1
Vote

WidgetPart and LayerPart authorization checks do not supply contentitem

description

... Which means we can't check the contentitems themselves when implementing an AuthorizationEventHandler.

comments

Piedone wrote Jul 11, 2013 at 10:10 PM

In WidgetFilter there is a check for permissions (ln 101) for widgets. Layers are really not authorized but you could use layer rules instead.

hkui wrote Jul 12, 2013 at 8:11 AM

This does not work for the admin.

We want to be able to configure layer "management access" for certain roles. So role A can only edit layer "Default", while other roles can only edit layer "Authorized". Or something. Well, this is a bad example, but our usecase is very specific.

However, your example is very nice for the client side. Haven't thought about that yet. :) Thanks!

hkui wrote Jul 12, 2013 at 8:14 AM

Can I ask by the way, what is the purpose of CurrentContentHandler?
It sets some stuff in the WorkContext, but what is it needed for? I don't see you use it in the RoleRuleProvider.

Piedone wrote Jul 12, 2013 at 12:08 PM

FYI that module was not created by me and what I've linked is my fork. I linked the fork only because it's updated to work with VS 2012 but I haven't taken time to review the module.

You're right that this only solves layer authorization for the frontend, so layer editor authorization should still happen.