Posted to dev@ofbiz.apache.org by Wai <bz...@gmail.com> on 2010/08/09 23:53:30 UTC

Role-based security is disabled


There is a section of code that is commented out in
ModelPermission.evalRoleMember().  The comment indicates that it is a
security risk.
Could someone tell me what risk it presents?

As this code is masked out, role-based security is effectively disabled.  In
addition, the code is looking for from/thru dates, which are not part of the
PartyRole entity.

Could someone provide some insight?

Thanks,
Wai


-- 
View this message in context: http://ofbiz.135035.n4.nabble.com/Role-based-security-is-disabled-tp2319089p2319089.html
Sent from the OFBiz - Dev mailing list archive at Nabble.com.

Re: Role-based security is disabled

Posted by Wai <bz...@gmail.com>.
Thanks for the reply, Scott.
Your reply makes a lot of sense.

https://cwiki.apache.org/confluence/display/OFBTECH/OFBiz+security gives a
brief description of role-based security.  Looking at the suggested
code of OrderService.hasPermission() and
ProductEvents.checkStoreCustomerRole(): OrderService.OrderServices() makes
use of the role type and relationship related to PartyRoles and
PartyRelationships, and ProductEvents.checkStoreCustomerRole() only
references the ProductStoreRole entity.

My conclusion is that a service defined as below would make little sense, since
the specified role is not qualified by a relationship, unless it is
expanded to include a from-role-type, to-role-type, relationship-type or
something like it related to a party or a party group.  I guess that is why
<check-role-member role-type=...> is never used anywhere in the code to
date.

<service name="someservice" ...>
    <required-permissions join-type="OR">
        <check-role-member role-type="SOMEPARTYROLE" />
    </required-permissions>
</service>

Since ModelPermission.evalRoleMember() deals with role type checks of
PartyRoles, it might be a good idea to remove it to avoid future confusion.
The same would apply to the <check-role-member role-type...> tag, unless I'm
missing some other uses for it.

Thanks,
Wai
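
To make Scott's point concrete, here is an added illustration in Python (constructed for this thread, not OFBiz code): a bare PartyRole check beside a check that qualifies the same role by an active PartyRelationship carrying the from/thru dates. The party ids, the EMPLOYER role and the EMPLOYMENT relationship type are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Simplified models of the two entities from the thread; dates live on PartyRelationship only.
@dataclass(frozen=True)
class PartyRole:
    party_id: str
    role_type_id: str

@dataclass(frozen=True)
class PartyRelationship:
    party_id_from: str
    role_type_id_from: str
    party_id_to: str
    role_type_id_to: str
    relationship_type_id: str
    from_date: date
    thru_date: Optional[date] = None  # None means still in effect

# Constructed sample data: party ids, EMPLOYER and EMPLOYMENT are hypothetical.
AS_OF = date(2010, 8, 10)  # fixed "now" so the checks are reproducible
PARTY_ROLES = {PartyRole(p, "EMPLOYEE") for p in ("alice", "bob", "mallory")}
PARTY_RELATIONSHIPS = [
    # alice: current employee of acme
    PartyRelationship("alice", "EMPLOYEE", "acme", "EMPLOYER", "EMPLOYMENT", date(2009, 1, 1)),
    # bob: employment with acme ended before AS_OF
    PartyRelationship("bob", "EMPLOYEE", "acme", "EMPLOYER", "EMPLOYMENT", date(2008, 1, 1), date(2010, 1, 1)),
    # mallory: employee, but of a different company
    PartyRelationship("mallory", "EMPLOYEE", "other_co", "EMPLOYER", "EMPLOYMENT", date(2009, 6, 1)),
]

def has_role(party_id: str, role_type_id: str) -> bool:
    """Bare PartyRole check: true for every EMPLOYEE of anyone, so it cannot authorize."""
    return PartyRole(party_id, role_type_id) in PARTY_ROLES

def is_active(rel: PartyRelationship, as_of: date) -> bool:
    """from_date inclusive, thru_date exclusive, open-ended when thru_date is None."""
    return rel.from_date <= as_of and (rel.thru_date is None or as_of < rel.thru_date)

def has_role_with(party_id: str, role_type_id: str, to_party_id: str,
                  to_role_type_id: str, relationship_type_id: str,
                  as_of: date = AS_OF) -> bool:
    """Qualified check: the role must also be backed by an active relationship
    of the given type to the given party in the given role."""
    return has_role(party_id, role_type_id) and any(
        r.party_id_from == party_id and r.role_type_id_from == role_type_id
        and r.party_id_to == to_party_id and r.role_type_id_to == to_role_type_id
        and r.relationship_type_id == relationship_type_id and is_active(r, as_of)
        for r in PARTY_RELATIONSHIPS)
```

With this data the bare check accepts mallory as an EMPLOYEE even though she has no relationship to acme, while the qualified check accepts only alice and rejects bob's expired employment.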

Re: Role-based security is disabled

Posted by Scott Gray <sc...@hotwaxmedia.com>.
Probably because PartyRole records actually mean very little by themselves and typically require some sort of context before they're useful.  For example it doesn't mean much to be an EMPLOYEE if we don't know what company you're employed by.

So you can't simply use PartyRole by itself as some sort of authorization mechanism.  That's my take on it at least, I didn't comment the code so I can't say for a fact what the motivation was.

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com



Re: Role-based security is disabled

Posted by Wai <bz...@gmail.com>.
Hello,
Any takers for this post?
Thanks