Remove VIEW permission automatically from Guest Role when a site-page is added - configuration

In Liferay when a page is added to the Site it by default gives VIEW permission to the Guest role.
Is there any way (either through configuration or through hook or other) to disable this so that by default VIEW permission is disabled for Guest role when a new page is added to the Site?

Well, when a page [Layout, in Liferay's low-level context] is added as a public page, Liferay assigns the default permissions to the GUEST role defined in sites.xml for the Layout model.
Basically there are two ways to avoid it through ext development:
1) remove the guest default permissions from sites.xml
2) change the code in LayoutLocalServiceImpl in ext by overriding the addLayout method with the addGroupPermissions boolean value set to false.

There are ways (through Liferay configuration and Ext) with which you can restrict VIEW of Site public pages for those users who don't explicitly have that permission.
1st Approach
So this can be achieved by setting this property to false in portal-ext.properties:
permissions.check.guest.enabled=false
But by setting this property, the Guest role only makes sense for users who have not logged in; once the user logs in, even if there is a VIEW permission on Guest for a page or asset, the user won't be able to view it unless the user has that permission.
So the Guest role would be rendered completely useless even if you give all the permissions to the Guest role.
For users who have not logged in, you can send them to the login page with some logic.
2nd approach
1) Updating site.xml in EXT-plugin to disable default VIEW permissions for guest while adding Site pages.
By doing so when site page is added, by default Guest role's view permission is unchecked.

Related

How to make Chrome, Edge .. to keep the same session when browsing different pages in the same site without specifying the whole domain name?

The first answer in this question: "Session is lost and created as new in every servlet request" is valid; however, users in an intranet are very familiar with not typing the whole domain in the URL. It would be very useful to configure the browser so that it accepts the URL without the domain and still keeps the session.
According to this article: Cookie attributes- Domain and Path, you can know that the Domain attribute defines the scope of the cookie. It lets the browser know which website the cookie belongs to. If the server does not specify the domain of the cookie, it will default to the domain of the requested resource.
Therefore, I think your requirement cannot be implemented.
The decision was not down to the browser, but to the Web.config file in the ASP.NET application. For a different issue we had to add the text cookieSameSite="None" to the SessionState tag in the Web.config file in May 2020. Time came and apparently a new update of the browsers caused the application to lose the session because it did not create the cookie with the SessionID as ASP.NET needs, unless we specify the whole domain in the URL.
That said, we have 2 solutions: remove the cookieSameSite="None" from the Web.config file, or type the whole domain in the address of the application.
Of the 2 solutions, the first one was not possible in our case, because the ASP.NET app is inside an iframe tag and without cookieSameSite="None" it does not keep the session, so we included the whole domain name inside the HTML page using the iframe as src="myServer.MyDomain/MyApp/"

MediaWiki: Take Login with me

I have got multiple wikis. They all use the same server, assets and domain. They use separate databases and subdomains like so:
de.[myPage].org
en.[myPage].org
es.[myPage].org
Somehow the login information does not travel with the user when the subdomain is changed.
For example: whenever I am logged in as "Max" and change from
de.[myPage].org
to
en.[myPage].org
I get logged out/am not logged in anymore.
How do I fix this? It may be that the databases differ.
Login is done via cookies which contain a user token; if the token matches the one stored in the database, the system accepts you as logged-in. So, you need to share the user table by enabling $wgSharedDB, and you need to share the cookie (which by default your browser limits by domain name) by setting $wgCookieDomain to .[myPage].org.
If this is not an option (e.g. you already have established users in different databases which cannot be merged due to conflicts, or you have different second-level domains) the CentralAuth extension can provide more sophisticated single sign-on, but it's a bit of a pain to administer (as the big bold warning on the extension page suggests).
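
The cookie scoping that the session question and the MediaWiki answer above both rely on, as an added example that is not part of either post: a cookie set without a Domain attribute is bound to the exact host, while a Domain value such as the one given to $wgCookieDomain widens it to every subdomain. It follows the RFC 6265 storage and domain-match rules; all hostnames are constructed stand-ins, and the public-suffix check browsers also apply is not modelled.

```javascript
// Added example: cookie scoping per RFC 6265 (domain-match 5.1.3, storage model 5.3).
// Hostnames are constructed; the browsers' public-suffix check is not modelled.

// Does request host `host` domain-match the cookie domain `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d+(\.\d+){3}$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// What a browser stores for a Set-Cookie from `requestHost`; null means rejected.
function storeCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (!domainAttr) return { domain: host, hostOnly: true }; // bound to exact host
  const domain = domainAttr.replace(/^\./, '').toLowerCase(); // leading dot ignored
  // A server may only set a cookie for its own host or a parent domain of it.
  return domainMatch(host, domain) ? { domain, hostOnly: false } : null;
}

// Would the stored cookie be attached to a request for `requestHost`?
function wouldSend(cookie, requestHost) {
  if (cookie === null) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

function scenarios() {
  const hostOnly = storeCookie('de.example.org', null);          // default behaviour
  const shared = storeCookie('de.example.org', '.example.org');  // like $wgCookieDomain
  const foreign = storeCookie('de.example.org', 'example.net');  // not a parent: rejected
  const shortName = storeCookie('myserver', null);               // intranet short name
  return {
    hostOnlyReachesOtherWiki: wouldSend(hostOnly, 'en.example.org'),
    sharedReachesOtherWiki: wouldSend(shared, 'en.example.org'),
    sharedReachesAnySubdomain: wouldSend(shared, 'uploads.example.org'),
    sharedReachesLookalike: wouldSend(shared, 'badexample.org'),
    foreignStored: foreign !== null,
    shortNameReachesFqdn: wouldSend(shortName, 'myserver.mydomain.example'),
  };
}

console.log(scenarios());
```

Because a Domain cookie reaches every host under that domain, the login token is also sent to any other subdomain of the site, so widen the scope only when all of them are trusted.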

How do I protect a directory within github-pages?

I am building my personal website using Jekyll and hosting it at github-pages. I would like to have a password protected area (just password protected directory, not the whole website). I have tried a few options and tricks to get htaccess to work but failed.
I would like to know if someone managed to use htaccess, or any other method, to protect a directory on github-pages.
Listing solutions which did not work for me (or I failed to get them to work):
*Flohei.
*Jeremy Ricketts.
GitHubPages (like Bitbucket Pages and GitLab Pages) only serve static pages, so the only solution is something client side (Javascript).
A solution could be, instead of using real authentication, just to share only a secret (password) with all the authorized persons and implement one of the following schemes:

* Put all the private files in a (not listed) subdirectory and name that with the hash of the chosen password. The index page asks you (with Javascript) for the password and builds the correct start link by calculating the hash.
  See for example: https://github.com/matteobrusa/Password-protection-for-static-pages
  PRO:
    * very simple approach protecting a whole subdirectory tree
  CONS:
    * possible attack: sniffing the following requests to obtain the name of the subdirectory
    * the admins on the hosting site have access to the full contents

* Encrypt the page with a password and decrypt it on the fly with Javascript.
  See for example: https://github.com/robinmoisson/staticrypt
  PRO:
    * no plaintext page code around (decrypting happens on the client side)
  CONS:
    * just a single page, and you need to reinsert the password on every refresh
    * an admin could change your Javascript code to obtain the password when you insert it

One option is to use Cloudflare Access to control access at the DNS level.
After setting up a custom domain for your Git pages using Cloudflare for DNS, you can use their Access rules policy to require authentication at the specified url path.
This could still be bypassed if someone is familiar with bypassing DNS blocks.
https://www.cloudflare.com/products/cloudflare-access/
You can give a try to Jekyll Auth and if you run into troubles, this issue can be useful.
You can use Render to deploy your static Web app. It has an npm package that encrypts your HTML files so the user cannot see them in the browser. So you can use frontend password validation.

HTML: protecting a site with multiple htaccess files

I have a (Bootstrap) site with top-level htaccess/htpasswd protection. This works fine, but I'd now like to add a new menu item, which requires a different (administrator) password.
My plan A is to have the new administrator menu show a single 'login' item. When you click on the login item, a page from the admin directory is loaded. The admin directory contains a second .htaccess, which currently contains
<Limit GET>
require user admin
</Limit>
However, this doesn't work, for at least 2 reasons:
(1) If the user originally logged in as foo, for example, and then clicks the login menu item, Apache doesn't offer to let the user log in again as admin - the error log simply says
access to /foo/admin/admin.html failed, reason: user 'foo' does not meet 'require'ments for user/valid-user to be allowed access
Is there some way to force the password dialog to appear?
(2) My top-level index.html currently does a virtual include of the admin page:
<div id="siteAdminDiv" class="container" style="display:none">
<!--#include virtual="admin/admin.html" -->
</div>
This doesn't work (unsurprisingly), since Apache tries to load the page on the initial site load, and the load fails because the user has just entered a user-level rather than an admin password. Any idea how I load this page only when it's required, in such a way that it doesn't redirect, for example, and fits into the existing Bootstrap structure?
Thanks.

Automatic creation of subdomains for user's page in liferay

When a new user is added to Liferay, a public page can be created automatically for him.
Where should I look in the source of Liferay to implement such a functionality?
Or maybe it's already possible by configuration? If it is so how could I do it?
Thanks
Technically this is done in UserLocalServiceImpl.addUserWithWorkflow(...), but depending on what you really need, you can do part of what you ask for through configuration:
When you create a UserGroup, you can edit the "pages" (or site template) for a usergroup. These pages will be copied/linked to a user's personal site if the user is member of that usergroup. In ControlPanel/Portal/PortalSettings you can choose this usergroup to be the default user group for all newly created users, so that they all get those pages.
Now this doesn't assign a subdomain (like a virtual host) that you mention in the title of this question. If you want to assign a virtual host to the site (called "group" in technical terms when you dig into Java code), you'll have to override the method given above (e.g. through a hook that overrides UserLocalService) and configure the user's site/group with a virtual host. However, the UI does not allow configuring virtual hosts for users' sites, but you might be able to do this through the API, e.g. programmatically.
If it's enough for you, you can also just implement a blank redirection from http://username.example.com (wildcard on 'username') to http://www.example.com/web/username - e.g. use Apache's mod_rewrite
Finally, I must follow that: http://www.liferay.com/community/forums/-/message_boards/message/10268877.
I just want to use the UI, so I must custom portlet to solve that :|