You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by "Andrew Zeneski (JIRA)" <ji...@apache.org> on 2009/04/29 06:59:31 UTC
[jira] Created: (OFBIZ-2380) Security Re-Implementation
Security Re-Implementation
--------------------------
Key: OFBIZ-2380
URL: https://issues.apache.org/jira/browse/OFBIZ-2380
Project: OFBiz
Issue Type: Improvement
Components: ALL COMPONENTS
Affects Versions: SVN trunk
Reporter: Andrew Zeneski
Assignee: Andrew Zeneski
Fix For: SVN trunk
Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Issue Comment Edited: (OFBIZ-2380) Security
Re-Implementation
Posted by "Andrew Zeneski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704342#action_12704342 ]
Andrew Zeneski edited comment on OFBIZ-2380 at 4/29/09 2:16 PM:
----------------------------------------------------------------
Revision 769928 - Base API - not enabled will not effect anything
Revision 769929 - Ext. API + Test Cases - Effects only when running tests
Revision 769936 - Service Engine Integration - dispatchContext.getAuthz() - used in check-permission tags
Revision 769937 - Controller Integration - use request.getAttribute("authz")
was (Author: jaz):
Revision 769928 - Base API - not enabled will not effect anything
Revision 769929 - Ext. API + Test Cases - Effects only when running tests
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2380) Security Re-Implementation
Posted by "Adrian Crum (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704356#action_12704356 ]
Adrian Crum commented on OFBIZ-2380:
------------------------------------
Andrew,
Following your logic then, FULLADMIN would have to include ALL possible permissions. Maybe it would help if your new framework could accept widlcards:
access:*
create:*
read:*
update:*
delete:*
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2380) Security Re-Implementation
Posted by "Andrew Zeneski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704178#action_12704178 ]
Andrew Zeneski commented on OFBIZ-2380:
---------------------------------------
Adrian,
I'm not sure I understand what you mean. There are "base" permissions :
access, create, read, update, delete
Which are all part of the seed data and associated with the FULLADMIN security group. These are indeed "admin" permissions since there is no granularity attached.
Check out the comments on the page : http://docs.ofbiz.org/x/JR4 there a brief description on how these permissions are handled. If I'm missing something, or not answering your question please let me know.
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2380) Security Re-Implementation
Posted by "Adrian Crum (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704387#action_12704387 ]
Adrian Crum commented on OFBIZ-2380:
------------------------------------
Andrew,
Thank you for the explanation. It's starting to make more sense now.
Getting all permissions would look something like:
*:party
where party is the context and a list of party permissions are returned. This is sorely needed, because right now if you need to query multiple permissions, you have to make multiple permission service calls. Let's say a block of code needs to check view, create, and update permissions (to control the display of screen elements for example). Right now three permission checks would have to be made. It would be nice to get a list of permissions, then check the list for view, create, and update.
The Jira comments are sent to the dev list, so this discussion is already there.
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Issue Comment Edited: (OFBIZ-2380) Security
Re-Implementation
Posted by "Andrew Zeneski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704342#action_12704342 ]
Andrew Zeneski edited comment on OFBIZ-2380 at 4/29/09 2:29 PM:
----------------------------------------------------------------
*Commit History*
Revision 769928 - Base API - not enabled will not effect anything
Revision 769929 - Ext. API + Test Cases - Effects only when running tests
Revision 769936 - Service Engine Integration - dispatchContext.getAuthz() - used in check-permission tags
Revision 769937 - Controller Integration - use request.getAttribute("authz") - ACTIVE IN CoreEvents.java
Revision 769943 - Widget Integration - enabled when NOT using an action="" element
Revision 769944 - Themes Integration - uses both APIs for checking permission
was (Author: jaz):
*Commit History*
Revision 769928 - Base API - not enabled will not effect anything
Revision 769929 - Ext. API + Test Cases - Effects only when running tests
Revision 769936 - Service Engine Integration - dispatchContext.getAuthz() - used in check-permission tags
Revision 769937 - Controller Integration - use request.getAttribute("authz") - ACTIVE IN CoreEvents.java
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2380) Security Re-Implementation
Posted by "Andrew Zeneski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704380#action_12704380 ]
Andrew Zeneski commented on OFBIZ-2380:
---------------------------------------
To answer your first question, if a user has 'update' that is effectively the same as 'update:*', the * is just not needed. If the user has 'update:party' then that would mean 'update:party:*'. We define the most granular permission required when defining the permission for a piece of functionality. So, to update person information the permission would be defined as 'update:party:detail:${partyId}'. The partyId would be expanded at runtime.
The user will need either:
update
update:party
update:party:detail
Or if none of these permissions are associated with the user, then the DA logic kicks in to see if they are allowed to access the single party record.
So,
1. 'update' means update anything in the entire system,
2. 'update:party' means update anything in the party app.
3. 'update:party:detail' means update any party's detail information (name, groupName, etc)
As for you second comment, I'd like to hear more about this. I'm not sure how that would look and what the definition of 'context' is in this case. But I'm happy to add something which are helpful! :) We can take this over to the dev list if you like.
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2380) Security Re-Implementation
Posted by "Adrian Crum (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704129#action_12704129 ]
Adrian Crum commented on OFBIZ-2380:
------------------------------------
Andrew,
Why doesn't the new security API accommodate an admin permission? If the goal is to make the new API more like other software, shouldn't it include a supervisor/super user/admin permission?
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2380) Security Re-Implementation
Posted by "Adrian Crum (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704489#action_12704489 ]
Adrian Crum commented on OFBIZ-2380:
------------------------------------
Thinking about this more...
(sorry - it would have been helpful to discuss this on the dev ml before you got started)
it would be awesome if the new permissions could be expressions. Example:
(update:context1 | update:context2) & update:context3
which would express "if (update:context1 OR update:context2) AND update:context3."
I know there have been times when this would have been helpful in the permissions service interface. It would eliminate a lot of little mini-language permissions scripts. The single permission check for service calls is very limiting.
After working with UEL, I can see where implementing functions would be helpful too:
update:context1 & someFunction(...)
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2380) Security Re-Implementation
Posted by "Andrew Zeneski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704342#action_12704342 ]
Andrew Zeneski commented on OFBIZ-2380:
---------------------------------------
Revision 769928 - Base API - not enabled will not effect anything
Revision 769929 - Ext. API + Test Cases - Effects only when running tests
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2380) Security Re-Implementation
Posted by "Andrew Zeneski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Zeneski updated OFBIZ-2380:
----------------------------------
Comment: was deleted
(was: *Commit History*
Revision 769928 - Base API - not enabled will not effect anything
Revision 769929 - Ext. API + Test Cases - Effects only when running tests
Revision 769936 - Service Engine Integration - dispatchContext.getAuthz() - used in check-permission tags
Revision 769937 - Controller Integration - use request.getAttribute("authz") - ACTIVE IN CoreEvents.java
Revision 769943 - Widget Integration - enabled when NOT using an action="" element
Revision 769944 - Themes Integration - uses both APIs for checking permission
Revision 769963 - Fix for infinite looping when using hasPermission from service based DA implementations
Revision 769965 - MiniLang (Simple Method) integration - enabled when NOT using an action="" element)
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2380) Security Re-Implementation
Posted by "Adrian Crum (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704358#action_12704358 ]
Adrian Crum commented on OFBIZ-2380:
------------------------------------
Also, it would be helpful if the new API would return all permissions for a given context. I had suggested this on the dev mailing list some time ago, and there seemed to be some interest.
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Issue Comment Edited: (OFBIZ-2380) Security
Re-Implementation
Posted by "Andrew Zeneski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704342#action_12704342 ]
Andrew Zeneski edited comment on OFBIZ-2380 at 4/29/09 3:11 PM:
----------------------------------------------------------------
*Commit History*
Revision 769928 - Base API - not enabled will not effect anything
Revision 769929 - Ext. API + Test Cases - Effects only when running tests
Revision 769936 - Service Engine Integration - dispatchContext.getAuthz() - used in check-permission tags
Revision 769937 - Controller Integration - use request.getAttribute("authz") - ACTIVE IN CoreEvents.java
Revision 769943 - Widget Integration - enabled when NOT using an action="" element
Revision 769944 - Themes Integration - uses both APIs for checking permission
Revision 769963 - Fix for infinite looping when using hasPermission from service based DA implementations
Revision 769965 - MiniLang (Simple Method) integration - enabled when NOT using an action="" element
was (Author: jaz):
*Commit History*
Revision 769928 - Base API - not enabled will not effect anything
Revision 769929 - Ext. API + Test Cases - Effects only when running tests
Revision 769936 - Service Engine Integration - dispatchContext.getAuthz() - used in check-permission tags
Revision 769937 - Controller Integration - use request.getAttribute("authz") - ACTIVE IN CoreEvents.java
Revision 769943 - Widget Integration - enabled when NOT using an action="" element
Revision 769944 - Themes Integration - uses both APIs for checking permission
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Issue Comment Edited: (OFBIZ-2380) Security
Re-Implementation
Posted by "Andrew Zeneski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704342#action_12704342 ]
Andrew Zeneski edited comment on OFBIZ-2380 at 4/29/09 2:17 PM:
----------------------------------------------------------------
*Commit History*
Revision 769928 - Base API - not enabled will not effect anything
Revision 769929 - Ext. API + Test Cases - Effects only when running tests
Revision 769936 - Service Engine Integration - dispatchContext.getAuthz() - used in check-permission tags
Revision 769937 - Controller Integration - use request.getAttribute("authz") - ACTIVE IN CoreEvents.java
was (Author: jaz):
*Commit History*
Revision 769928 - Base API - not enabled will not effect anything
Revision 769929 - Ext. API + Test Cases - Effects only when running tests
Revision 769936 - Service Engine Integration - dispatchContext.getAuthz() - used in check-permission tags
Revision 769937 - Controller Integration - use request.getAttribute("authz")
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2380) Security Re-Implementation
Posted by "Andrew Zeneski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Zeneski updated OFBIZ-2380:
----------------------------------
Component/s: (was: ALL COMPONENTS)
framework
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Issue Comment Edited: (OFBIZ-2380) Security
Re-Implementation
Posted by "Andrew Zeneski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704342#action_12704342 ]
Andrew Zeneski edited comment on OFBIZ-2380 at 4/29/09 2:16 PM:
----------------------------------------------------------------
*Commit History*
Revision 769928 - Base API - not enabled will not effect anything
Revision 769929 - Ext. API + Test Cases - Effects only when running tests
Revision 769936 - Service Engine Integration - dispatchContext.getAuthz() - used in check-permission tags
Revision 769937 - Controller Integration - use request.getAttribute("authz")
was (Author: jaz):
Revision 769928 - Base API - not enabled will not effect anything
Revision 769929 - Ext. API + Test Cases - Effects only when running tests
Revision 769936 - Service Engine Integration - dispatchContext.getAuthz() - used in check-permission tags
Revision 769937 - Controller Integration - use request.getAttribute("authz")
> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.