Currently, we can define request-map which invokes Java method, like following example:
<request-map uri="searchAddToCategory"> <security https="true" auth="true"/> <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/> <response name="success" type="view" value="keywordsearch"/> <response name="error" type="view" value="keywordsearch"/> </request-map> Security element just checks, if user is Signed in or not. If you want to add permission check, you will have to keep adding code inside java method. And if developer forgets, it opens up security whole. We can do security check on Views, but that is too late, in the sense code is already executed inside the method. In our code we have already added following additional attributes, which checks permissions before it executes the code. <request-map uri="searchAddToCategory"> <security https="true" auth="true" > <condition> <if-has-permission permission="XYZ" action="_CREATE"/> </condition> </security> <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/> <response name="success" type="view" value="keywordsearch"/> <response name="error" type="view" value="keywordsearch"/> </request-map> I have patch for this, I am wondering if we like to add as part of feature or does anyone have better idea to handle. |
Administrator
|
Hi,
Your message has been moderated. Please subscribe to the dev ML for next exchanges http://ofbiz.apache.org/mailing-lists.html Thanks Jacques Le 09/07/2018 à 19:43, [hidden email] a écrit : > Currently, we can define request-map which invokes Java method, like following example: > <request-map uri="searchAddToCategory"> > <security https="true" auth="true"/> > <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/> > <response name="success" type="view" value="keywordsearch"/> > <response name="error" type="view" value="keywordsearch"/> > </request-map> > > Security element just checks, if user is Signed in or not. If you want to add permission check, you will have to keep adding code inside java method. And if developer forgets, it opens up security whole. > > We can do security check on Views, but that is too late, in the sense code is already executed inside the method. > > In our code we have already added following additional attributes, which checks permissions before it executes the code. > <request-map uri="searchAddToCategory"> > <security https="true" auth="true" > > <condition> > <if-has-permission permission="XYZ" action="_CREATE"/> > </condition> > </security> > <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/> > <response name="success" type="view" value="keywordsearch"/> > <response name="error" type="view" value="keywordsearch"/> > </request-map> > > > I have patch for this, I am wondering if we like to add as part of feature or does anyone have better idea to handle. > > > > |
Administrator
|
In reply to this post by nigade@gmail.com
Le 09/07/2018 à 19:43, [hidden email] a écrit :
> Currently, we can define request-map which invokes Java method, like following example: > <request-map uri="searchAddToCategory"> > <security https="true" auth="true"/> > <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/> > <response name="success" type="view" value="keywordsearch"/> > <response name="error" type="view" value="keywordsearch"/> > </request-map> > > Security element just checks, if user is Signed in or not. If you want to add permission check, you will have to keep adding code inside java method. And if developer forgets, it opens up security whole. Actually it's not a security hole as in a CVE, just a permission hole ;) > We can do security check on Views, but that is too late, in the sense code is already executed inside the method. > > In our code we have already added following additional attributes, which checks permissions before it executes the code. > <request-map uri="searchAddToCategory"> > <security https="true" auth="true" > > <condition> > <if-has-permission permission="XYZ" action="_CREATE"/> > </condition> > </security> > <event type="java" path="org.ofbiz.product.product.ProductSearchEvents" invoke="searchAddToCategory"/> > <response name="success" type="view" value="keywordsearch"/> > <response name="error" type="view" value="keywordsearch"/> > </request-map> > > > I have patch for this, I am wondering if we like to add as part of feature or does anyone have better idea to handle. That's interesting, I recommend to create a Jira and to attach a patch. This should help you: https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices Thanks Jacques |
Free forum by Nabble | Edit this page |