Can't set permission for user to View Task only

Hello,

I’m working on a CAF project which uses BPM.
I have many tasks on my project, and I want to set the following behavior:
If the task is assigned to a role, the members of this role should be able to view the task and modify it. But the other users that are not assigned to this task should be able to view the task without being able to modify the task.

When I try to set the permissions to “View Task Data” & “View Task Info”, the task view is not displayed and I get the following error:
Failed to evaluate binding expression: #{[view].[task].canUserViewTaskData}

But when I set the permission to “Task Administration”, the task view is displayed and unfortunately it’s possible to make modifications on the task, which is not required.

Can anyone help with this problem please?

I appreciate your help in advance.
Thanks.

Reda:

I think you cannot do that since it’s not possible to make a portlet task read only by assigning permissions. Instead you may try to assign the task to two roles and programmatically change the portlet to make read only the required parts or sections.

Hope this helps.

Best regards.
Norberto.

Hello Norberto,

Thank you for your reply.

I see your point. The task portlet view should be viewed by a role and viewed and modified by another.
And this concerns all the sections of the view.

Can you please provide me with more details about how this can be programmatically done, since as you said this can’t be done with permission management.

Thanks in advance.

Appreciate your help.

Hi Reda,

One alternative is to implement in your BasePortletPageBean a method that verifies if the current user is part of a role.

Then you can enable/disable controls based on this condition.


// Evaluates the securityRoles binding for "MyReadOnlyRole" for the current user
protected Boolean isReadOnlyRole() {
    return (Boolean) resolveExpression("#{securityRoles[\"MyReadOnlyRole\"]}");
}

br,
Vlad

Hello Vlad,

Thanks for your reply.

So if I understood well, I’ll use this boolean variable in the ‘Disabled’ property of all updatable components of the view.

Is it the best way to do so, because I’ve got many roles that are involved in a task.
Is it necessary to have as many variables as many roles or only one variable for all? (supposing of course that I cannot assign the roles in one role)

If only one variable is required, how can I modify the example you provided to manage many roles?

Thanks in advance.

Appreciate your help.

Hi Reda,

The actual implementation depends on your requirements.
For example, if all the users would have read-only access to the task, then what would you choose:

  • all editable fields disabled
  • use a Disableable Panel CAF component that contains the other components
  • all editable fields read-only (there is also this property)
  • only the Save-like buttons to be disabled (the user can change fields, but can not actually invoke applyChanges())
  • the user can click Save, but he will receive an error message. Task not updated

The #{securityRoles[…]} expression can be used also directly on the CAF components.

Regarding role organization, I would have a technical parent role that contains all the “read-only” roles.
It is easier to manage and you do not have to change the code if one of the sub-roles is removed/added/renamed.

br,
Vlad

Hello Vlad,

Thanks a lot for the clarifications. They are very useful.

The problem I’ve got is that I want to apply this behavior for all the tasks of my process.

And for every task, the assigned role should be able to view and modify, and the other assigned roles for the other tasks should be able to view only this task.

It means I cannot regroup all the roles in one, since the read only roles are not the same for all the tasks, they change from a task to another.

In this case I’ll need to have a read-only role for every task. And I’ll end with as many read-only roles as many tasks and I’ve got too many tasks in my processes :smiley: . Is that the only way?

Another question is that since the method you proposed returns a boolean and not a string I’m not able to visualise it in the binding view. So how will I do to bind it to the “Disabled” property? Should I insert it manually or use the #{securityRoles[…]} expression?
If the expression should be used, what does it return?

Appreciate your help.

Thanks in advance.
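
Added example, not part of the thread and not CAF or MWS code: one way to model the per-task requirement described above (one editing role per task, other roles view-only) as a single computed mode, with the same check repeated on the server side of Save so the rule holds even when a control is left enabled. The inRole predicate is a hypothetical stand-in for evaluating #{securityRoles["..."]} for the current user; all role names are constructed, and Java 16+ is assumed for the record syntax.

```java
import java.util.Set;
import java.util.function.Predicate;

public class TaskAccessExample {
    enum Mode { EDIT, VIEW, DENY }

    // Per-task policy: roles that may edit and roles that may only view.
    record TaskPolicy(Set<String> editRoles, Set<String> viewRoles) {}

    // Resolve the mode once per request. EDIT is checked first, so a user who
    // holds both an editing role and a view-only role is not locked out.
    static Mode resolveMode(TaskPolicy policy, Predicate<String> inRole) {
        if (policy.editRoles().stream().anyMatch(inRole)) return Mode.EDIT;
        if (policy.viewRoles().stream().anyMatch(inRole)) return Mode.VIEW;
        return Mode.DENY;
    }

    // Value to bind to a Disabled property: true for anything other than EDIT.
    static boolean controlsDisabled(TaskPolicy policy, Predicate<String> inRole) {
        return resolveMode(policy, inRole) != Mode.EDIT;
    }

    // Guard for the Save action. Disabled controls are only a UI hint; the
    // update itself is refused here unless the caller resolves to EDIT.
    static String save(TaskPolicy policy, Predicate<String> inRole, Runnable applyChanges) {
        if (resolveMode(policy, inRole) != Mode.EDIT) {
            return "Task not updated: read-only access";
        }
        applyChanges.run();
        return "Task updated";
    }

    public static void main(String[] args) {
        // Constructed sample: the "approve" task is edited by Approvers, viewed by two other roles.
        TaskPolicy approve = new TaskPolicy(Set.of("Approvers"), Set.of("Requesters", "Auditors"));
        Predicate<String> assignee = Set.of("Approvers", "Auditors")::contains;
        Predicate<String> viewer = Set.of("Requesters")::contains;
        Predicate<String> outsider = Set.of("Guests")::contains;

        int[] updates = {0};
        Runnable applyChanges = () -> updates[0]++;

        System.out.println(resolveMode(approve, assignee) + " / " + save(approve, assignee, applyChanges));
        System.out.println(resolveMode(approve, viewer) + " / " + save(approve, viewer, applyChanges));
        System.out.println(resolveMode(approve, outsider) + " / " + save(approve, outsider, applyChanges));
        System.out.println("disabled for viewer: " + controlsDisabled(approve, viewer));
        System.out.println("updates applied: " + updates[0]);
    }
}
```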

Hello Vlad,

Your clarifications were very helpful. But I’m still facing some issues when trying to implement this solution for one of my tasks.

  1. I’ve created the read-only role in MWS.
  2. I’ve created the associated security role for the task portlet I’m working with.
  3. I’ve bound the Read-Only and Disabled properties to the expression #{portletSecurityRoles[“MyReadOnlyRole”]} one by one and made some tests with a user from “MyReadOnlyRole” role.
  4. The resulting behavior is the following:
  • Read-Only: no impact, nothing has changed
  • Disabled: The component is disabled but not for the required user only but for all of them.

Can you help me please. Am I doing something wrong?

I’m also confused about which privilege to set when creating the security role for task portlet (Role link property).

Appreciate your help.

Thanks.

Kind regards.

Hello Vlad,

I’ve investigated to discover what is wrong, and I’ve found in MWS log that the expression #{portletSecurityRoles[“MyReadOnlyRole”]} always returns true.

Even if I use the method you provided, it’s the same result, the value returned is always true as well.

Can you please help me on this?

Thanks in advance.

Reda:

The people who see the task in the inbox can view and modify the task, this is by design, that’s why you can’t restrict the task and need to change the controls.

Another approach is for view and query purposes you may build a custom query portlet, give access who you need and display the info what you need.

Hope this helps.

Best regards.
Norberto.

Hello Norberto,

Thanks for your reply.

I’m interested in the first point that you mentioned that is “The people who see the task in the inbox can view and modify the task, this is by design, that’s why you can’t restrict the task and need to change the controls”.

The users that see the task in the inbox are the assignees for the task. The role that I want to grant read-only rights is not assigned to the task.

So what I did is to use expression #{portletSecurityRoles[“MyReadOnlyRole”]} and bind it to Disabled property of the controls in the view. The role “MyReadOnlyRole” is not assigned to the task.

But what I don’t understand is why this expression always returns true for all the roles, the assigned one and the MyReadOnlyRole role.

Appreciate your help.

Thanks in advance.

I meant it returned true for all the users, the ones from the assigned role and the ones from MyReadOnlyRole.
And as a result, the controls are disabled for all.

Thanks a lot for your help.

Reda:

Regarding

Is the user a member of “MyReadOnlyRole”?

I see Vlad’s response and he wrote #{securityRoles; why did you use #{portletSecurityRoles?

Regards.

And I’ve got one other question:

What’s the effect of setting the Read Only property to true on a radio button group?
Because I’m not seeing any difference between both values true and false.

Thanks.

Appreciate your help.
