A quick summary of https://portal.liferay.dev/docs/7-0/tutorials/-/knowledge_base/t/using-resources-and-permissions

Important

To see the security settings for the service you MUST have a portlet reference. If you don't have a portlet yet, refer to an existing one such as com_liferay_blogs_web_portlet_BlogsPortlet.

Define portlet.properties

Create a file portlet.properties in .../[project]-service/src/main/resources/ and add this line to it: resource.actions.configs=META-INF/resource-actions/default.xml

Declare resources and their permissions in default.xml

Create a file default.xml in .../[project]-service/src/main/resources/META-INF/resource-actions/. This file contains the resources and their permissions. Many examples can be found throughout Liferay's source.

...
<permissions>
    <supports>
        <action-key>DELETE</action-key>
        <action-key>PERMISSIONS</action-key>
        <action-key>UPDATE</action-key>
        <action-key>VIEW</action-key>
        <!--<action-key>ADD_DISCUSSION</action-key>-->
        <!--<action-key>UPDATE_DISCUSSION</action-key>-->
        <!--<action-key>DELETE_DISCUSSION</action-key>-->
    </supports>
    <site-member-defaults>
        <action-key>VIEW</action-key>
    </site-member-defaults>
    <guest-defaults>
        <action-key>VIEW</action-key>
    </guest-defaults>
    <guest-unsupported>
        <action-key>DELETE</action-key>
        <action-key>PERMISSIONS</action-key>
        <action-key>UPDATE</action-key>
    </guest-unsupported>
</permissions>
...
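
A complete default.xml around the fragment above, as an added example that is not part of the original gist. It declares the entity resource and also the top-level (package-name) resource that the checkTopLevel call with ADD_ENTRY, shown later on this page, is evaluated against. com.example.blog.model and Blog are placeholder names; the portlet reference reuses the existing Blogs portlet named in the Important note.

```xml
<?xml version="1.0"?>
<!DOCTYPE resource-action-mapping PUBLIC "-//Liferay//DTD Resource Action Mapping 7.0.0//EN" "http://www.liferay.com/dtd/liferay-resource-action-mapping_7_0_0.dtd">
<!-- Added example. com.example.blog.model and Blog are placeholder names. -->
<resource-action-mapping>
    <!-- Top-level resource: model-name is the package, i.e. TOP_LEVEL_RESOURCE.
         ADD_ENTRY is declared here; no default grants, so roles get it explicitly. -->
    <model-resource>
        <model-name>com.example.blog.model</model-name>
        <portlet-ref>
            <portlet-name>com_liferay_blogs_web_portlet_BlogsPortlet</portlet-name>
        </portlet-ref>
        <permissions>
            <supports>
                <action-key>ADD_ENTRY</action-key>
            </supports>
            <site-member-defaults />
            <guest-defaults />
            <guest-unsupported>
                <action-key>ADD_ENTRY</action-key>
            </guest-unsupported>
        </permissions>
    </model-resource>
    <!-- Entity resource: model-name is the class name used in addResources() and hasPermission(). -->
    <model-resource>
        <model-name>com.example.blog.model.Blog</model-name>
        <portlet-ref>
            <portlet-name>com_liferay_blogs_web_portlet_BlogsPortlet</portlet-name>
        </portlet-ref>
        <permissions>
            <supports>
                <action-key>DELETE</action-key>
                <action-key>PERMISSIONS</action-key>
                <action-key>UPDATE</action-key>
                <action-key>VIEW</action-key>
            </supports>
            <site-member-defaults>
                <action-key>VIEW</action-key>
            </site-member-defaults>
            <guest-defaults>
                <action-key>VIEW</action-key>
            </guest-defaults>
            <guest-unsupported>
                <action-key>DELETE</action-key>
                <action-key>PERMISSIONS</action-key>
                <action-key>UPDATE</action-key>
            </guest-unsupported>
        </permissions>
    </model-resource>
</resource-action-mapping>
```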

Manage resources in [Entity]LocalServiceImpl

The [Entity]LocalServiceImpl classes are in .../[project]-service/src/main/java/com/.../service/impl/[Entity]LocalServiceImpl.java. Whenever an entity is added or deleted, you also need to add or delete its permission resources.

// when adding the entity: add its permission resources
boolean portletActions = false;
boolean addGroupPermissions = true;
boolean addGuestPermissions = true;

resourceLocalService.addResources(
    group.getCompanyId(), groupid, serviceContext.getUserId(),
    Blog.class.getName(), blog.getBlogId(), portletActions,
    addGroupPermissions, addGuestPermissions);

// when deleting the entity: remove its permission resources
resourceLocalService.deleteResource(blog, ResourceConstants.SCOPE_INDIVIDUAL);

Create EntryPermissionChecker interface that extends BaseModelPermissionChecker in API project

Located in .../[project]-api/src/main/java/.../service/permission/EntryPermissionChecker.java

package ...service.permission;

import com.liferay.portal.kernel.security.auth.AuthException;
import com.liferay.portal.kernel.security.permission.BaseModelPermissionChecker;
import com.liferay.portal.kernel.security.permission.PermissionChecker;

public interface EntryPermissionChecker extends BaseModelPermissionChecker {

    public void check(PermissionChecker permissionChecker, long groupId, long entryId, String actionId) throws AuthException;

    public void checkTopLevel(PermissionChecker permissionChecker, long groupId, String actionId) throws AuthException;

    public boolean contains(PermissionChecker permissionChecker, long groupId, long entryId, String actionId);

    public boolean containsTopLevel(PermissionChecker permissionChecker, long groupId, String actionId);

}

Implement EntryPermissionChecker in [Entity]PermissionChecker

Located in .../[project]-service/src/main/java/com/.../service/permission/impl/[Entity]PermissionChecker.java

package ...permission.impl;

import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.security.auth.AuthException;
import com.liferay.portal.kernel.security.permission.PermissionChecker;
import org.osgi.service.component.annotations.Component;

@Component (
        immediate = true,
        property = {
                "model.class.name=com...model.[Entity]"
        },
        service = [Entity]PermissionChecker.class
)
public class [Entity]PermissionChecker implements EntryPermissionChecker {

    public static final String TOP_LEVEL_RESOURCE = [Entity].class.getName().substring(0, [Entity].class.getName().lastIndexOf("."));

    @Override
    public void check(PermissionChecker permissionChecker, long groupId, long entryId, String actionId) throws AuthException {
        if (!contains(permissionChecker,groupId,entryId,actionId)) {
            throw new AuthException();
        }
    }

    @Override
    public void checkTopLevel(PermissionChecker permissionChecker, long groupId, String actionId) throws AuthException {
        if (!containsTopLevel(permissionChecker,groupId,actionId)) {
            throw new AuthException();
        }
    }

    @Override
    public boolean contains(PermissionChecker permissionChecker, long groupId, long entryId, String actionId) {
        // The resource name must be the entity's own class name, matching the one passed to addResources()
        return permissionChecker.hasPermission(groupId, [Entity].class.getName(), entryId, actionId);
    }

    @Override
    public boolean containsTopLevel(PermissionChecker permissionChecker, long groupId, String actionId) {
        return (permissionChecker.hasPermission(
                groupId, TOP_LEVEL_RESOURCE, groupId, actionId));
    }

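    @Override
    public void checkBaseModel(PermissionChecker permissionChecker, long groupId, long primaryKey, String actionId) throws PortalException {
        // Delegate to check(): an empty body would let every caller of this method through unchecked
        check(permissionChecker, groupId, primaryKey, actionId);
    }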
}

Implement permission checker in [Entity]ServiceImpl

The [Entity]ServiceImpl classes are in .../[project]-service/src/main/java/com/.../service/impl/[Entity]ServiceImpl.java. Remember to perform the check at the right moment: check first, before the delete/create/update/view/... operation.

// adding: check the top-level resource, since the entity doesn't exist yet
_[entity]PermissionChecker.checkTopLevel(
    getPermissionChecker(), groupid, ActionKeys.ADD_ENTRY);

// existing entity: check against the entity itself, using its own group id
_[entity]PermissionChecker.check(
    getPermissionChecker(), [entity].getGroupId(),
    [entity].get[Entity]Id(), ActionKeys.[UPDATE|VIEW|DELETE]);