Restrict Access in Menu of SiteMap


andrea

Nov 5, 2010, 11:49:52 AM
to Lift
Hi All!!

I have a menu which shows different options based on the permissions
of a specific profile. The moment a user enters, the options are
displayed correctly, but if I type by hand a URL (in the browser) that
the current user cannot access, the user can enter the application
anyway. I thought that it could be restricted with the LocParams If
option, but it is currently broken. Any suggestions please?

This is my code:

The menu:


val menuComprobanteList =
  Menu(Loc("ComprobanteList",
           List("oper", "comprobante", "list"),
           "Mantenimiento"),
       validateIngreso(getOpcionId("ComprobanteList")))

val menuComprobantePendientes =
  Menu(Loc("ComprobanteListPendientes",
           List("oper", "comprobante", "pendientes"),
           "Pendientes"),
       validateIngreso(getOpcionId("ComprobanteList")))

val menuComprobanteAutorizados =
  Menu(Loc("ComprobanteListAutorizados",
           List("oper", "comprobante", "autorizados"),
           "Autorizados"),
       validateIngreso(getOpcionId("ComprobanteList")))

val menuComprobanteAdd =
  Menu(Loc("ComprobanteCreate",
           List("oper", "comprobante", "create"),
           "Agregar "),
       validateIngreso(getOpcionId("ComprobanteList")))

val submenusComprobante = List(menuComprobanteList,
                               menuComprobantePendientes,
                               menuComprobanteAutorizados)

val menuComprobante =
  Menu(Loc("Comprobante",
           List("oper", "comprobante") -> true,
           "Comprobantes",
           validateIngreso(getOpcionId("ComprobanteList"))),
       submenusComprobante:_*)

val listMenu = List(menuComprobante)


def appendRewriteRules = LiftRules.rewrite.append {
  case RewriteRequest(
         ParsePath(List("oper", "comprobante", "view", id),_,_,_),_,_) =>
    RewriteResponse("oper" :: "comprobante" :: "view" :: Nil,
                    Map("id" -> id))
  case RewriteRequest(
         ParsePath(List("oper", "comprobante", "viewapproved", id),_,_,_),_,_) =>
    RewriteResponse("oper" :: "comprobante" :: "viewapproved" :: Nil,
                    Map("id" -> id))
  case RewriteRequest(
         ParsePath(List("oper", "comprobante", "autorizar", id),_,_,_),_,_) =>
    RewriteResponse("oper" :: "comprobante" :: "autorizar" :: Nil,
                    Map("id" -> id))
  case RewriteRequest(
         ParsePath(List("oper", "comprobante", "create"),_,_,_),_,_) =>
    RewriteResponse("oper" :: "comprobante" :: "edit" :: Nil,
                    Map("op" -> "create"))
  case RewriteRequest(
         ParsePath(List("oper", "comprobante", "edit", id),_,_,_),_,_) =>
    RewriteResponse("oper" :: "comprobante" :: "edit" :: Nil,
                    Map("id" -> id))
  case RewriteRequest(
         ParsePath(List("oper", "comprobante", "delete", id),_,_,_),_,_) =>
    RewriteResponse("oper" :: "comprobante" :: "delete" :: Nil,
                    Map("id" -> id))
}


The function of validation for the access:
------------------------------------------------------------

def validateIngreso(opcionId:Long) =
  If(() => {
       validateLoggin &&
       validateSession &&
       validatePassword &&
       validatePerfil(opcionId)
     },
     () => RedirectResponse("/index"))


def validateLoggin = Usuario.loggedIn_?

def validatePassword =
  if (Usuario.currentUserId.isDefined) {
    !(Usuario.findByKey(Usuario.currentUserId.get.toLong).get.password.match_?(DefaultPassword.getDefaultPassword))
  } else true


// Read if the current User has permissions for the actual menu option
// in the current application and with the current Profile
def validatePerfil(opcionId:Long) =
  if (validateSession) {
    val perfilId = UsuarioAplicacionPerfil.findAll(
      By(UsuarioAplicacionPerfil.usuario_Id, Usuario.currentUserId.get.toLong),
      By(UsuarioAplicacionPerfil.aplicacion_Id,
         Aplicacion.currentApplicationId.get.toLong),
      MaxRows(1)).headOption match {
        case None => 0
        case Some(uap) => uap.perfil_Id.toLong
      }


My menu in the Boot
---------------------------------------

val entries = Menu(Loc("Home", "index" :: Nil , ?("Home"))) ::
              OperMenu.listMenu

LiftRules.setSiteMap(SiteMap(entries:_*))

OperMenu.appendRewriteRules


Now:
--------------------------------------------------------
In the database I have a user: pe...@asdf.com
This user only has permission for the menu options "Comprobante" and
"Mantenimiento". The sitemap shows the correct options, BUT if I write
in the browser the URL of the option "Autorizados", this user can
access it when they should not, because they have no permissions.

Any suggestions??


Andrea Moruno
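
An added example, not part of the original post and not Lift's API: a dependency-free Scala model in which one permission check decides both what the menu shows and whether a typed URL is served, and any path without a matching entry is refused. All names and option ids are hypothetical; the second table reuses one option id for every entry, which is how each call in the post passes getOpcionId("ComprobanteList").

```scala
object SiteMapGuardDemo {
  // One guarded location: the path it serves and the option id it requires.
  final case class Route(name: String, path: List[String], optionId: Long)

  sealed trait Outcome
  case object Render extends Outcome
  final case class Redirect(to: String) extends Outcome

  // Constructed sample data: every entry has its OWN option id.
  // "*" stands for one free path segment, such as the id in view/<id>.
  val perEntry: List[Route] = List(
    Route("ComprobanteList", List("oper", "comprobante", "list"), 1L),
    Route("ComprobanteListPendientes", List("oper", "comprobante", "pendientes"), 2L),
    Route("ComprobanteListAutorizados", List("oper", "comprobante", "autorizados"), 3L),
    Route("ComprobanteView", List("oper", "comprobante", "view", "*"), 4L))

  // Same entries, but every guard checks the option id of "ComprobanteList".
  val sharedId: List[Route] = perEntry.map(_.copy(optionId = 1L))

  def matches(pattern: List[String], path: List[String]): Boolean =
    pattern.length == path.length &&
      pattern.zip(path).forall { case (p, s) => p == "*" || p == s }

  // The single predicate used for menu rendering AND request handling.
  def allowed(granted: Set[Long], r: Route): Boolean = granted.contains(r.optionId)

  def menu(routes: List[Route], granted: Set[Long]): List[String] =
    routes.filter(r => allowed(granted, r)).map(_.name)

  // Deny by default: an unknown path and a failed guard both redirect.
  def handle(routes: List[Route], granted: Set[Long], path: List[String]): Outcome =
    routes.find(r => matches(r.path, path)) match {
      case Some(r) if allowed(granted, r) => Render
      case _ => Redirect("/index")
    }

  def main(args: Array[String]): Unit = {
    val granted = Set(1L) // constructed user: holds only the "Mantenimiento" option
    val typed = List("oper", "comprobante", "autorizados")
    println(menu(perEntry, granted))            // entries this user may see
    println(handle(perEntry, granted, typed))   // typed URL, per-entry ids
    println(handle(perEntry, granted, List("oper", "comprobante", "delete", "7")))
    println(handle(sharedId, granted, typed))   // typed URL, one shared id
  }
}
```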

David Pollak

Nov 5, 2010, 12:56:15 PM
to lif...@googlegroups.com

Please create a reproducible example and post it as a project on GitHub so we can try it out and fix the example for you.
 



--
You received this message because you are subscribed to the Google Groups "Lift" group.
To post to this group, send email to lif...@googlegroups.com.
To unsubscribe from this group, send email to liftweb+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/liftweb?hl=en.




--
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890
Follow me: http://twitter.com/dpp
Blog: http://goodstuff.im
Surf the harmonics

andrea

Nov 7, 2010, 8:26:35 PM
to Lift
Hi everyone,

I have finally replicated my problem in a shorter example. As
mentioned before, the sitemap is generated correctly, but when you
type in the browser a path that the current user has no access
permission for, the user can access the path.


This is the project:

https://github.com/andreamoruno/heuresis

SSH: g...@github.com:andreamoruno/heuresis.git


The database is called heuresis in postgresql 8.3

I hope you can suggest some strategies to avoid this problem

Thanks!!!

Andrea Moruno


On 5 nov, 12:56, David Pollak <feeder.of.the.be...@gmail.com> wrote:
> > In the database I have a user: p...@asdf.com
> > This user only has permission for the menu options "Comprobante" and
> > "Mantenimiento". The sitemap shows the correct options, BUT if I write
> > in the browser the URL of the option "Autorizados", this user can
> > access it when they should not, because they have no permissions.
>
> > Any suggestions??
>
> Please create a reproducible example and post it as a project on GitHub so
> we can try it out and fix the example for you.

David Pollak

Nov 7, 2010, 9:24:24 PM
to lif...@googlegroups.com
When I run the sample, I get:

/compile/slf4j-log4j12-1.5.11.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
org.postgresql.util.PSQLException: FATAL: password authentication failed for user "postgres"
    at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:276)
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:95)
    at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:66)
    at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:124)
    at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:30)
    at org.postgresql.jdbc3.Jdbc3Connection.<init>(Jdbc3Connection.java:24)


In order to have a reproducible example, I need something self-contained that I can reproduce on my machine.  You can either make it work with H2/Derby or alternatively strip out all the database calls by putting stub logic into your application.

I do want to help you, but one of us is going to have to do the above to get the app to run on a machine without your database already installed.

Thanks,

David
