Hi forum,

Some of my requests will contain a parameter (UpliftId) that holds an identifier for an entity record. This is to provide record level security checks. Is there a way of performing this check in the controller so that every (logged in) request that has the parameter UpliftId is checked to ensure that the userLoginId has access to the UpliftId?

Many thanks in advance,

Chris
|
http://markmail.org/message/3qpow4arm6tdqqp2
Also it seems that there would be an effort soon in this area http://docs.ofbiz.org/display/~jaz/OFBiz+Security+Refactor

Jacques
|
Unfortunately, I have to implement this within the next week...
I have a bsh script that will check that the loginUserId has permission for reading an entity record based on the parameter holding the entity Id (upliftId). I don't want to have to call this bsh in every service, etc. Ideally, I would like every request checked for the upliftId parameter, and if the loginUserId doesn't have access, an error is thrown redirecting to an error page.

I was wondering whether this could be done in the controller or as an entity ECA?

Many thanks,

Chris
|
If you want to check something on every request you might try the "preprocessor" events that run before each request.

-David

On Apr 27, 2009, at 6:57 AM, snowch wrote:
> Hi forum,
>
> Some of my requests will contain a parameter (UpliftId) that holds an identifier for an entity record. This is to provide record level security checks. Is there a way of performing this check in the controller so that every (logged in) request that has the parameter UpliftId is checked to ensure that the userLoginId has access to the UpliftId?
>
> Many thanks in advance,
>
> Chris
|
When checking the record level security using the preprocessor, is it possible to return an "error" view from the preprocessor?
Many thanks, Chris
|
Perhaps the best way would be to send 'response.sendRedirect("/Unauthorized");' on authorization error?
|
Yes, I have used this for the "tarpitting" feature
http://docs.ofbiz.org/display/OFBTECH/OFBiz+security#OFBizsecurity-Protectedviews

Look for "protect" in Java code

Jacques
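An example of the preprocessor approach suggested in this thread, added here as an illustration and not code from any of the posters or from OFBiz: a Java event that denies by default when the logged-in user has no grant for a requested upliftId. The entity `UpliftUserAccess`, the package and class names, and the controller.xml registration shown in the comment are assumptions, as is the expectation that a non-"success" return from a preprocessor event stops the request.

```java
package com.example.uplift; // hypothetical package

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ofbiz.base.util.UtilMisc;
import org.ofbiz.entity.GenericDelegator;
import org.ofbiz.entity.GenericEntityException;
import org.ofbiz.entity.GenericValue;

// Assumed controller.xml registration:
//   <preprocessor>
//     <event type="java" path="com.example.uplift.UpliftAccessEvents" invoke="checkUpliftAccess"/>
//   </preprocessor>
public class UpliftAccessEvents {

    public static String checkUpliftAccess(HttpServletRequest request, HttpServletResponse response) {
        GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
        if (userLogin == null) {
            return "success"; // anonymous: left to the request-map's own login check
        }
        String userLoginId = userLogin.getString("userLoginId");
        GenericDelegator delegator = (GenericDelegator) request.getAttribute("delegator");

        // Check every value under both spellings seen in the thread, so a
        // duplicated parameter cannot carry an unchecked id past this event.
        for (String name : new String[] {"upliftId", "UpliftId"}) {
            String[] values = request.getParameterValues(name);
            if (values == null) continue;
            for (String upliftId : values) {
                if (!hasAccess(delegator, userLoginId, upliftId)) {
                    request.setAttribute("_ERROR_MESSAGE_", "You do not have access to this record.");
                    return "error";
                }
            }
        }
        return "success";
    }

    // Deny by default: only an existing grant row returns true.
    private static boolean hasAccess(GenericDelegator delegator, String userLoginId, String upliftId) {
        try {
            // UpliftUserAccess is a hypothetical entity keyed by (upliftId, userLoginId).
            GenericValue grant = delegator.findOne("UpliftUserAccess",
                    UtilMisc.toMap("upliftId", upliftId, "userLoginId", userLoginId), false);
            return grant != null;
        } catch (GenericEntityException e) {
            return false; // lookup failure is treated as no access
        }
    }
}
```

This covers only requests that carry the id as a request parameter; a service that receives the record id under another name or through another path still needs its own check.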