Friday, February 22, 2013

Liferay Permission System Detailed Concept


Define Permission System Detailed Concept

In Liferay we have a permission system through which we can define permissions for a role.
We already know how to define permissions from the Admin screens in Liferay.
Two tables are involved in the permission system:
1.      Resource Action table
2.      Resource Permissions table

Resource Action table:
 In this table we maintain the actions for each resource. Actions are divided into two types:
1.      Portlet Resource
2.      Model Resource
Portlet Resource:
Portlet resource actions are the permissions defined for the portlet itself, such as VIEW, EDIT, CONFIGURATION and ADD TO PAGE.
Example entries for Portlet Resource.


In the name column we can see the portletId, and alongside it the relevant actions for the portlet. This is how portlet resource actions are defined in the table.
Model Resource:
Model resource actions cover functionality inside the portlet: if we want to control some functionality in the portlet, we define actions for a model resource.
Example:
If we take the Organization portlet, we have different actions such as MANAGE TEAMS and MANAGE USERS. If the portlet has any functionality inside it, we need to define actions for a model resource.


Note:
Here the model resource name is the model's Java class name. That is why the model resource name for organization is com.liferay.portal.model.Organization.
How the permission system works:
Liferay 6.x introduced an algorithm called Advanced Permission Algorithm 6.
When we use this algorithm, the entire functionality uses only two tables: Resource Action and Resource Permission.

This permission system works on the bitwise OR operator and bitwise values.
If we observe the Resource Action table, we can find a bitwiseValue column for each action.
The permission system works from the bitwise value assigned to each action.
Example:
Every resource, whether a model resource or a portlet resource, has its own actionIds.
Example:
Assume the Organization model resource, called com.liferay.portal.model.Organization.
We have different actions like MANAGE_USERS, MANAGE_TEAMS etc.
Each bitwise value is a power of 2:
APPROVE_PROPOSAL = 2
ASSIGN_MEMBERS = 4
ASSIGN_REVIEWER = 8
ASSIGN_USER_ROLES = 16
If we add a new action, its value is the next power of 2.
When we give a role permissions on the organization, we have to calculate the total bitwise value.
So setting permissions is simply a matter of ORing all the action masks together.

i.e.

permissions = VIEW | ADD_MESSAGE | SUBSCRIBE;


For all you Java programmers not up to speed with low-level bitwise operations: | is bitwise OR and & is bitwise AND.

Checking for VIEW permission is as simple as
if ((permissions & 1) == 1) {
      // has permission
 }


Checking for any permission is simply

if ((permissions & ACTION) == ACTION) {
      // has permission
 }

Example:
Take one portlet, MyPortlet. I want to give the ADD TO PAGE, VIEW and CONFIGURATION permissions for this portlet to a particular role.
Then apply the bitwise operator like this:
VIEW           = 1
CONFIGURATION  = 4
ADD TO PAGE    = 2

1  =  001
2  =  010
4  =  100
OR =  111  =  7
To get ADD TO PAGE, VIEW and CONFIGURATION, the role should have the value 7; then it gets all three permissions.

Where do we store all these details?
We have one table called Resource Permissions, where we store all this information.

Here all the permissions are stored with respect to a role. If we observe the last column, actionIds, the total bitwise value is stored there.
In the above example we would store the value 7.
Let us look at each column in the Resource Permissions table.
resourcePermissionId: this is just a primary key.
companyId: this represents the Liferay instance for which we are defining permissions.
name: this is the same as the name column we already saw in the Resource Action table. It represents whether this is a model resource or a portlet resource.
primKey: this is a very important value; it varies based on whether the entry is for a model resource or a portlet resource.
scope: this represents how far the permission applies, i.e. to an organization, a community or an individual resource.
PRIMKEY_DNE = -1;
SCOPE_INDIVIDUAL = 4;
SCOPE_GROUP = 2;
SCOPE_GROUP_TEMPLATE / ORGANIZATION = 3;
SCOPE_COMPANY = 1;
actionIds:
 This is the total bitwise value of all actions that are assigned to the role on the resource.
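The bitwise check and the Resource Permissions columns described above can be combined to audit what a stored actionIds value really grants. The following is an added example, not Liferay's own code: the rows, role ids and primKey values are constructed, and the roleId column and the function names are assumptions made for illustration.

```python
# Constructed sample rows, not taken from a real Liferay database.
# ResourceAction: (name, actionId, bitwiseValue)
RESOURCE_ACTIONS = [("MyPortlet", "VIEW", 1), ("MyPortlet", "ADD_TO_PAGE", 2),
                    ("MyPortlet", "CONFIGURATION", 4)]
# ResourcePermission: (roleId, name, scope, primKey, actionIds)
RESOURCE_PERMISSIONS = [
    (101, "MyPortlet", 1, "10154", 7),
    (102, "MyPortlet", 4, "10180_LAYOUT_MyPortlet", 1),
    (103, "MyPortlet", 4, "10180_LAYOUT_MyPortlet", 9),
]
SCOPE_COMPANY = 1  # scope values as listed on this page

def build_masks(actions):
    """Map resource name -> {actionId: bit}; reject values that are not one unique bit."""
    masks = {}
    for name, action_id, bit in actions:
        per_resource = masks.setdefault(name, {})
        if bit <= 0 or bit & (bit - 1) or bit in per_resource.values():
            raise ValueError(f"{name}.{action_id}: {bit} is not a unique single bit")
        per_resource[action_id] = bit
    return masks

def has_permission(masks, name, action_ids, action_id):
    """Same test as the page: (permissions & ACTION) == ACTION."""
    bit = masks[name][action_id]
    return (action_ids & bit) == bit

def decode(masks, name, action_ids):
    """Return (sorted granted actionIds, bits set that no ResourceAction row defines)."""
    known = masks.get(name, {})
    granted = sorted(a for a in known if has_permission(masks, name, action_ids, a))
    defined = 0
    for bit in known.values():
        defined |= bit
    return granted, action_ids & ~defined

def audit(masks, rows):
    """Flag rows with undefined bits or with every action granted at company scope."""
    findings = []
    for role_id, name, scope, _prim_key, action_ids in rows:
        granted, leftover = decode(masks, name, action_ids)
        if leftover:
            findings.append((role_id, name, f"undefined bits {leftover}"))
        if scope == SCOPE_COMPANY and granted and len(granted) == len(masks[name]):
            findings.append((role_id, name, "all actions granted company-wide"))
    return findings
```

Undefined bits matter because they start granting an action as soon as a new action is registered with that bit value.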
How does primKey change from resource to resource?

CASE 1: When we set permissions on a layout:
For example, if we set a permission on a page so that this role can view the page, the entry looks like this:



Observe the primKey value above. When we set a permission on the page, the primKey value is the plid.
CASE 2: When we set a permission on a portlet that is on a particular page.

Observe the primKey: it is a combination string
plid_LAYOUT_PortletId
56 is the portlet name of the Web Content Display portlet. It is an instanceable portlet, which is why the portlet id contains _INSTANCE_aec and so on.
Here the scope is individual, meaning we are setting the permission for the Web Content Display portlet on one particular page.
CASE 3: Setting permissions on the portlet functionality, in other words on a model resource.
For example, take the Organization portlet, which has many activities such as manage users, manage teams and manage pages.


Observe the primKey: it is 0. When we apply permissions to a model resource, primKey becomes 0.
The total bitwise value for all actions is 65535.
Here scope 3 means organization level.
Important points:
When we define any permission through Define Permissions,
the following are the entries:
Regular Role:
PrimKey=CompanyId,
Scope=1
Organization Role:
PrimKey=0
Scope=3
When we set permissions for individual portlets or articles:
Regular Role:
PrimKey=layout_portletID
Scope=4
Organization Role:
PrimKey=layout_portletID
Scope=4
Journal articles
Regular Role/Organization Role:
PrimKey=Article Resource key (available in journalarticleresource table)
Scope=4
Setting permissions for layouts/pages:
Regular Role:
PrimKey= plid
Scope=4
Organization Role:
PrimKey=plid
Scope=4




For the concept behind the bitwise permission system, go through the following link.
For implementing a custom permission system for our own portlets, go through the following link.
