WidgetPart and LayerPart authorization checks do not supply contentitem


... Which means we can't check the contentitems themselves when implementing an AuthorizationEventHandler.


Piedone wrote Jul 11, 2013 at 10:10 PM

In WidgetFilter there is a check for permissions (ln 101) for widgets. Layers are really not authorized but you could use layer rules instead.

hkui wrote Jul 12, 2013 at 8:11 AM

This does not work for the admin.

We want to be able to configure layer "management access" for certain roles. So role A can only edit layer "Default", while other roles can only edit layer "Authorized". Or something. Well, this is a bad example, but our usecase is very specific.

However, your example is very nice for the client side. Haven't thought about that yet. :) Thanks!

hkui wrote Jul 12, 2013 at 8:14 AM

Can I ask by the way, what is the purpose of CurrentContentHandler?
It sets some stuff in the WorkContext, but what is it needed for? I don't see you use it in the RoleRuleProvider.

Piedone wrote Jul 12, 2013 at 12:08 PM

FYI that module was not created by me and what I've linked is my fork. I linked the fork only because it's updated to work with VS 2012 but I haven't taken time to review the module.

You're right that this only solves layer authorization for the frontend, so layer editor authorization should still happen.