We have a function to allow a user to create a new organization in our portal. When this happens we are trying to set up the site pages using:
SitesUtil.updateLayoutSetPrototypesLinks(siteGroup, 0L, layoutSetPrototypeId, false, true);
This seems to work when the user is an admin, but when a non-admin user tries we get this error:
12:28:18,104 ERROR [http-bio-8080-exec-214][WorkflowEditorController:120] In check():
com.liferay.portal.security.auth.PrincipalException
at com.liferay.portal.service.permission.GroupPermissionImpl.check(GroupPermissionImpl.java:49)
at com.liferay.portal.service.permission.GroupPermissionUtil.check(GroupPermissionUtil.java:39)
at com.liferay.portal.service.impl.LayoutSetServiceImpl.updateLayoutSetPrototypeLinkEnabled(LayoutSetServiceImpl.java:61)
I assume the issue is with permissions. I am trying to find the correct permission to assign to the organization role given to the users who can create organizations, but I can't figure out which permission it is. I have tried adding pretty much all the site permissions through the control panels, and I have tried add Resourcepermissions programmatically using:
ResourcePermissionLocalServiceUtil.addResourcePermission(org.getCompanyId(), LayoutSetPrototype.class.getName(), ResourceConstants.SCOPE_GROUP_TEMPLATE, String.valueOf(layoutSetPrototypeId), role.getRoleId(), ActionKeys.UPDATE);
Nothing seems to make a difference. Does anyone know exactly which permission I need to be granting?
Related
So I have the users in a table and I know my login system works because I use it for other workspaces. However across all the applications in this particular workspace I am having an error where users roles are not being recognized in particular I can't even get the admin page to work for me and I am a developer. If anyone has any clue on how to fix this it would be greatly appreciated.
If that first image is the default Admin pages, then wouldn't that mean you have access since you can see that page?
(which by default, if you let APEX create it for you through New Page > Features > Access Control) has Administration Rights set as the Authorization scheme
You have two places to check to find the issue:
Shared Components > Security > Authorization Scheme
Go to or Click your Administation Rights, under Authorization Scheme, you need to make sure you are using Is in Role or Group IF that is the requirement and you are to use the created roles. Make sure the role, Administrator (if default roles exist) is listed.
if validation is once per session, and you're still in the same session. log out and log back in. The problem should go away
Shared Components > Security > Application Access Control
Check under Role Assignments if your username is there.
Click Administrator under Roles, and make sure Administration Rights under Associated Authorization Schemes has the Is in Role or Group as the scheme type
If there is a different Authorization scheme (not Is in Role or Group) or you have different roles, then I would suggest post a new question with more details on your setup.
I'm getting the below error when trying to create a new user in Splunk:
Encountered the following error while trying to save: In handler 'users': Could not get info for role that does not exist: alert_manager
Do I need to disable any apps or delete the files related to any apps from the Splunk directory? Kindly suggest.
Without knowing any further information about your problem or environment, it sounds like the issue is with your alert_manager role, rather than a global issue. Try to create a user with the user role (or another role) and see if that works; if it does, there is a problem with how your alert_manager role is configured (or that role doesn't exist).
To see how to modify or add roles, check out Add and edit roles with Splunk Web in the Splunk docs.
I guess this question basically boils down to some misunderstanding that I have about how the SonarQube LDAP plugin works in general. We have integrated the LDAP plugin and our users are authenticating against our corporate LDAP server. When we we want to create a new group and add users to that group for a new project, we have assumed that the users themselves must authenticate into SonarQube first so they get added as a user to SonarQube. After that, then we are able to put them into the appropriate groups that they belong to. This is a pain for our administrators since the people that need to be added are logging in at differing times or forgetting to log in at all. What we would like is something that Nexus provides where we can do a lookup of that user's account id, then add them and place them into the appropriate group(s). In that way, the user is not bothered by having to login first and then the administrator has to give the privileges and then the user logs out and logs back in. Is this a misunderstanding on my part? I ask because when I go to the users page and click on 'Create New User' it not only asks for the user's id but also the user's password which I obviously don't know so this is telling me that this will be a local account.
By default SonarQube's LDAP plugin works like you think it does. You can configure LDAP group mapping so that when the user enrolls, he/she is automatically added to the appropriate group.
In other words, create the group for the project in SonarQube, and then create the same group in LDAP and add users to it. Then when users login for the first time they will be in the appropriate group, and on each subsequent login any group changes will be reflected in SonarQube.
This, in my opinion, is infact better than adding users manually.
I apologise if the title is a little confusing, but I was a little stuck with the wording.
I'm currently working on a section of an application to allow users to grant developers access to their data through the application. This comes in a little 'Allow Some great app to access your account with the following permissions'. The application developer adds the required permissions, then when the user goes to authorize the application, these permissions are are displayed. If the user is happy to grant these permissions, the user shall press 'Grant'. This means that the user has agreed to every permission that has been displayed, and therefore this generates an API access token for the relevant application.
The issue now is that it has came to the attention that people may want to remove these permissions at a further date. At the moment, if the user would like to remove permissions, all permissions will be removed or disabled. The reasoning behind this is that if a single permission is removed from the application, the token that they authorized with is technically invalid as it does not have the permissions that were given to it when first creating the token.
Whilst this seems logical, there are also circumstances where the user would want to deny access for the third party application for a single feature (eg. The external application had a bug that was creating bad behaviour in a certain area, but was working fine in another area).
Would anybody be able to throw their two-cents in to this, as I'm having a hard time understanding if its best to allow modifications to a single permission in the event of problems, or to simply have to disable the application.
I'm working on a project to pull information from a SharePoint calendar and and post it into the atTask Time Off calendar. This should be pretty simple, but nothing in the AtTask API works the way I would expect. I've already asked about the "POST" action deleting existing records. Now I'm running into some strange rights issues.
I have administrator rights in our AtTask sandbox. I am able to access the Time Off records (RESVY) for all users on the system. I am able to delete them without issue. However, I am only able to create new records (POST) for myself. When attempting to create a new record for another user, I'm plugging in the sessionID from my login as the administrator and the other users userID.
The result is an error message: "You do not have sufficient access to edit this User".
It seems odd that the API would allow me to delete the RESVT records for another user, but no create new records.
We are using Active Directory for authentication into AtTask, so I don't have access to the passwords of the other users. This is really getting to be a headache.
Thanks in advance,
Mark
To update another users Time-Off the following 3 scenarios will allow you to mark time-off for another user. This is using the new access module.
You are a system admin
You have User Admin setting enabled in your access level settings (Located under the Fine Tuning option through the Edit Rights at the user level)
You have users who report to you (you are a manager) you will be able to edit users Time-off for users who report to you.