Making possible to edit content within the Edit Page, regardless of the portlets you have assigned. #26447

merged 7 commits into from Oct 26, 2023
@@ -7,18 +7,25 @@
import com.dotcms.mock.request.MockHttpRequestIntegrationTest;
import com.dotcms.mock.request.MockParameterRequest;
import com.dotcms.util.IntegrationTestInitService;
import com.dotmarketing.beans.Host;
import com.dotmarketing.business.ajax.RoleAjax;
import com.dotmarketing.exception.DotDataException;
import com.dotmarketing.exception.DotSecurityException;
import com.dotmarketing.util.UUIDGenerator;
import com.dotmarketing.util.UtilMethods;
import com.google.common.collect.ImmutableMap;
import com.liferay.portal.PortalException;
import com.liferay.portal.SystemException;
import com.liferay.portal.model.User;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;

import org.junit.Assert;
@@ -143,6 +150,52 @@ public void test_doesUserHaveAccessToPortlet() throws DotDataException {

}

/**
* Method to test: {@link LayoutAPI#doesUserHaveAccessToPortlet(String, User)}
* Given Scenario: You should be able to edit content within the Edit Page, regardless of the portlets you have assigned.
* ExpectedResult: If the user has. edit permissions, they should be given access to the portlet.
*
*/
@Test
public void test_doesUserHaveAccessToPortlet_editPagePortletShouldBeAccessedIfValidPermission() throws DotDataException, DotSecurityException, SystemException, PortalException {
final RoleAPI roleAPI = APILocator.getRoleAPI();
//limited user
final User newUser = new UserDataGen().roles(TestUserUtils.getBackendRole()).nextPersisted();
final User systemUser = APILocator.systemUser();

//create a host
Host host = new Host();
host.setHostname("testHost"+System.currentTimeMillis());
host = APILocator.getHostAPI().save(host, systemUser, false);

//create a role
final String roleName = "testRole"+System.currentTimeMillis();
Role nrole = new Role();
nrole.setName(roleName);
nrole.setRoleKey(roleName);
nrole.setEditUsers(true);
nrole.setEditPermissions(true);
nrole.setEditLayouts(true);
nrole.setDescription(roleName);
nrole = APILocator.getRoleAPI().save(nrole);

//validate that user does not have access to the portlet until the permissions are assigned
assertFalse("The user should not have access to the portlet" , layoutAPI.doesUserHaveAccessToPortlet("edit-page", newUser));

//assign the role to the user
roleAPI.addRoleToUser(nrole, newUser);

//assign the permissions to the role
Map<String,String> permList=new HashMap<>();
permList.put("pages", Integer.toString(PermissionAPI.PERMISSION_READ | PermissionAPI.PERMISSION_EDIT));
permList.put("content", Integer.toString(PermissionAPI.PERMISSION_READ | PermissionAPI.PERMISSION_EDIT));
RoleAjax roleAjax = new RoleAjax();
roleAjax.saveRolePermission(nrole.getId(), host.getIdentifier(), permList, false);

//validate that user does have access to the portlet
assertTrue("The user should have access to the portlet", layoutAPI.doesUserHaveAccessToPortlet("edit-page", newUser));
}

/**
* Method to test: {@link LayoutAPI#findGettingStartedLayout()}
* Given Scenario: Try to get the Getting Started Layout, if exists remove it. And call the
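Review bot: The new test covers only the grant path with `PERMISSION_READ | PERMISSION_EDIT`, which is the one combined value that `editPagePortletAccess` compares against literally (`== 3`), so it can catch neither an over-grant nor a mask the check misses. Add a negative case in which the role is saved with `permList.put("pages", Integer.toString(PermissionAPI.PERMISSION_READ));` only and `assertFalse` confirms that `edit-page` stays denied, plus a positive case with a wider mask that still contains the edit bit. The host, role and user created here are never removed, and both names are derived from `System.currentTimeMillis()`, so repeated runs leave permission-bearing fixtures behind. The Javadoc also has a stray period in "has. edit permissions".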
44 changes: 34 additions & 10 deletions dotCMS/src/main/java/com/dotmarketing/business/LayoutAPIImpl.java
@@ -4,14 +4,12 @@
package com.dotmarketing.business;

import com.dotcms.util.CollectionsUtils;
import com.dotmarketing.beans.Permission;
import com.dotmarketing.portlets.contentlet.model.Contentlet;
import com.dotmarketing.portlets.htmlpageasset.model.IHTMLPage;
import com.dotmarketing.util.Logger;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;

import java.util.*;

import javax.servlet.http.HttpServletRequest;
import com.dotcms.api.system.event.Payload;
@@ -171,14 +169,40 @@ public int compare(Layout l1, Layout l2) {
return layouts;
}

/* this method is used to check if the user has access to edit the page portlet
* all the users should have access to Edit Page, regardless of the assigned portlets.
*/
private boolean editPagePortletAccess(final User user) throws DotDataException {
final RoleAPI roleAPI = APILocator.getRoleAPI();
//verify the roles of the user
final List<Role> foundRoles = roleAPI.loadRolesForUser( user.getUserId(), false );
final PermissionAPI permAPI = APILocator.getPermissionAPI();

for (final Role role: foundRoles){
//get the permissions for the role
final List<Permission> perms = permAPI.getPermissionsByRole(role, true, true);
//determine if the user can edit the page
for(final Permission perm : perms){
if((perm.getType().equals(IHTMLPage.class.getCanonicalName()) || perm.getType().equals(Contentlet.class.getCanonicalName()))
&& (perm.getPermission() == PermissionAPI.PERMISSION_EDIT || perm.getPermission() == 3)){
AndreyDotcms marked this conversation as resolved.
return true;
}
}
}
return APILocator.getRoleAPI().doesUserHaveRole(user, APILocator.getRoleAPI().loadCMSAdminRole());
}

@Override
public boolean doesUserHaveAccessToPortlet(final String portletId, final User user) throws DotDataException {
if(portletId==null || user==null || !user.isBackendUser()) {
return false;
}
if(portletId==null || user==null || !user.isBackendUser()) {
return false;
}
if(loadLayoutsForUser(user).stream(). anyMatch(layout -> layout.getPortletIds().contains(portletId))){
return true;
}
if(portletId.equals("edit-page") ){
AndreyDotcms marked this conversation as resolved.
return editPagePortletAccess(user);
}
return APILocator.getRoleAPI().doesUserHaveRole(user, APILocator.getRoleAPI().loadCMSAdminRole());
}

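Review bot: The permission test in `editPagePortletAccess` compares the mask by equality (`== PermissionAPI.PERMISSION_EDIT || == 3`), so if permissions are stored as combined masks, as the `3` case suggests, a role whose grant carries any further bit alongside edit is refused. The literal `3` is presumably `PERMISSION_READ | PERMISSION_EDIT` written as a magic number. Test the bit instead: `&& (perm.getPermission() & PermissionAPI.PERMISSION_EDIT) != 0`. Separately, the loop returns true for an edit permission on any page or contentlet entry the role holds, with no tie to the site or page being opened. The method comment should state that this is a portlet-visibility decision only, and that object-level permission checks must still be enforced where the page or content is actually saved. `perm.getType()` is also dereferenced without a null check; `IHTMLPage.class.getCanonicalName().equals(perm.getType())` avoids an NPE on a permission row without a type.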