You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ofbiz.apache.org by ni...@gmail.com, ni...@gmail.com on 2018/07/09 17:43:57 UTC

Add permission and conditions to request-map

Currently, we can define request-map which invokes Java method, like following example:
<request-map uri="searchAddToCategory">
        <security https="true" auth="true"/>
        <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/>
        <response name="success" type="view" value="keywordsearch"/>
        <response name="error" type="view" value="keywordsearch"/>
 </request-map>

Security element just checks, if user is Signed in or not. If you want to add permission check, you will have to keep adding code inside java method. And if developer forgets, it opens up security whole. 

We can do security check on Views, but that is too late, in the sense code is already executed inside the method.

In our code we have already added following additional attributes, which checks permissions before it executes the code.
<request-map uri="searchAddToCategory">
        <security https="true" auth="true" >
           <condition>
       			<if-has-permission permission="XYZ" action="_CREATE"/>
            </condition>
        </security>
        <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/>
        <response name="success" type="view" value="keywordsearch"/>
        <response name="error" type="view" value="keywordsearch"/>
 </request-map>


I have patch for this, I am wondering if we like to add as part of feature or does anyone have better idea to handle.

Re: Add permission and conditions to request-map

Posted by Jacques Le Roux <ja...@les7arts.com>.

Hi,

Your message has been moderated. Please subscribe to the dev ML for next exchanges

http://ofbiz.apache.org/mailing-lists.html

Thanks

Jacques


Le 09/07/2018 à 19:43, nigade@gmail.com a écrit :
> Currently, we can define request-map which invokes Java method, like following example:
> <request-map uri="searchAddToCategory">
>          <security https="true" auth="true"/>
>          <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/>
>          <response name="success" type="view" value="keywordsearch"/>
>          <response name="error" type="view" value="keywordsearch"/>
>   </request-map>
>
> Security element just checks, if user is Signed in or not. If you want to add permission check, you will have to keep adding code inside java method. And if developer forgets, it opens up security whole.
>
> We can do security check on Views, but that is too late, in the sense code is already executed inside the method.
>
> In our code we have already added following additional attributes, which checks permissions before it executes the code.
> <request-map uri="searchAddToCategory">
>          <security https="true" auth="true" >
>             <condition>
>         			<if-has-permission permission="XYZ" action="_CREATE"/>
>              </condition>
>          </security>
>          <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/>
>          <response name="success" type="view" value="keywordsearch"/>
>          <response name="error" type="view" value="keywordsearch"/>
>   </request-map>
>
>
> I have patch for this, I am wondering if we like to add as part of feature or does anyone have better idea to handle.
>
>
>
>

Re: Add permission and conditions to request-map

Posted by Jacques Le Roux <ja...@les7arts.com>.

Le 09/07/2018 à 19:43, nigade@gmail.com a écrit :
> Currently, we can define request-map which invokes Java method, like following example:
> <request-map uri="searchAddToCategory">
>          <security https="true" auth="true"/>
>          <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/>
>          <response name="success" type="view" value="keywordsearch"/>
>          <response name="error" type="view" value="keywordsearch"/>
>   </request-map>
>
> Security element just checks, if user is Signed in or not. If you want to add permission check, you will have to keep adding code inside java method. And if developer forgets, it opens up security whole.
Actually it's not a security  hole as in a CVE, just a permission hole ;)

> We can do security check on Views, but that is too late, in the sense code is already executed inside the method.
>
> In our code we have already added following additional attributes, which checks permissions before it executes the code.
> <request-map uri="searchAddToCategory">
>          <security https="true" auth="true" >
>             <condition>
>         			<if-has-permission permission="XYZ" action="_CREATE"/>
>              </condition>
>          </security>
>          <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/>
>          <response name="success" type="view" value="keywordsearch"/>
>          <response name="error" type="view" value="keywordsearch"/>
>   </request-map>
>
>
> I have patch for this, I am wondering if we like to add as part of feature or does anyone have better idea to handle.

That's interesting, I recommend to create a Jira and to attach a patch.

This should help you: https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices

Thanks

Jacques