From: "Adrian Crum" <[hidden email]>
> Maybe we should also decide on whether it is spelled "grey" or "gray." ;-)

I fight hard to write correctly grey but as with prodcut most of the time I failed and write gray (here I must say I'm not a dyslexic). For prodcut I don't know why (though I suspect our hands to be used to the word cut) but have a look at http://www.nabble.com/forum/Search.jtp?local=y&forum=2740&query=prodcut : I'm not the only one :D

For gray maybe I'm influenced by Scott's name ?

Anyway I have changed my mind and I think it does not make sense to call something grey list at this stage, protected-view seems a better name. The grey list concept will be used at the end of the process. When a login is unable to access a view again without admin intervention.

About the protect-view attribute (was allowGrayList below), I think now that we should better set it to false by default. This will make the process a bit faster since most of the time views will not be protected. BTW I wrote something to deal with that in RequestHandler.doRequest but I'm really not satisfied by my solution (I hard coded a method name). I put it in https://issues.apache.org/jira/browse/OFBIZ-2074 for review. I will try to rewrite it today, suggestions highly appreciated.

Jacques

> -Adrian
>
> Jacques Le Roux wrote:
>> I think the phrase "grey list" is easier to speak about this functionality and easier to understand and remember. So I propose to use it rather than the tarpit word when speaking about this at large (I will change Entities names, fields, etc. accordingly when appropriate)
>>
>> As we use a preprocessor, to avoid any bad surprise later, I propose we introduce in site-conf.xsd an attribute allowGrayList in request-map element. It would work like track-visit and track-serverhit being true by default (though I wonder if we should not do reverse to false).
>>
>> Jacques
In reply to this post by David E Jones-3
Thanks for your review David,
From: "David E Jones" <[hidden email]>
> What is a "Security Role"?

Al spoke about Security Role when you are using a permission with _ROLE_ in it. I took this information from pages Al wrote in the old Wiki.

> In that page (the "OFBiz security" page) the stuff mentioned about the role-limited permissions is incorrect.

What is incorrect exactly ? I just put facts I found in code and in answers on user/dev ML (from Bilgin and Adrian I guess).

> The purpose of role-limited permissions is to tie a SecurityPermission to record level security using the RoleType/PartyRole and related entities. In OFBiz this is how record level permissions are done, ie somehow the user (through their Party record) is associated with another record in the database, and that specific relationship must exist in order for the role-limited permission to take effect.

I put your explanation in the role-limited permissions section. I did not remove the examples for now. I think it helps newbies to understand how it's used. Please let me know what's wrong

Jacques

> -David
>
> On Dec 11, 2008, at 12:27 PM, Jacques Le Roux wrote:
>
>> Maybe we could use "Security Roles" and not "Role limited permissions" inside Security Groups for more flexibility ?
>> Definitions are in http://docs.ofbiz.org/display/OFBTECH/OFBiz +security
>>
>> I will use that for now because I need something to move forward
>>
>> Jacques
>>
>> From: "Ray" <[hidden email]>
>>> It came about from a requirement driven around roles so that was the suggested limiter. The example would be someone with a role of "Sales Rep" who works in house answering calls, processing paperwork might easily deal with 200 a day whereas someone operating as "Sales Consultant" in the field visiting clients personally might only deal with 20 a day.
>>>
>>> They both have security to access the same client view but the user request was to limit them with a differing number of allowed accesses based on their roles.
>>>
>>> If that needs to be translated into security groups for implementation to fit in with OFBiz practices then fine, I'm not stuck to it being roles. This was thought to be a generally useful feature others might be interested in hence we are trying to make it compatible for the community.
>>>
>>> Ray
>>>
>>> David E Jones wrote:
>>>> Instead of attaching this to a Party RoleType, it would be better to attach it to a SecurityPermission or SecurityGroup. Access to resources like pages and such is governed by permissions in OFBiz, and roles are used for record-level security (like which parties a user can view/edit/etc as opposed to being able to use the view profile screen).
>>>>
>>>> -David
In reply to this post by Adam Heath-2
From: "Adam Heath" <[hidden email]>
> Adrian Crum wrote:
>> Maybe we should also decide on whether it is spelled "grey" or "gray." ;-)
>
> Or how about a red-black list?

What is a red-black list ? I used grey list because it's something you can easily compare with the concept already used in spam control (tarpitting). We will use an analog concept here, that's why.

Jacques
In reply to this post by Jacques Le Roux
Gray and Grey is same as color and colour.
http://www.answers.com/main/ntquery?s=grey&gwp=13

Thanks,

Raj

Jacques Le Roux wrote:
> From: "Adrian Crum" <[hidden email]>
>> Maybe we should also decide on whether it is spelled "grey" or "gray." ;-)
>
> I fight hard to write correctly grey but as with prodcut most of the time I failed and write gray (here I must say I'm not a Dyslexic). For prodcut I don't know why (though I suspect our hands to be used to the word cut) but have a look at http://www.nabble.com/forum/Search.jtp?local=y&forum=2740&query=prodcut : I'm not the only one :D
>
> For gray maybe I'm influenced by Scott's name ?
>
> Jacques
>
>> -Adrian
>>
>> Jacques Le Roux wrote:
>>> I think the phrase "grey list" is easier to speak about this functionality and easier to understand and remember. So I propose to use it rather than the tarpit word when speaking about this at large (I will change Entities names, fields, etc. accordingly when appropriate)
>>>
>>> As we use a preprocessor, to avoid any bad surprise later, I propose we introduce in site-conf.xsd an attribute allowGrayList in request-map element. It would work like track-visit and track-serverhit being true by default (though I wonder if we should not do reverse to false).
>>>
>>> Jacques
Thanks Raj,
Finally my English is not so bad :p

Jacques

From: "Raj Saini" <[hidden email]>
> Gray and Grey is same as color and colour.
>
> http://www.answers.com/main/ntquery?s=grey&gwp=13
>
> Thanks,
>
> Raj
>
> Jacques Le Roux wrote:
>> From: "Adrian Crum" <[hidden email]>
>>> Maybe we should also decide on whether it is spelled "grey" or "gray." ;-)
>>
>> I fight hard to write correctly grey but as with prodcut most of the time I failed and write gray (here I must say I'm not a Dyslexic). For prodcut I don't know why (though I suspect our hands to be used to the word cut) but have a look at http://www.nabble.com/forum/Search.jtp?local=y&forum=2740&query=prodcut : I'm not the only one :D
>>
>> For gray maybe I'm influenced by Scott's name ?
>>
>> Jacques
>>
>>> -Adrian
>>>
>>> Jacques Le Roux wrote:
>>>> I think the phrase "grey list" is easier to speak about this functionality and easier to understand and remember. So I propose to use it rather than the tarpit word when speaking about this at large (I will change Entities names, fields, etc. accordingly when appropriate)
>>>>
>>>> As we use a preprocessor, to avoid any bad surprise later, I propose we introduce in site-conf.xsd an attribute allowGrayList in request-map element. It would work like track-visit and track-serverhit being true by default (though I wonder if we should not do reverse to false).
>>>>
>>>> Jacques
In reply to this post by Jacques Le Roux
Jacques Le Roux wrote:
> From: "Adam Heath" <[hidden email]>
>
>> Adrian Crum wrote:
>>> Maybe we should also decide on whether it is spelled "grey" or "gray." ;-)
>>
>> Or how about a red-black list?
>
> What is a red-black list ? I used grey list because it's something you can easily compare with the concept already used in spam control (tarpitting). We will use an analog concept here, that's why.

It's a computer scientist joke. Use google. Actually, look for red-black list, with the '-'.
Did not find anything clear, anyway this will not prevent me to sleep at night :o)
Jacques

From: "Adam Heath" <[hidden email]>
> Jacques Le Roux wrote:
>> From: "Adam Heath" <[hidden email]>
>>
>>> Adrian Crum wrote:
>>>> Maybe we should also decide on whether it is spelled "grey" or "gray." ;-)
>>>
>>> Or how about a red-black list?
>>
>> What is a red-black list ? I used grey list because it's something you can easily compare with the concept already used in spam control (tarpitting). We will use an analog concept here, that's why.
>
> It's a computer scientist joke. Use google. Actually, look for red-black list, with the '-'.