Add permission and conditions to request-map


Add permission and conditions to request-map

nigade@gmail.com
Currently, we can define a request-map which invokes a Java method, like the following example:
<request-map uri="searchAddToCategory">
    <security https="true" auth="true"/>
    <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/>
    <response name="success" type="view" value="keywordsearch"/>
    <response name="error" type="view" value="keywordsearch"/>
</request-map>

The security element just checks if the user is signed in or not. If you want to add a permission check, you will have to keep adding code inside the Java method. And if the developer forgets, it opens up a security hole.

We can do a security check on views, but that is too late, in the sense that the code has already been executed inside the method.

In our code we have already added the following additional attributes, which check permissions before the code executes.
<request-map uri="searchAddToCategory">
    <security https="true" auth="true">
        <condition>
            <if-has-permission permission="XYZ" action="_CREATE"/>
        </condition>
    </security>
    <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/>
    <response name="success" type="view" value="keywordsearch"/>
    <response name="error" type="view" value="keywordsearch"/>
</request-map>


I have a patch for this. I am wondering if we would like to add it as part of the feature, or does anyone have a better idea to handle this?
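To make the point of the proposal concrete, here is an added example that is not part of the post and not OFBiz's own controller code: a small Python model of a request handler that parses the request-map above and evaluates the `<security>` block, including the proposed `<condition><if-has-permission/></condition>`, before the event method is ever invoked. The permission semantics (a user passes `permission="XYZ" action="_CREATE"` when holding `XYZ_ADMIN` or `XYZ_CREATE`) are an assumption mirroring OFBiz's entity-permission convention; the user records and the event handler are constructed sample data. Unknown condition elements are treated as a denial so that a typo in the configuration fails closed rather than open.

```python
"""
Added example (not OFBiz code): enforce <security><condition> from a
request-map before dispatching the event, so a forgotten in-method
permission check cannot open a permission hole.
"""
import xml.etree.ElementTree as ET

# Constructed sample input: the request-map proposed in the post, wrapped in a root element.
CONTROLLER_XML = """
<site-conf>
  <request-map uri="searchAddToCategory">
    <security https="true" auth="true">
      <condition>
        <if-has-permission permission="XYZ" action="_CREATE"/>
      </condition>
    </security>
    <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/>
    <response name="success" type="view" value="keywordsearch"/>
    <response name="error" type="view" value="keywordsearch"/>
  </request-map>
</site-conf>
"""


class RequestDenied(Exception):
    """Raised when the <security> block rejects the request before the event runs."""


def has_entity_permission(user_permissions, permission, action):
    # Assumption mirroring OFBiz's entity-permission convention:
    # "<permission>_ADMIN" grants everything, otherwise "<permission><action>" is required.
    return (permission + "_ADMIN") in user_permissions or (permission + action) in user_permissions


def load_request_maps(xml_text):
    """Index every <request-map> by its uri attribute."""
    root = ET.fromstring(xml_text)
    return {rm.get("uri"): rm for rm in root.findall("request-map")}


def check_security(request_map, user):
    """Evaluate <security> for the request. user is None (anonymous) or {'permissions': set}.
    Anything the evaluator does not understand is a denial (fail closed)."""
    sec = request_map.find("security")
    if sec is None:
        return
    if sec.get("auth") == "true" and user is None:
        raise RequestDenied("login required")
    cond = sec.find("condition")
    if cond is None:
        return
    for check in cond:
        if check.tag != "if-has-permission":
            raise RequestDenied("unsupported condition element <%s>" % check.tag)
        perm, action = check.get("permission"), check.get("action", "")
        if user is None or not has_entity_permission(user["permissions"], perm, action):
            raise RequestDenied("missing permission %s%s" % (perm, action))


def handle_request(uri, user, event_handlers, request_maps):
    """Dispatch a request: security first, event second, then map the event result to a view."""
    rm = request_maps.get(uri)
    if rm is None:
        raise RequestDenied("no request-map for uri %r" % uri)
    check_security(rm, user)  # runs before any event code
    ev = rm.find("event")
    result = event_handlers[(ev.get("path"), ev.get("invoke"))]()
    response = rm.find("response[@name='%s']" % result)
    if response is None:
        raise RequestDenied("no response mapped for result %r" % result)
    return response.get("value")


def simulate():
    """Run four constructed users through the handler; return (outcomes, event call log)."""
    calls = []

    def search_add_to_category():
        calls.append("searchAddToCategory")  # records that the event body actually ran
        return "success"

    handlers = {("org.ofbiz.product.product.ProductSearchEvents", "searchAddToCategory"): search_add_to_category}
    maps = load_request_maps(CONTROLLER_XML)
    users = [
        ("anonymous", None),
        ("no_perm", {"permissions": {"CATALOG_VIEW"}}),
        ("creator", {"permissions": {"XYZ_CREATE"}}),
        ("admin", {"permissions": {"XYZ_ADMIN"}}),
    ]
    outcomes = {}
    for label, user in users:
        try:
            outcomes[label] = handle_request("searchAddToCategory", user, handlers, maps)
        except RequestDenied as exc:
            outcomes[label] = "denied: " + str(exc)
    return outcomes, calls


if __name__ == "__main__":
    outcomes, calls = simulate()
    for label, outcome in outcomes.items():
        print("%-10s %s" % (label, outcome))
    print("event executed %d times" % len(calls))
```

The call log is the part worth checking: the event body runs exactly twice (for the two users holding a qualifying permission), never for the anonymous or under-privileged user, which is what a view-level check cannot guarantee.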




Re: Add permission and conditions to request-map

Jacques Le Roux
Administrator
Hi,

Your message has been moderated. Please subscribe to the dev ML for next exchanges

http://ofbiz.apache.org/mailing-lists.html

Thanks

Jacques


On 09/07/2018 at 19:43, [hidden email] wrote:

> Currently, we can define a request-map which invokes a Java method, like the following example:
> <request-map uri="searchAddToCategory">
>          <security https="true" auth="true"/>
>          <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/>
>          <response name="success" type="view" value="keywordsearch"/>
>          <response name="error" type="view" value="keywordsearch"/>
>   </request-map>
>
> The security element just checks if the user is signed in or not. If you want to add a permission check, you will have to keep adding code inside the Java method. And if the developer forgets, it opens up a security hole.
>
> We can do a security check on views, but that is too late, in the sense that the code has already been executed inside the method.
>
> In our code we have already added the following additional attributes, which check permissions before the code executes.
> <request-map uri="searchAddToCategory">
>          <security https="true" auth="true" >
>             <condition>
>         <if-has-permission permission="XYZ" action="_CREATE"/>
>              </condition>
>          </security>
>          <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/>
>          <response name="success" type="view" value="keywordsearch"/>
>          <response name="error" type="view" value="keywordsearch"/>
>   </request-map>
>
>
> I have a patch for this. I am wondering if we would like to add it as part of the feature, or does anyone have a better idea to handle this?


Re: Add permission and conditions to request-map

Jacques Le Roux
Administrator
On 09/07/2018 at 19:43, [hidden email] wrote:
> Currently, we can define a request-map which invokes a Java method, like the following example:
> <request-map uri="searchAddToCategory">
>          <security https="true" auth="true"/>
>          <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/>
>          <response name="success" type="view" value="keywordsearch"/>
>          <response name="error" type="view" value="keywordsearch"/>
>   </request-map>
>
> The security element just checks if the user is signed in or not. If you want to add a permission check, you will have to keep adding code inside the Java method. And if the developer forgets, it opens up a security hole.
Actually it's not a security hole as in a CVE, just a permission hole ;)

> We can do a security check on views, but that is too late, in the sense that the code has already been executed inside the method.
>
> In our code we have already added the following additional attributes, which check permissions before the code executes.
> <request-map uri="searchAddToCategory">
>          <security https="true" auth="true" >
>             <condition>
>         <if-has-permission permission="XYZ" action="_CREATE"/>
>              </condition>
>          </security>
>          <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/>
>          <response name="success" type="view" value="keywordsearch"/>
>          <response name="error" type="view" value="keywordsearch"/>
>   </request-map>
>
>
> I have a patch for this. I am wondering if we would like to add it as part of the feature, or does anyone have a better idea to handle this?

That's interesting, I recommend creating a Jira and attaching the patch.

This should help you: https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices

Thanks

Jacques