docs.jboss.com/jbportal/v2.7.1/referenceGuide/html_single/#d0e7436).

      I've checked that this issue exists in JBP 2.6 and 2.7; I've attached a patch that I've tested against 2.6.5.
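
Added example, not part of the original report and not JBoss Portal code: a simplified Java model of the child-visibility decision described above, comparing the object-only check with the type-dispatched check, including the 'viewrecursive' short-circuit. The class, the Child type and the policy entries (/default/news, NewsPortletInstance, AdminPortletInstance) are constructed for illustration.

```java
import java.util.*;

// Simplified model of the check described in the report; not JBoss Portal code.
public class ChildVisibilityModel {
    enum Type { PAGE, WINDOW }

    static final class Child {
        final String id; final Type type; final String instanceUri;
        Child(String id, Type type, String instanceUri) {
            this.id = id; this.type = type; this.instanceUri = instanceUri;
        }
    }

    // Constructed policy: object ids granted 'view' (the *-object.xml side)
    // and instance URIs granted 'view' (the portlet-instances.xml side).
    static final Set<String> OBJECT_VIEW = new HashSet<>(Arrays.asList("/default/news"));
    static final Set<String> INSTANCE_VIEW = new HashSet<>(Arrays.asList("NewsPortletInstance"));

    // byType=false: every child is checked as a portal object (current strategy).
    // byType=true: windows are checked against the instance policy (proposed strategy).
    static boolean visible(Child c, boolean viewRecursive, boolean byType) {
        if (viewRecursive) return true; // parent page grant skips the per-child check
        if (byType && c.type == Type.WINDOW) return INSTANCE_VIEW.contains(c.instanceUri);
        return OBJECT_VIEW.contains(c.id);
    }

    // Ids of children on which the two strategies give different answers.
    static List<String> disagreements(List<Child> children, boolean viewRecursive) {
        List<String> out = new ArrayList<>();
        for (Child c : children)
            if (visible(c, viewRecursive, false) != visible(c, viewRecursive, true)) out.add(c.id);
        return out;
    }

    public static void main(String[] args) {
        List<Child> children = Arrays.asList(
            new Child("/default/news", Type.PAGE, null),
            new Child("/default/news/NewsWindow", Type.WINDOW, "NewsPortletInstance"),
            new Child("/default/news/AdminWindow", Type.WINDOW, "AdminPortletInstance"));
        System.out.println("page has view only:     " + disagreements(children, false));
        System.out.println("page has viewrecursive: " + disagreements(children, true));
    }
}
```

With 'view' only on the page, the two strategies disagree on the window whose instance is viewable; with 'viewrecursive' the short-circuit hides the difference.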

      People

      • Assignee: Unassigned
      • Reporter: apemberton Andy Pemberton