This article documents some of the more complex use cases when granting permissions to a site.
- Who can be site members?
- I am having trouble adding user groups to a site; the user groups are not displaying.
- I don't want site Members to have permissions to add content to a page. How can I revoke specific permissions?
- Which permissions do I need to grant for a user to be able to add portlets to a page?
- I granted role permissions for a regular role on a site then exported it to a LAR file, but when I import it into a new environment with the same site, the same regular role permissions are not present. Is this intended?
- How do I remove permissions to add documents in the Documents and Media portlet?
- I don't want Site Members to delete documents after they have been uploaded. How can I restrict such permissions?
- How do I prevent users from being able to add JavaScript to a page in the Configure Page's Advanced menu?
- How do I prevent even Guests from viewing content on an unauthenticated site?
- After upgrading to DXP 7.1+, guests cannot view some web contents?
- If I do want Guests to be able to view content, what settings do I need?
- How do I restrict people from viewing other Web Content folders other than the one(s) they do have permission to view?
- How do permissions rules affect assets displayed in the Asset Publisher?
- Can I select which items to be available in the Item Selector based on which user or user role?
Resolution
1. Who can be site members?
Users, organizations, and user groups can be members of a site. That means site administrators do not have to add individuals to a site manually; any user who is also a member of a particular organization or user group can be added simply by adding the whole organization.
2. I am having trouble adding user groups to a site; the user groups are not displaying.
Usually, this is not a problem for omni-admins but appears only if a role has less than full administrator privileges.
Figure 1. User groups are missing from the Site Membership screen.
To Reproduce: create a role called Site Configurer with the following permissions:
- Navigate to Control Panel → Users → Roles
- Click the ellipsis icon → Define Permissions
- Under Control Panel → General Permissions, select all permissions
- Click Save
- Click Control Panel → Sites → Sites
- Select all permissions
- Click Save
- Click Site Administration → Members → Site Memberships
- Select all permissions
- Click Save
One might think that this set of permissions is enough. However, this role is missing the View permission for User Groups. At the very least, this Site Configurer role needs this additional permission. (Otherwise, they will encounter the error displayed above.)
- Click Control Panel → Users → User Groups
- Under Resource Permissions, check the box for View
- Click Save
3. I don't want site Members to have permissions to add content to a page. How can I revoke specific permissions?
In Liferay Portal 6.2, it was possible for a regular user with Site Member permissions to have access to all the portlets and add content on their customizable page. This was intended behavior in Liferay Portal 6.2 because that customizable page was visible only to them.
However, in Liferay DXP 7.0, use the following steps to revoke a Site Member's permissions to add content:
- Navigate to Control Panel → Content → Documents and Media → Options (three dots in the top right corner) → Home Folder Permissions
- Uncheck the Add Document checkbox for Site Member
- Repeat these steps for every site
4. Which permissions do I need to grant for a user to be able to add portlets to a page?
For all portlets:
It depends. Site administrators can define the permissions for all portlets in general or just specific applications.
- Navigate to Control Panel → Users → Roles
- Click the ellipsis icon → Define Permissions
- Click Site Administration → Navigation to expand the menu
- Click Site Pages
- Scroll down to the Page section. At the very least, grant Update and View permissions so that this particular role can add portlets to a page.
- Click the Save button to update the settings.
If the user role should be restricted to specific portlets:
- Click Site Administration → Applications instead.
- Grant permissions for each specific application. For example, let's say this user role has the ability to schedule Calendar events. Click Calendar.
- Click the Add to Page and View checkboxes.
- Click the Save button to update the settings.
5. I granted role permissions for a regular role on a site then exported it to a LAR file, but when I import it into a new environment with the same site, the same regular role permissions are not present. Is this intended?
This is happening because the same regular roles do not exist on the target environment. Because the Site Export/Import process is limited in handling data at the Site level, it will not be able to carry over regular roles, as regular roles exist on the Portal level.
If you would like to create a specific role that only has permissions for a site, you can create a Site Role, which can be carried over between the two environments. However, if the role that you wish to include for the site must be a regular role, it must be recreated in the new environment prior to the site import.
6. How do I remove permissions to add documents in the Documents and Media portlet?
By default, any user with the Site Member role can add a document to their respective site. This permission overrides all other Site Roles with lesser permissions. This means, even if a site role is created with permissions only to view the Control Panel Site Administration, the user can still add the document.
To remove a user's ability to add a document to a site:
- Navigate to the Control Panel → Your Site → Content → Documents and Media
- Click the 3-dot icon (top right of page) → Home Folder Permissions
- Under the Site Member, uncheck the following checkboxes:
    - Add Document
    - Add Folder
    - Add Shortcut
    - Update
- Click the Save button
At this point, the only permission allowed for Site Members is View. This can be verified by signing in with any user that has only Site Member roles assigned. The plus button is not visible. Users can still view whatever documents have been uploaded.
7. I don't want Site Members to delete documents after they have been uploaded. How can I restrict such permissions?
By default, Liferay DXP 7.0 permissions grant each user ownership over their own documents as part of their Regular role. The Regular role cannot be modified at all, not even by omni-administrators. There is no way to remove or modify all permissions for all documents in the Documents and Media Home folder. However, administrators can change the document owner's permission for just one document so that the document owner cannot delete or make changes to the document.
To Demonstrate:
- Assume there is a user with less than full administrator rights. Let's call him Joe Writer. Ensure that Joe Writer has the ability to add documents to the Documents and Media portlet. This user will always have the Owner role in the Documents and Media portlet.
- While signed in as Joe Writer, upload a document—in this case, an image called Leaving-Feast.png.
- Either sign out as Joe Writer, or open another browser, and then sign in as the administrator.
- Navigate to the Control Panel → Content → Documents and Media to the site where Joe Writer uploaded the image Leaving-Feast.png.
- Click the 3-dot icon → Permissions for Leaving-Feast.png.
- For the Owner role, uncheck the following checkboxes:
    - Delete
    - Delete Discussion
    - Permissions
    - Update
- Click the Save button.
- Close the Permissions window.
- Sign back in as Joe Writer or refresh the browser where Joe Writer is already signed in.
- Click the 3-dots icon for Leaving-Feast.png. Joe Writer no longer has the permissions to modify or delete the image but does retain the permission to download.
Although there is no ability to mass edit all the documents in the folder, the advantage is that this offers content managers more granular controls for each document.
8. How do I prevent users from being able to add JavaScript to a page in the Configure Page's Advanced menu?
By default, the ability to add JavaScript is part of the larger Manage Pages permissions that can be assigned to a Role. Beginning with DXP 7.0 Fix Pack 60 and DXP 7.1 Fix Pack 3, it is possible to disable this functionality.
- Shut down the application server.
- Install DXP 7.0 Fix Pack 60 or higher, or DXP 7.1 Fix Pack 3.
- In the portal-ext.properties file, enter the following:
    field.enable.com.liferay.portal.kernel.model.Layout.javascript=false
    field.enable.com.liferay.portal.kernel.model.LayoutSet.javascript=false
- Save the file.
- Start the application server.
At this point, the JavaScript tab does not display and this feature has been disabled.
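To confirm that both settings are really in effect in a given file, the check below (an added example, not Liferay code) parses portal-ext.properties text and reports either key that is missing or not set to false. The function names and the sample file are constructed for illustration, and it assumes an absent key leaves the JavaScript field enabled, as in the default described above.

```python
import re

# The two keys named in the steps above; both must be false.
REQUIRED_FALSE = (
    "field.enable.com.liferay.portal.kernel.model.Layout.javascript",
    "field.enable.com.liferay.portal.kernel.model.LayoutSet.javascript",
)

# key, optional '=' or ':' separator (or plain whitespace), then the value
_ENTRY = re.compile(r"((?:\\.|[^\s=:\\])+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Minimal Java .properties reader: skips '#'/'!' comments, joins
    backslash-continued lines, and lets the last duplicate key win."""
    props, logical = {}, ""
    for raw in text.splitlines() + [""]:  # trailing "" flushes a pending line
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue
        # An odd number of trailing backslashes marks a continuation.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            logical += line[:-1]
            continue
        match = _ENTRY.match(logical + line)
        if match:
            props[match.group(1)] = match.group(2).strip()
        logical = ""
    return props


def audit_javascript_fields(text):
    """Return {key: problem} for each required key that is not 'false'."""
    props = parse_properties(text)
    findings = {}
    for key in REQUIRED_FALSE:
        value = props.get(key)
        if value is None:
            # Assumption: an absent key leaves the field enabled (the default).
            findings[key] = "missing"
        elif value.lower() != "false":
            findings[key] = "set to %r, expected false" % value
    return findings


# Constructed sample: one key is re-enabled further down, one is commented out.
SAMPLE = """\
# portal-ext.properties (constructed for this example)
field.enable.com.liferay.portal.kernel.model.Layout.javascript=false
#field.enable.com.liferay.portal.kernel.model.LayoutSet.javascript=false
field.enable.com.liferay.portal.kernel.model.Layout.javascript = true
"""

if __name__ == "__main__":
    for key, problem in audit_javascript_fields(SAMPLE).items():
        print(key, "->", problem)
```

An empty result means both keys are present and false; the sample shows the two common ways the hardening silently fails, a later duplicate that overrides the earlier line and a commented-out entry.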
9. How do I prevent even Guests from viewing content on an unauthenticated site?
By default, Guests (anyone without credentials) can view even Web Content whose individual article permissions do not allow Guests to view. There are two ways to ensure that not even Guests can view Web Content. The first is to configure the Web Content Display portlet where the article is displayed (abbreviated WCD). The second is to configure the System Settings to check whether any user has the VIEW permission on an article when its content is rendered.
- Configuring the WCD Portlet:
- On the page where the Web Content is displayed, click the 3-dots icon in the Web Content Display portlet's title bar (it is just above the article title so do not confuse the two).
- Click Permissions.
- Uncheck the View checkbox for Guest.
- Click the Save button.
- Close the Permissions window.
- Sign out of the administrator account.
- Navigate to the page where the article is normally displayed.
There should be a warning message that the article is not available:
Figure 8 indicates the article is not even displayed for users as Guests. This is true even if Guest View is enabled at the article level.
Note 1: This does not mean that all articles are not retrievable; anyone with access to the JSON web services API can still view the articles.
Note 2: LPS-82999 implements a change where customers can access the WCD portlet actions through either the Single Menu or Two Ellipsis Menu. This was made available in Liferay DXP 7.0 Fix Pack 54; see Important Fix Pack Changes.
- Configuring the System Wide Settings:
What if checking the permissions for every single WCD portlet is too time consuming? There is a way for the system to check.
- Sign in as the administrator.
- Navigate to the Control Panel → Configuration → System Settings.
- On the Web Experience tab, click Web Content.
- Check the Article view permissions check enabled check box.
- Click the Update button.
The system will check whether each article has the View permission granted for Guest. If the article does not have Guest View permissions enabled, then it will not be displayed. This allows content administrators to manage each article separately but still control which articles are displayed on an unauthenticated site.
Note: For customers using Liferay DXP 7.1, this setting is enabled by default.
10. After upgrading to DXP 7.1+, guest users cannot view some web contents?
The default behavior of older Liferay versions (Portal 6.0, 6.1, 6.2 and DXP 7.0) is to not check web content "view" permissions, so by default any guest user can view all web content.
Starting with DXP 7.1, the default behavior was changed to always check "view" permissions.
After upgrading to DXP 7.1+, if you have users that cannot see some web contents anymore, you have two options:
- Option 1: Manually change web content or role permissions, granting "view" permissions as necessary.
- Option 2: Open view permissions for all web content articles by going to System Settings → Web Experience → Web Content and deselecting Article view permissions check enabled.
Please see:
11. If I do want Guests to be able to view content, what settings do I need?
In situations where guests are permitted to view assets, it is necessary to check the following levels of permissions; listed from the most general to the most specific.
- Page level
- Portlet level
- Folder level (e.g. Documents and Media and Web Content)
- Asset level
The reason is that the lowest level of granularity takes precedence in permissioning, so even if the page, the WCD portlet, and the folder all have Guest permissions enabled, Web Content articles are not displayed unless the article has also been granted Guest View. The reverse does not hold: an article with Guest View permissions is not accessible through a higher level that does not have those permissions. This means that if "Page A" does not have guest view permissions, guests will not be able to see the page, but if "Page B" does have guest view permissions, guests will be able to view content so long as that content also has guest view permissions.
Simply put, be sure to check each level of permissions if an asset is not displayed.
12. How do I restrict people from viewing other Web Content folders other than the one(s) they do have permission to view?
Creating Web Content folders allows administrators to organize web content articles into the appropriate buckets. There is an additional benefit in that sensitive or confidential content can be hidden and managed through permissions granted to different roles. In Liferay DXP, users with permissions to see one folder will see all the sub-folders. To prevent users from accessing other folders, implement the following set of permissions:
- Sign in as an administrator, then click Control Panel → Users → Roles.
- Click the plus sign to create a role. For demonstration purposes, use a Regular Role.
- Create a Regular Role whose name is Test Role 1. Once the role has been created, click the 3 dot icon → Define Permissions next to it.
- Under Control Panel → Sites, check the checkbox for View Site Administration Menu then click Save.
- Under Site Administration → Content → Web Content, check the checkboxes for:
    - Access in Site Administration
    - View under Resource Permissions → Web Content
    - View under Resource Permissions → Web Content Article
- Click Save.
- There should be only four permissions granted:
- Next, assign a user with less than administrator rights to Test Role 1. The advantage of using a Regular Role is that after clicking on Test Role 1 in the Roles page, it is easy to add assignees to the role. Click the Add Assignee button (the (+) button) to choose a user.
Now comes the key part:
- Navigate to the Control Panel → Content → Web Content.
- Regardless of which role a person has, everyone can see the Home folder and its contents.
- Create a folder called Folder 1. There is no need to create actual content.
- Next to Folder 1, click the 3 dot icon → Permissions.
- Uncheck the checkbox for Guest View. This is important because there should be no other permissions other than Owner and Test Role 1.
- Remove all other permissions as well then click Save.
- Sign out of the administrator account and then sign in with any user with Test Role 1.
- Navigate to the Control Panel → Content → Web Content again.
The user should not be able to see Folder 1. This user can see the folder again if the administrator checks the View permission for Test Role 1.
13. How do permissions rules affect assets displayed in the Asset Publisher?
In some of the previous examples, the questions discussed Web Content Articles that are usually displayed through the Web Content Display portlet. However, in some cases, the assets are displayed through the Asset Publisher portlet and users might wonder if the rules are different. As noted above, the lowest level of granularity takes precedence in permissioning. If the Asset Publisher portlet is granted Guest view permissions but the asset is not, then the asset is not displayed in the portlet. In short, the permissions rules for Web Content Display portlets also apply to Asset Publisher portlets.
Finally, one feature in the Asset Publisher portlet is that it allows administrators to change the asset's permission inside the portlet. Click the 3-dot icon inside the portlet then click Permissions. This opens the Permissions menu.
14. Can I select which assets to be made available in the Item Selector based on which user or user role?
It depends. In DXP 7.x, the ability to change permissions to view an item is found only on the Documents and Media portlet. If that item is made available to that user's assigned role (whether site or regular), then that item is always available as an option to be embedded in a WC Article or a Blog entry for that user or other users with the same role or permissions. Otherwise, there is no other way to change the permissions in the Web Content or Blogs portlets, or any other asset creating portlet.
Note that DXP and legacy Portal 6.x have always set asset permissions for user roles. DXP 7.x cannot be configured to display different assets for different users (e.g. John Smith). Otherwise the risk is in making the permissions too granular and thus very hard to manage. For example, if there are over 50,000 users in the system, it would take a long time to configure the platform so that certain users are able to see those x group of images, but not y group of images. Rather, it is easier to manage which role can see a particular asset and then assign users to that role.
Additional Information
For more information regarding roles and permissions, as well as managing sites, please see the documentation linked in the Related Articles section at the top of this page.