Published Sep. 10, 2025

Object entry reviewer to have access only to currently reviewed object, not to all entries

Written by

Sorin Pop

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.


Issue

  • Issue description:
    I have enabled a review workflow for an object and noticed that if I want the reviewer to be able to edit the submitted object entry during the review task, I need to add the "Access in Control Panel" permission to the reviewer's role. But that is too much, because this means that this reviewer user will also be able to view and edit all other entries of that object, while I would like him to be able to do this only for that specific entry, during the review task.

    Steps to demonstrate the matter:
    1. Create a company-scoped object Car with a Text field name.
    2. Create a new regular role "Car Reviewer" with the permissions in the attached screenshot (so basically you provide update and view permissions for cars)
    3. Update the built-in Single Approver workflow and add to the review task the assignment to the role above as well.
    4. Create a new user A and assign him to the Car Reviewer role.
    5. Enable Single Approver workflow for car.
    6. Add a new car entry.
    7. As user A, go to My Workflow tasks, assign the review task to yourself and then click on the Edit button.
    Result: you get an error that you do not have the required permissions to access this portlet (something like that)
    8. Go back to editing the Car Reviewer role and add “Access In Control Panel” permission (for cars)
    9. Go to that review task again and click the Edit button.
    Result: Now the edit form is loaded and you can change the name of the car (and then approve the entry)
    But the problem is that, as user A, now you can also go to Control Panel/Cars and see there all the cars (and do whatever you want there).

Environment

  • 2025.q1

Resolution

  • If you assign only the Update and Access in Control Panel permissions to the role, and then grant View permission at the entry level (only for the specific entry), it works: the user will be able to edit the entry and only see what they've been explicitly granted permission to view.
     
    Working along the example steps provided above: the car creator will need to do an additional operation every time after creating a new car → assigning the View permission for that new car to the Car Reviewer role. Actually, at first I wasn’t even sure if this is possible, assuming of course that the car creators will not be portal admins (as in the simplified steps above). But I have now managed to create a Car Creator regular role with just enough permissions to create a car and change its permissions, so this might actually work. Alternatively, you could also think of assigning that View permission for that new car to the Car Reviewer role programmatically, automatically with a script embedded in the workflow itself (for example, the workflow starts by assigning this individual View permission to the car that is just about to be reviewed).
     
    Please find below an updated version of the steps, showing what an example use case would look like (starting from the previous steps):
     
    Steps to demonstrate the matter:
    0. Log in as admin.
    1. Create a company-scoped object Car with a Text field name.
    2. Create a new regular role "Car Reviewer" with the permissions in the previous attached screenshot (so basically you provide Update and Access in Control Panel permissions for cars)
    3. Create a new regular role "Car Creator" and add to it the permissions in the attached screenshot (basically to add cars and to set their permissions)
    4. Update the built-in Single Approver workflow and add to the review task the assignment to the role above as well.
    5. Create a new user A and assign him to the Car Reviewer role.
    6. Create a new user B and assign him to the Car Creator role. Also add this user to the default site, to be a site member.
    7. Enable Single Approver workflow for car.
    8. Create a new Content Page in the default site and put the cars widget on it.
    9. Log in as B (the car creator) and go to that page.
    10. Add a new car entry (type its name erroneously, e.g. Volv). After you have added it, choose Actions/Permissions and tick the View permission for the Car Reviewer role.
    11. As user A (the car reviewer), go to My Workflow tasks, assign the review task to yourself and then click on the Edit button.
    Result: you can correct the name of the car (Volv --> Volvo), then you can approve.
    And at this point, if the reviewer goes to the cars application in Control Panel, they will of course see this car, but will see all the other cars created (and possibly reviewed by other reviewers). Maybe you would not like that, I don't know. In that case you can insert an additional step: as soon as the car has been approved, its creator removes the View permission for the Car Reviewer role (or, yet again, this could be embedded automatically in the workflow).
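One way to embed both the grant and the later removal in the workflow itself, as the resolution suggests, is a Groovy script attached to a workflow action. This is an added example, not code from the article or from Liferay. It assumes that the entry class name in the workflow context is the resource name under which the object entry's permissions are stored, that the role is named "Car Reviewer" as in the steps above, and that the `grant` switch (a hypothetical name) is flipped in the copy that runs after approval.

```groovy
// Added example (not Liferay's or the article author's code).
// Runs as a Groovy script in a workflow action; `workflowContext`
// is the map the workflow engine binds into the script.
import com.liferay.portal.kernel.model.ResourceConstants
import com.liferay.portal.kernel.model.Role
import com.liferay.portal.kernel.security.permission.ActionKeys
import com.liferay.portal.kernel.service.ResourcePermissionLocalServiceUtil
import com.liferay.portal.kernel.service.RoleLocalServiceUtil
import com.liferay.portal.kernel.util.GetterUtil
import com.liferay.portal.kernel.workflow.WorkflowConstants

// Hypothetical switch: true in the script that runs when the review
// starts, false in the copy that runs once the entry is approved.
boolean grant = true

// Role name taken from the steps in this article.
String reviewerRoleName = "Car Reviewer"

long companyId = GetterUtil.getLong(
    workflowContext.get(WorkflowConstants.CONTEXT_COMPANY_ID))
long classPK = GetterUtil.getLong(
    workflowContext.get(WorkflowConstants.CONTEXT_ENTRY_CLASS_PK))

// Assumption: for an object entry this is the object definition's
// class name, which is also its permission resource name.
String resourceName = (String) workflowContext.get(
    WorkflowConstants.CONTEXT_ENTRY_CLASS_NAME)

if (companyId <= 0 || classPK <= 0 || !resourceName) {
    // Fail closed: never touch permissions on an unidentified entry.
    throw new IllegalStateException(
        "Workflow context does not identify the entry under review")
}

Role role = RoleLocalServiceUtil.getRole(companyId, reviewerRoleName)

// SCOPE_INDIVIDUAL limits the change to this one entry, so the role
// gains (or loses) View on the reviewed car only, not on all cars.
if (grant) {
    ResourcePermissionLocalServiceUtil.addResourcePermission(
        companyId, resourceName, ResourceConstants.SCOPE_INDIVIDUAL,
        String.valueOf(classPK), role.getRoleId(), ActionKeys.VIEW)
} else {
    ResourcePermissionLocalServiceUtil.removeResourcePermission(
        companyId, resourceName, ResourceConstants.SCOPE_INDIVIDUAL,
        String.valueOf(classPK), role.getRoleId(), ActionKeys.VIEW)
}
```

After deploying the script, confirm in the entry's Actions/Permissions dialog that View for Car Reviewer appears when the review starts and is gone after approval.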

 
