Liferay 7.4 | How to Check File Entry Permissions in a Servlet?


I'm working on a servlet within a Liferay portal environment and need to check user permissions to determine if a user has access to view a specific file. However, I'm encountering difficulties accessing the necessary context and objects to perform these permission checks.

Servlet code snippet to get the PermissionChecker object, but it returns null:

import com.liferay.portal.kernel.security.permission.PermissionChecker;
import com.liferay.portal.kernel.security.permission.PermissionThreadLocal;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response) {

        PermissionChecker permissionChecker = PermissionThreadLocal.getPermissionChecker();

        
    }
}

What steps should I follow to get this permission check object? My aim is to check whether the user who is hitting the servlet URL has access to view the file or not.

1

There is 1 answer

4
Ricardo Gellman On BEST ANSWER

I would follow the approach to get credentials from what you provided so far, the request in that case, and according to the answers, authorize or associate exceptions to response codes:

import com.liferay.document.library.kernel.model.DLFileEntry;
import com.liferay.document.library.kernel.service.DLFileEntryLocalServiceUtil;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.security.permission.ActionKeys;
import com.liferay.portal.kernel.security.permission.PermissionChecker;
import com.liferay.portal.kernel.security.permission.PermissionCheckerFactoryUtil;
import com.liferay.portal.kernel.service.UserLocalServiceUtil;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {

        // userId is read from the request, so its value is chosen by the caller
        String userIdString = request.getParameter("userId");

        // Check if user ID exists
        if (userIdString == null || userIdString.isEmpty()) {
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        long userId;
        long fileId;

        try {
            userId = Long.parseLong(userIdString);
            fileId = Long.parseLong(request.getParameter("fileId"));
        } catch (NumberFormatException e) {
            // Missing or non-numeric userId / fileId
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        try {
            DLFileEntry fileEntry = DLFileEntryLocalServiceUtil.getFileEntry(fileId);

            // Check if the user has permission to view the file
            boolean hasViewPermission = hasViewPermission(userId, fileEntry);

            if (hasViewPermission) {
                // authorized logic
            } else {
                // User doesn't have permission
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        } catch (PortalException e) {
            // file not found
            response.setStatus(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
    }

    private boolean hasViewPermission(long userId, DLFileEntry fileEntry) {
        try {
            // Get the PermissionChecker associated with the user ID.
            // PermissionThreadLocal.getPermissionChecker() returned null in the
            // question's servlet, so the checker is built from the user instead.
            User user = UserLocalServiceUtil.getUser(userId);
            PermissionChecker permissionChecker = PermissionCheckerFactoryUtil.create(user);

            // Check if the user has view permission for the file entry
            return permissionChecker.hasPermission(fileEntry.getGroupId(),
                    DLFileEntry.class.getName(), fileEntry.getFileEntryId(), ActionKeys.VIEW);
        } catch (PortalException e) {
            // Handle exception and state not permitted
            return false;
        }
    }
}
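
The answer's code takes userId from a request parameter, so the permission check runs for whichever user the caller names. The following added example (not part of the answer or of Liferay's own code) binds the check to the signed-in user instead and returns the same status for a denied and a missing file. It assumes the servlet is reached through the portal's filter chain so that PortalUtil.getUser(request) can resolve the session user; the class name is hypothetical.

```java
import com.liferay.document.library.kernel.model.DLFileEntry;
import com.liferay.document.library.kernel.service.DLFileEntryLocalServiceUtil;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.security.permission.ActionKeys;
import com.liferay.portal.kernel.security.permission.PermissionChecker;
import com.liferay.portal.kernel.security.permission.PermissionCheckerFactoryUtil;
import com.liferay.portal.kernel.util.PortalUtil;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; only fileId is read from the request.
public class SessionBoundFileServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        long fileId;
        try {
            // parseLong(null) also throws NumberFormatException
            fileId = Long.parseLong(request.getParameter("fileId"));
        } catch (NumberFormatException e) {
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            // Identity comes from the portal session, never from a parameter.
            User user = PortalUtil.getUser(request);
            if (user == null) {
                // Not signed in (assumption: guests get no access here)
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            PermissionChecker checker = PermissionCheckerFactoryUtil.create(user);
            DLFileEntry entry = DLFileEntryLocalServiceUtil.getFileEntry(fileId);
            if (!checker.hasPermission(entry.getGroupId(), DLFileEntry.class.getName(),
                    entry.getFileEntryId(), ActionKeys.VIEW)) {
                // Denied looks like "not found", so file IDs cannot be probed.
                response.setStatus(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            // authorized logic: stream the file to the response here
        } catch (PortalException e) {
            // Unknown fileId or user lookup failure
            response.setStatus(HttpServletResponse.SC_NOT_FOUND);
        }
    }
}
```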