Expert Insights Hub

Overview:

Custom permissions in Liferay 7.4 empower developers to create advanced access control mechanisms that go beyond the platform's default settings. Using Liferay’s robust permission framework, developers can define specific rules and actions for portlets, model instances, or other resources. This capability ensures that permissions align precisely with business workflows, enhancing security and enabling granular, role-based access control for users. By tailoring permissions to suit unique application requirements, Liferay 7.4 provides a scalable and flexible solution for managing access to sensitive data and features. 

Prerequisite:

• JDK 11 
• Liferay Server: liferay-dxp-tomcat-7.4.13.u92 
• Liferay Developer Studio:  3.9.7.202207131011-ga8

How Custom Permissions Work

Liferay's permission system operates on the principle of actions and resources: 

1. Actions: These represent operations that can be performed, such as VIEW, UPDATE, DELETE, or custom-defined actions like ADD_COMMENT or EXPORT_DATA. 

2. Resources: These can be:

• Portlet Resources: Access to the portlet itself and its associated features. 
• Model Resources: Access to specific entities, such as a blog entry, user profile, or custom object. 
• File or Data Resources: Access to files, documents, or other forms of data. By combining these elements, developers can define who (roles/users) can do what (actions) on a specific resource.

Features of Custom Permissions

1. Role-Based Control

• Permissions can be assigned to roles such as Administrator, Guest, Power User, or custom-defined roles. This ensures that access aligns with user responsibilities.

2. Granular Access Levels

• Developers can define permissions not only at a high level (e.g., portlet-level) but also at the entity or field level within a model. 

3. Dynamic Management

• Permissions can be adjusted dynamically through the Liferay Control Panel or programmatically using APIs. 

4. Integration with Workflow

• Custom permissions integrate seamlessly with Liferay’s workflow system, enabling conditional access based on the state of a resource.

5. Guest and User Differentiation

• Actions available to guests (unauthenticated users) and authenticated users can be defined separately, providing an additional layer of control.

Steps to Implement Custom Permissions in Liferay:

1. Start the Liferay Developer Studio:

• Open Liferay Developer Studio. 
• Start the Liferay server by navigating to the Servers tab and clicking on the Start button.   

2. Create a Workspace Project:

• Open Liferay Developer Studio and start the server.
• Navigate to File → New → Liferay Workspace Project.
• Provide a project name (e.g., global-workspace) and click Finish.

3. Create a Service Builder

• Go to File → New → Liferay Module Project.
• Choose the Service Builder template, provide the project name (e.g., customer-service), and click Finish.
• Enter the class and package name.
• Modify the service.xml file to define an entity (e.g. Customer) with attributes. Set the remote-service attribute to true.
  
  

4. Build the ServiceBuilder Module

• Open Gradle Task Executor in Liferay Developer Studio.
• In the Gradle Task Executor, navigate to Modules.
• Go to the customer Service module.
• Under the customer Service module, go to the Build section.
• Click on Build Service to execute the build task.
• Refresh the Gradle project to generate necessary packages and classes.

5. Define Custom Resource Actions in a Service Builder Module

• Create a resource-actions folder under src/main/resources/META-INF/ in your module. 
• After creating the resource-actions folder, create the default.xml file within it.

6. Configuring Resource Actions 

• Specify the resource.actions.configs property in portal.properties to map your custom resource actions.

7. Enforce Permissions in the Service Layer 

• Use the Permission Checker API in your service methods to enforce permissions. 
• Add Customer:

• Delete Customer:

8. Create a Portlet:

• Navigate to File → New → Liferay Module Project. 
• Provide a project name (e.g., customer-portlet) and click Finish. 
• Enter the class and package name.

9. Integrate Service Builder with the Portlet

10 .Define Custom Resource Actions in the portlet module:

• Create a resource-actions folder under src/main/resources/META-INF/ in your module.
• After creating the resource-actions folder, create the default.xml file within it.
  
  

11. Configuring Resource Actions in the portlet 

To define custom permissions for your Liferay module, you need to map the resource actions to their corresponding configurations. This is achieved by specifying the resource.actions.configs property in the portal.properties file.



12. Implement add, delete, and get Methods in the MVC Portlet:

13. Creating Views with JSP and Adding Permissions 

• Init.jsp:  init.jsp file is a JSP file that initializes the portlet. It defines some taglibs and retrieves the mainRequire attribute set in the Java code.
  
  
  
  
   
• View.jsp: The view.jsp file is used to display the data to the user.

• Add Customer:
  
  

14. Deploy the portlet (Customer-portlet):

• Deploy the portlet module using the Gradle Task Executor. 
• Add the portlet to a page.

15. Assign Permissions via Control Panel
After implementing custom permissions and permission checks in your portlet, you need to assign these permissions to specific roles (e.g., power-user, administrator) or individual users in Liferay. This can easily be done through the Control Panel. 

a. Creating a User and Assigning a Role.

• Navigate to the Control Panel and click on Users and Organizations.

• Click on the (+) icon and add the necessary user information.

• ​​​​Click on Save and assign the custom permission role to the user you created.
  
  

b. Set the permission:

• Now, go to Control Panel > Roles > Regular Roles and navigate to your role (e.g., 'Customer Custom Permission').
  
  
   

• Go to Define Permissions and search for your application (e.g., 'Customer'). 
• Set the application and resource permissions. 
• Then, go to Assignees and assign the permissions to the user.

c. Test Your custom permission:

• Log in as your user (Test1 user). 
• First, set the application permissions: action.ADD_CUSTOMER, view customer, and delete customer." 

• Now, go to the page of the site where your portlet is available 
• Here, you should be able to view the customer, add a customer, and delete a customer.

• Here, I changed the permissions to only allow viewing and adding a customer.
  
  

• Now, I modified the permissions to only allow viewing and adding a customer. As a result, the delete button is no longer visible because I did not grant the delete permission in the application permissions.
  
  
   

• Next, set the resource permission to allow only view permissions.
  

• Now, I can only view the customer and cannot delete the customer. If I try to click the delete button, an error will be shown stating that the user does not have permission to delete the customer.
  
  ​​​​​​