Liferay 7.1.2: I can't modify the default permissions for the role User

RE: Liferay 7.1.2: I can't modify the default permissions for the role User

2019-05-14T11:50:56Z

Thanks, now I understand.

Yes, this was fixed in 7.1.3 CE GA4.

RE: Liferay 7.1.2: I can't modify the default permissions for the role User

2019-05-14T11:03:00Z

Hi Tomas:
I think the bug is in the class:

com.liferay.portal.service.impl.ResourcePermissionLocalServiceImpl

Method:

hasScopeResourcePermission

The method is looking for a ResourcePermission list without taking into account the roleId. It retrieves several rows from database related with N roles and if one of them has the permission to "true", always returns "true" no care about the role that you are updating....

public boolean hasScopeResourcePermission(
            long companyId, String name, int scope, long roleId,
            String actionId)
        throws PortalException {

        ResourceAction resourceAction =
            resourceActionLocalService.getResourceAction(name, actionId);

[color=#ff0000]        [b]List<resourcepermission> resourcePermissions =
            resourcePermissionPersistence.findByC_N_S(companyId, name, scope);[/b][/color]

        for (ResourcePermission resourcePermission : resourcePermissions) {
            if (resourcePermission.hasAction(resourceAction)) {
                return true;
            }
        }

        return false;
    }</resourcepermission>

I have checked that this code has been updated in github:

https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/service/impl/ResourcePermissionLocalServiceImpl.java

public boolean hasScopeResourcePermission(
    long companyId, String name, int scope, long roleId,
    String actionId)
    throws PortalException {

    ResourceAction resourceAction =
        resourceActionLocalService.getResourceAction(name, actionId);

[color=#006400][b]    List<resourcepermission> resourcePermissions =
        resourcePermissionPersistence.findByC_N_S_R(
            companyId, name, scope, roleId);[/b][/color]

    for (ResourcePermission resourcePermission : resourcePermissions) {
        if (resourcePermission.hasAction(resourceAction)) {
            return true;
        }
    }

    return false;
}</resourcepermission>

I don't know if it is included in the new versión 7.1.3 GA4... I'll deploy it this week.

Thanks,
Santiago

RE: Liferay 7.1.2: I can't modify the default permissions for the role User

2019-05-13T15:38:28Z

Hi Tomas:
Please, find attached the result file for the SQL.

Let me explain a little more aboute the problem I found.
As Administrator I try to change permissions for the "User" role. For instance, the permissions by default for "Website administration -> Applications -> Documents and Media" and resource "com.liferay.document.library.kernel.model.DLFolder" are shown in image 1.

I change the permissions just to "VIEW" and "ACCESS" (image 2). The database is updated and the field "ResourcePermissions.actionIds" with scope 1 has value 257 (VIEW = 1 + ACCESS = 256), but when the webpage is refreshed all the permissions are checked again (and the value in database remains 257!!!).

Where is it loading that checked permissions for the role User?? It seems like someway the permissions in database are overwritten with other permissions.... from where???

In addition, when the user logs in the web, the "permissionChecker" gets the permissions shown in image 1, not those in the database.

Thanks in advance!
Santiago

RE: Liferay 7.1.2: I can't modify the default permissions for the role User

2019-05-13T13:33:28Z

If you have MySQL this should return the important info:

SELECT 
  r.name roleName, 
  g.name groupName, 
  rp.*, 
  (SELECT group_concat(ra.actionId) from ResourceAction ra where ra.name = rp.name and ra.bitwiseValue &amp; rp.actionIds &gt; 0) actions
FROM ResourcePermission rp
  INNER JOIN Role_ r on r.roleId = rp.roleId
  LEFT JOIN Group_ g on g.groupId = rp.primKey

WHERE rp.name = 'com.liferay.document.library';

RE: Liferay 7.1.2: I can't modify the default permissions for the role User

2019-05-13T13:04:08Z

Hi Santiago,

By default, the role "User" has configured permissions for the "Documents and Multimedia" application, for instance: "Add a subfolder", "Add a document", "Update a document" and so on.

The default permissions are defined on Site Memeber role, not User role.
7.0.6: https://github.com/liferay/liferay-portal/blob/7.0.6-ga7/portal-impl/src/resource-actions/documentlibrary.xml#L27-L33
7.1.2: https://github.com/liferay/liferay-portal/blob/7.1.2-ga3/portal-impl/src/resource-actions/documentlibrary.xml#L27-L33

I'm guessing this comes from upgrade, probably something that was assigned directly to the User role.

Can you show content of ResourcePermission table where name = 'com.liferay.document.library'?

Thanks.

Liferay 7.1.2: I can't modify the default permissions for the role User

2019-05-10T11:53:01Z

Hi everyone:
I'm working with the version 7.1.2 CE upgraded from 7.0.6 CE.

By default, the role "User" has configured permissions for the "Documents and Multimedia" application, for instance: "Add a subfolder", "Add a document", "Update a document" and so on.

I don't want users to be able to upload/update/delete documents, so when I uncheck the appropiate permissions and save them the system displays a successfull message, but the permissions haven't be updated. Nothing has changed.

No errors are throwed in the log files...

Isn't it possible to change the default permissions for the role "User"? Is it a bug?

Thanks,
Santiago