User interface components can easily incorporate permission checks. In this step, you'll learn how to implement them.
First, go to the init.jsp in your guestbook-web project. Add the following imports to the file:
<%@ page import="com.liferay.docs.guestbook.service.permission.GuestbookModelPermission" %>
<%@ page import="com.liferay.docs.guestbook.service.permission.GuestbookPermission" %>
<%@ page import="com.liferay.docs.guestbook.service.permission.EntryPermission" %>
<%@ page import="com.liferay.portal.kernel.util.WebKeys" %>
<%@ page import="com.liferay.portal.kernel.security.permission.ActionKeys" %>
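The first three are the permission helper classes you just created. Now it's time to implement the permission checks.
Checking Permissions in the UI
Recall that there are three areas where you want to implement access control:
- The guestbook tabs at the top of the application
- The Add Guestbook button
- The Add Entry button
First, you'll create the guestbook tabs and check permissions for them. Follow these steps: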
- Open /guestbookwebportlet/view.jsp and find the scriptlet that gets the guestbookId from the request. Just below this, add the following code:

    <aui:nav cssClass="nav-tabs">
    <%
        List<Guestbook> guestbooks = GuestbookLocalServiceUtil.getGuestbooks(scopeGroupId);

        for (int i = 0; i < guestbooks.size(); i++) {
            Guestbook curGuestbook = (Guestbook) guestbooks.get(i);
            String cssClass = StringPool.BLANK;

            if (curGuestbook.getGuestbookId() == guestbookId) {
                cssClass = "active";
            }

            if (GuestbookPermission.contains(
                    permissionChecker, curGuestbook.getGuestbookId(), "VIEW")) {
    %>
        <portlet:renderURL var="viewPageURL">
            <portlet:param name="mvcPath" value="/guestbookwebportlet/view.jsp" />
            <portlet:param name="guestbookId"
                value="<%=String.valueOf(curGuestbook.getGuestbookId())%>" />
        </portlet:renderURL>

        <aui:nav-item cssClass="<%=cssClass%>" href="<%=viewPageURL%>"
            label="<%=HtmlUtil.escape(curGuestbook.getName())%>" />
    <%
            }
        }
    %>
    </aui:nav>

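This code gets a list of guestbooks from the database, iterates over them, checks the current user's permission for each one, and adds the guestbooks the user can access to a list of tabs.
You've now implemented your first permission check. As you can see, it's relatively simple thanks to the static methods in the helper classes. The code above shows a tab only if the current user has the VIEW permission on that guestbook.
Next, you'll add a permission check to the Add Entry button.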
- Scroll down to the line that reads <aui:button-row cssClass="guestbook-buttons">. Just below this line, add the following line of code to check for the ADD_ENTRY permission:

    <c:if test='<%= GuestbookPermission.contains(permissionChecker, guestbookId, "ADD_ENTRY") %>'>

- After this is the code that creates the addEntryURL and the Add Entry button. After the aui:button tag and above the </aui:button-row> tag, add the closing tag for the <c:if> statement:

    </c:if>

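You've now implemented the permission check for the Add Entry button by using JSTL tags.
Next, you'll implement an entry_actions.jsp, very similar to the one in the Guestbook Admin portlet. This determines which options the logged-in user can see, and who can see the actions menu in the portlet. As before, you'll wrap each renderURL in an if statement that checks permissions for the available action. Follow these steps: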
- In src/main/resources/META-INF/resources/guestbookwebportlet, create a file called entry_actions.jsp.
- In this file, add the following code:

    <%@include file="../init.jsp"%>

    <%
        String mvcPath = ParamUtil.getString(request, "mvcPath");

        ResultRow row = (ResultRow)request.getAttribute(WebKeys.SEARCH_CONTAINER_RESULT_ROW);

        Entry entry = (Entry)row.getObject();
    %>

    <liferay-ui:icon-menu>

        <portlet:renderURL var="viewEntryURL">
            <portlet:param name="entryId"
                value="<%= String.valueOf(entry.getEntryId()) %>" />
            <portlet:param name="mvcPath"
                value="/guestbookwebportlet/view_entry.jsp" />
        </portlet:renderURL>

        <liferay-ui:icon message="View" url="<%= viewEntryURL.toString() %>" />

        <c:if test="<%= EntryPermission.contains(permissionChecker, entry.getEntryId(), ActionKeys.UPDATE) %>">
            <portlet:renderURL var="editURL">
                <portlet:param name="entryId"
                    value="<%= String.valueOf(entry.getEntryId()) %>" />
                <portlet:param name="mvcPath"
                    value="/guestbookwebportlet/edit_entry.jsp" />
            </portlet:renderURL>

            <liferay-ui:icon image="edit" message="Edit"
                url="<%=editURL.toString() %>" />
        </c:if>

        <c:if test="<%=EntryPermission.contains(permissionChecker, entry.getEntryId(), ActionKeys.PERMISSIONS) %>">
            <liferay-security:permissionsURL
                modelResource="<%= Entry.class.getName() %>"
                modelResourceDescription="<%= entry.getMessage() %>"
                resourcePrimKey="<%= String.valueOf(entry.getEntryId()) %>"
                var="permissionsURL" />

            <liferay-ui:icon image="permissions" url="<%= permissionsURL %>" />
        </c:if>

        <c:if test="<%=EntryPermission.contains(permissionChecker, entry.getEntryId(), ActionKeys.DELETE) %>">
            <portlet:actionURL name="deleteEntry" var="deleteURL">
                <portlet:param name="entryId"
                    value="<%= String.valueOf(entry.getEntryId()) %>" />
                <portlet:param name="guestbookId"
                    value="<%= String.valueOf(entry.getGuestbookId()) %>" />
            </portlet:actionURL>

            <liferay-ui:icon-delete url="<%=deleteURL.toString() %>" />
        </c:if>

    </liferay-ui:icon-menu>

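This code defines several action buttons for viewing, updating, setting permissions on, and deleting an entity. Each button is protected by a permission check. If the current user can't perform a given action, the action isn't displayed.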
- Finally, in view.jsp, you must add the entry_actions.jsp as the last column in the Search Container. Find the line defining the Search Container row. It looks like this:

    <liferay-ui:search-container-row className="com.liferay.docs.guestbook.model.Entry" modelVar="entry">

  Below that line are two columns. After the second column, add a third:

    <liferay-ui:search-container-column-jsp path="/guestbookwebportlet/entry_actions.jsp" align="right" />

- Save all JSP files.
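You've now implemented all the permission checks for the Guestbook portlet.
When testing the application, remember that guestbook entries that have no Resource won't work with permissions. Add guestbooks and entries as different users to test the application. An administrative user sees all the buttons, a regular user sees the Add Entry button, and a guest sees no buttons at all (but can still navigate).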
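
A JSP permission check only decides what is rendered; the deleteEntry action can still be requested by a user whose menu never showed Delete, so the handler has to repeat the same check. The following is an added example, not part of the tutorial's code: PermissionChecker, contains and deleteEntry here are simplified plain-Java stand-ins (assumptions) that model the entry_actions.jsp logic and a server-side re-check, with constructed sample data.

```java
import java.util.*;

// Added illustration: stand-ins for Liferay types, not the tutorial's own classes.
public class UiCheckVsEnforcement {

    // Stand-in for Liferay's PermissionChecker: the action keys a user holds on entries.
    record PermissionChecker(String user, Set<String> entryActions) {}

    // Same call shape as the page's EntryPermission.contains(permissionChecker, entryId, actionId).
    static boolean contains(PermissionChecker pc, long entryId, String actionId) {
        return pc.entryActions().contains(actionId);
    }

    // What entry_actions.jsp computes: View is rendered unconditionally,
    // the other icons only when the matching permission check passes.
    static List<String> visibleActions(PermissionChecker pc, long entryId) {
        List<String> shown = new ArrayList<>(List.of("View"));
        if (contains(pc, entryId, "UPDATE")) shown.add("Edit");
        if (contains(pc, entryId, "PERMISSIONS")) shown.add("Permissions");
        if (contains(pc, entryId, "DELETE")) shown.add("Delete");
        return shown;
    }

    // Hypothetical handler behind the deleteEntry action URL: it repeats the
    // DELETE check instead of trusting that the icon was hidden in the UI.
    static boolean deleteEntry(PermissionChecker pc, long entryId, Map<Long, String> entries) {
        if (!contains(pc, entryId, "DELETE")) {
            return false; // refused: caller lacks DELETE, whatever the UI showed
        }
        return entries.remove(entryId) != null;
    }

    public static void main(String[] args) {
        // Constructed sample data: one entry and two users.
        Map<Long, String> entries = new HashMap<>(Map.of(42L, "Hello"));
        PermissionChecker admin =
            new PermissionChecker("admin", Set.of("UPDATE", "PERMISSIONS", "DELETE"));
        PermissionChecker guest = new PermissionChecker("guest", Set.of());

        System.out.println("guest menu:   " + visibleActions(guest, 42L));
        System.out.println("admin menu:   " + visibleActions(admin, 42L));
        System.out.println("guest delete: " + deleteEntry(guest, 42L, entries));
        System.out.println("admin delete: " + deleteEntry(admin, 42L, entries));
    }
}
```

When testing with different users as described above, also confirm that the action behind each hidden button is refused, not just that the button is absent.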