You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by "Vikas Mayur (JIRA)" <ji...@apache.org> on 2010/04/01 14:20:27 UTC
[jira] Created: (OFBIZ-3632) Extending the service model to specify
more complex permissions using permission service
Extending the service model to specify more complex permissions using permission service
----------------------------------------------------------------------------------------
Key: OFBIZ-3632
URL: https://issues.apache.org/jira/browse/OFBIZ-3632
Project: OFBiz
Issue Type: Improvement
Components: framework, product
Reporter: Vikas Mayur
Priority: Minor
Fix For: SVN trunk
At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
For instance the following code in service definition
{code}
<required-permissions join-type="AND">
<permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
<permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
</required-permissions>
{code}
will replace the following code in service implementation.
{code}
<check-permission permission="FACILITY" action="_CREATE">
<fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
</check-permission>
<check-permission permission="FACILITY" action="_UPDATE">
<fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
</check-permission>
{code}
Similarly the code
{code}
<required-permissions join-type="OR">
<permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
<permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
</required-permissions>
{code}
will replace
{code}
<check-permission permission="FACILITY" action="_CREATE">
<alt-permission permission="FACILITY" action="_UPDATE"/>
<fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
</check-permission>
<check-errors/>
The patch also contains additional changes where the permission service is defined in the service definition.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-3632) Extending the service model to
specify more complex permissions using permission service
Posted by "David E. Jones (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852466#action_12852466 ]
David E. Jones commented on OFBIZ-3632:
---------------------------------------
Yet another reason to use simple-methods instead of Java as much as possible.
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-3632) Extending the service model to
specify more complex permissions using permission service
Posted by "Vikas Mayur (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852449#action_12852449 ]
Vikas Mayur commented on OFBIZ-3632:
------------------------------------
Hi Adrian,
Sorry, I did not closely followed the commits to this branch on new security design.
Is there any alternative way (or better way) to achieve the same solution as proposed in the patch?
The reason I am asking this because (assuming this is implemented in far better way in new security implementation) I have no idea when this branch will be merged
with trunk and the code is usable as well as this solution is required in one of my project where a user can run certain processes without necessarily having the
component specific permission by using the eca's rule to override the component specific permission (similar to implementation in assetmaint component.)
The eca's rule solution works fine until there is only one permission service included in the service def. With the submitted patch it will be possible to override
permission checking for a given number of permission services.
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-3632) Extending the service model to
specify more complex permissions using permission service
Posted by "Vikas Mayur (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852727#action_12852727 ]
Vikas Mayur commented on OFBIZ-3632:
------------------------------------
I am fine with either way whether we define the custom permissions since they would be very few (as mentioned by David) or use a declarative syntax (as mentioned by Adam.)
If the patch is fine, please let me know if this can be committed. If not I will now work on defining two custom permission services _createORupdate facilty permission_ and
_createANDupdate faciliy permission_.
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch, permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-3632) Extending the service model to specify
more complex permissions using permission service
Posted by "Gavin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gavin updated OFBIZ-3632:
-------------------------
Patch Info: [Patch Available]
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-3632) Extending the service model to
specify more complex permissions using permission service
Posted by "Adrian Crum (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852453#action_12852453 ]
Adrian Crum commented on OFBIZ-3632:
------------------------------------
I mentioned it mostly as a reminder that there is a solution to your problem already - it just needs to get tested and committed. The timeline depends on the rest of the community - the sooner others spend time with it, the sooner it will get committed.
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-3632) Extending the service model to specify
more complex permissions using permission service
Posted by "Vikas Mayur (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vikas Mayur updated OFBIZ-3632:
-------------------------------
Attachment: (was: permission.patch)
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-3632) Extending the service model to
specify more complex permissions using permission service
Posted by "Ashish Vijaywargiya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852362#action_12852362 ]
Ashish Vijaywargiya commented on OFBIZ-3632:
--------------------------------------------
Looks good!
--
Ashish Vijaywargiya
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-3632) Extending the service model to specify
more complex permissions using permission service
Posted by "Vikas Mayur (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vikas Mayur updated OFBIZ-3632:
-------------------------------
Attachment: permission.patch
Slightly modified patch to consider the failMessage returned by the permission service.
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch, permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-3632) Extending the service model to
specify more complex permissions using permission service
Posted by "Vikas Mayur (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852357#action_12852357 ]
Vikas Mayur commented on OFBIZ-3632:
------------------------------------
Patch attached for the improvement described above.
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-3632) Extending the service model to
specify more complex permissions using permission service
Posted by "David E. Jones (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852456#action_12852456 ]
David E. Jones commented on OFBIZ-3632:
---------------------------------------
A better solution to this right now would be to use the permission-service tag and implement it in a simple-method or Java. Either way, we've been trying to move away from definitions tied too closely to service definitions and implementations both. Having a separate permission service helps a little with this, but the external declarative permissions are the real way to go (just not easy to implement, especially the way OFBiz is currently architected, and even tougher since discussions about it haven't been very productive, it seems like it's hard for some people to understand the point of things like run-time call chain inheritance of permissions as opposed to location based inheritance of permissions).
If the point is to try to save a couple of lines of code... I guess that would make sense only if this is something you'll be doing dozens or hundreds of times.
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-3632) Extending the service model to
specify more complex permissions using permission service
Posted by "Adam Heath (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852464#action_12852464 ]
Adam Heath commented on OFBIZ-3632:
-----------------------------------
Adding lots and lots of permission servicese, will increase the amount of bytecode in the system. Unless all these new method are placed into their very own separate classes, and existing classes are split up to reduce coupling, then the permgen issue will get worse and worse.
So, having a declarative syntax available, so that a custom permission service doesn't need to exist, it a feature worth having.
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-3632) Extending the service model to specify
more complex permissions using permission service
Posted by "Vikas Mayur (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vikas Mayur updated OFBIZ-3632:
-------------------------------
Description:
At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
For instance the following code in service definition
{code}
<required-permissions join-type="AND">
<permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
<permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
</required-permissions>
{code}
will replace the following code in service implementation.
{code}
<check-permission permission="FACILITY" action="_CREATE">
<fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
</check-permission>
<check-permission permission="FACILITY" action="_UPDATE">
<fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
</check-permission>
{code}
Similarly the code
{code}
<required-permissions join-type="OR">
<permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
<permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
</required-permissions>
{code}
will replace
{code}
<check-permission permission="FACILITY" action="_CREATE">
<alt-permission permission="FACILITY" action="_UPDATE"/>
<fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
</check-permission>
<check-errors/>
{code}
The patch also contains additional changes where the permission service is defined in the service definition.
EDITS: Added missing ending \{code\} tag for the last code snippet
was:
At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
For instance the following code in service definition
{code}
<required-permissions join-type="AND">
<permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
<permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
</required-permissions>
{code}
will replace the following code in service implementation.
{code}
<check-permission permission="FACILITY" action="_CREATE">
<fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
</check-permission>
<check-permission permission="FACILITY" action="_UPDATE">
<fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
</check-permission>
{code}
Similarly the code
{code}
<required-permissions join-type="OR">
<permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
<permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
</required-permissions>
{code}
will replace
{code}
<check-permission permission="FACILITY" action="_CREATE">
<alt-permission permission="FACILITY" action="_UPDATE"/>
<fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
</check-permission>
<check-errors/>
The patch also contains additional changes where the permission service is defined in the service definition.
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-3632) Extending the service model to
specify more complex permissions using permission service
Posted by "Jeroen van der Wal (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852364#action_12852364 ]
Jeroen van der Wal commented on OFBIZ-3632:
-------------------------------------------
What happened to the fail-messages?
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-3632) Extending the service model to specify
more complex permissions using permission service
Posted by "Vikas Mayur (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vikas Mayur updated OFBIZ-3632:
-------------------------------
Attachment: permission.patch
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-3632) Extending the service model to
specify more complex permissions using permission service
Posted by "Adrian Crum (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852384#action_12852384 ]
Adrian Crum commented on OFBIZ-3632:
------------------------------------
Have you looked at the new security design in https://svn.apache.org/repos/asf/ofbiz/branches/executioncontext20091231?
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Assigned: (OFBIZ-3632) Extending the service model to
specify more complex permissions using permission service
Posted by "Vikas Mayur (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vikas Mayur reassigned OFBIZ-3632:
----------------------------------
Assignee: Vikas Mayur
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Assignee: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch, permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-3632) Extending the service model to specify
more complex permissions using permission service
Posted by "Vikas Mayur (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vikas Mayur updated OFBIZ-3632:
-------------------------------
Attachment: permission.patch
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (OFBIZ-3632) Extending the service model to specify
more complex permissions using permission service
Posted by "Vikas Mayur (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vikas Mayur closed OFBIZ-3632.
------------------------------
Resolution: Fixed
Committed the patch in two parts, framework only changes are in trunk rev. 930536 and applications only changes in trunk rev. 930537
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Assignee: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch, permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-3632) Extending the service model to
specify more complex permissions using permission service
Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12853240#action_12853240 ]
Jacques Le Roux commented on OFBIZ-3632:
----------------------------------------
Another phase could have been to i18n/l10n messages in permission services since they are a lot less now (ie using <fail-property instead of <fail-message)
> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Assignee: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch, permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more then one permission services by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
> <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
> <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
> <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
> <alt-permission permission="FACILITY" action="_UPDATE"/>
> <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.