Implementing Permissions
Step 4 of 4
User interface components can be wrapped in permission checks pretty easily. In this step, you’ll learn how.
First go to the init.jsp in your guestbook-web project. Add the following imports to the file:
<%@ page import="com.liferay.docs.guestbook.service.permission.GuestbookModelPermission" %>
<%@ page import="com.liferay.docs.guestbook.service.permission.GuestbookPermission" %>
<%@ page import="com.liferay.docs.guestbook.service.permission.EntryPermission" %>
<%@ page import="com.liferay.portal.kernel.util.WebKeys" %>
<%@ page import="com.liferay.portal.kernel.security.permission.ActionKeys" %>
The first three are the permissions helper classes you just created. Now it’s time to implement permission checks.
Checking Permissions in the UI
Recall that you want to restrict access to three areas in your application:
- The guestbook tabs across the top of your application
- The Add Guestbook button
- The Add Entry button
First, you’ll create the guestbook tabs and check permissions for them. Follow these steps to do so:
- Open /guestbookwebportlet/view.jsp and find the scriptlet that gets the guestbookId from the request. Just below this, add the following code:

      <aui:nav cssClass="nav-tabs">

          <%
          List<Guestbook> guestbooks = GuestbookLocalServiceUtil.getGuestbooks(scopeGroupId);

          for (int i = 0; i < guestbooks.size(); i++) {
              Guestbook curGuestbook = (Guestbook) guestbooks.get(i);
              String cssClass = StringPool.BLANK;

              if (curGuestbook.getGuestbookId() == guestbookId) {
                  cssClass = "active";
              }

              if (GuestbookPermission.contains(
                      permissionChecker, curGuestbook.getGuestbookId(), "VIEW")) {
          %>

          <portlet:renderURL var="viewPageURL">
              <portlet:param name="mvcPath" value="/guestbookwebportlet/view.jsp" />
              <portlet:param name="guestbookId"
                  value="<%=String.valueOf(curGuestbook.getGuestbookId())%>" />
          </portlet:renderURL>

          <aui:nav-item cssClass="<%=cssClass%>" href="<%=viewPageURL%>"
              label="<%=HtmlUtil.escape(curGuestbook.getName())%>" />

          <%
              }
          }
          %>

      </aui:nav>

  This code gets a list of guestbooks from the database, iterates through them, checks the permission for each against the current user’s roles, and adds the guestbooks the user can access to a list of tabs.

  You’ve now implemented your first permission check. As you can see, it’s relatively straightforward thanks to the static methods in your helper classes. The code above shows the tab only if the current user has the VIEW permission for the guestbook.

  Next, you’ll add permission checks to the Add Entry button.
- Scroll down to the line that reads <aui:button-row cssClass="guestbook-buttons">. Just below this line, add the following line of code to check for the ADD_ENTRY permission:

      <c:if test='<%= GuestbookPermission.contains(permissionChecker, guestbookId, "ADD_ENTRY") %>'>

- After this is the code that creates the addEntryURL and the Add Entry button. After the aui:button tag and above the </aui:button-row> tag, add the closing tag for the <c:if> statement:

      </c:if>
You’ve now implemented your permission check for the Add Entry button by using JSTL tags.
Next, you’ll implement an entry_actions.jsp that’s much like the one in the Guestbook Admin portlet. This will determine what options appear for logged-in users who can see the actions menu in the portlet. Just like before, you’ll wrap each renderURL in an if statement that checks the permissions against available actions. To do this, follow these steps:
- In src/main/resources/META-INF/resources/guestbookwebportlet, create a file called entry_actions.jsp.

- In this file, add the following code:

      <%@include file="../init.jsp"%>

      <%
      String mvcPath = ParamUtil.getString(request, "mvcPath");

      ResultRow row = (ResultRow)request.getAttribute(WebKeys.SEARCH_CONTAINER_RESULT_ROW);

      Entry entry = (Entry)row.getObject();
      %>

      <liferay-ui:icon-menu>

          <portlet:renderURL var="viewEntryURL">
              <portlet:param name="entryId"
                  value="<%= String.valueOf(entry.getEntryId()) %>" />
              <portlet:param name="mvcPath"
                  value="/guestbookwebportlet/view_entry.jsp" />
          </portlet:renderURL>

          <liferay-ui:icon message="View" url="<%= viewEntryURL.toString() %>" />

          <c:if test="<%= EntryPermission.contains(permissionChecker, entry.getEntryId(), ActionKeys.UPDATE) %>">
              <portlet:renderURL var="editURL">
                  <portlet:param name="entryId"
                      value="<%= String.valueOf(entry.getEntryId()) %>" />
                  <portlet:param name="mvcPath"
                      value="/guestbookwebportlet/edit_entry.jsp" />
              </portlet:renderURL>

              <liferay-ui:icon image="edit" message="Edit"
                  url="<%=editURL.toString() %>" />
          </c:if>

          <c:if test="<%=EntryPermission.contains(permissionChecker, entry.getEntryId(), ActionKeys.PERMISSIONS) %>">
              <liferay-security:permissionsURL
                  modelResource="<%= Entry.class.getName() %>"
                  modelResourceDescription="<%= entry.getMessage() %>"
                  resourcePrimKey="<%= String.valueOf(entry.getEntryId()) %>"
                  var="permissionsURL" />

              <liferay-ui:icon image="permissions" url="<%= permissionsURL %>" />
          </c:if>

          <c:if test="<%=EntryPermission.contains(permissionChecker, entry.getEntryId(), ActionKeys.DELETE) %>">
              <portlet:actionURL name="deleteEntry" var="deleteURL">
                  <portlet:param name="entryId"
                      value="<%= String.valueOf(entry.getEntryId()) %>" />
                  <portlet:param name="guestbookId"
                      value="<%= String.valueOf(entry.getGuestbookId()) %>" />
              </portlet:actionURL>

              <liferay-ui:icon-delete url="<%=deleteURL.toString() %>" />
          </c:if>

      </liferay-ui:icon-menu>

  This code defines several action buttons for viewing, updating, setting permissions on, and deleting entities. Each button is protected by a permissions check. If the current user can’t perform the given action, the action doesn’t appear.
- Finally, in view.jsp, you must add the entry_actions.jsp as the last column in the Search Container. Find the line defining the Search Container row. It looks like this:

      <liferay-ui:search-container-row className="com.liferay.docs.guestbook.model.Entry" modelVar="entry">

  Below that line are two columns. After the second column, add a third:

      <liferay-ui:search-container-column-jsp path="/guestbookwebportlet/entry_actions.jsp" align="right" />

- Save all JSP files.
Excellent! You’ve now implemented all the permissions checks for the Guestbook portlet.
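The JSP checks above control which links are rendered; the deleteEntry action still has to authorize each request when it arrives at the portlet. The following is an added example, not code from the tutorial's project: the class EntryActionGuard, its method name and its package are hypothetical, and it assumes EntryPermission.contains can be called from Java with the same arguments the JSP uses and may throw PortalException.

```java
// Added example (not part of the tutorial project): a server-side guard
// that repeats the permission check the JSP performs before rendering a link.
package com.liferay.docs.guestbook.portlet; // assumed package name

import com.liferay.docs.guestbook.service.permission.EntryPermission;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.security.auth.PrincipalException;
import com.liferay.portal.kernel.security.permission.PermissionChecker;
import com.liferay.portal.kernel.theme.ThemeDisplay;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.WebKeys;

import javax.portlet.PortletRequest;

public final class EntryActionGuard { // hypothetical helper class

    private EntryActionGuard() {
    }

    /**
     * Reads entryId from the request and verifies that the current user
     * holds actionId on that entry. Returns the entryId on success and
     * throws PrincipalException otherwise, so the caller never reaches
     * its update or delete logic for an unauthorized request.
     */
    public static long requireEntryPermission(
            PortletRequest request, String actionId)
        throws PortalException {

        ThemeDisplay themeDisplay =
            (ThemeDisplay)request.getAttribute(WebKeys.THEME_DISPLAY);
        PermissionChecker permissionChecker =
            themeDisplay.getPermissionChecker();

        // Same parameter name the JSP puts on the deleteEntry action URL.
        long entryId = ParamUtil.getLong(request, "entryId");

        if (entryId <= 0 ||
            !EntryPermission.contains(permissionChecker, entryId, actionId)) {
            throw new PrincipalException(
                "User lacks " + actionId + " on entry " + entryId);
        }

        return entryId;
    }

    // Usage inside the portlet's deleteEntry action method, before any delete:
    //   long entryId = EntryActionGuard.requireEntryPermission(
    //       request, ActionKeys.DELETE);
}
```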
When testing the application, remember that any guestbook entries you created without resources won’t work with permissions. Add new guestbooks and entries to test your application with different users. Administrative users see all the buttons, regular users see the Add Entry button, and guests see no buttons at all (but can navigate).
Now see if you can do the same for the Guestbook Admin portlet. Don’t worry if you can’t: at the end of this Learning Path is a link to the completed project for you to examine.
Great! You’re all done with permissions. The next step is to integrate search and indexing into your application. This is a prerequisite for the much more powerful stuff to come.