Lack of security documentation: exact mean of roleTypeId


Lack of security documentation: exact mean of roleTypeId

euronymous
Hi list

We arrived at OFBiz some months ago and chose it as our preferred platform to develop scalable e-commerce solutions.

First, our congratulations on the beauty of your code and the OFBiz architecture: we really like it.

Anyway, we have seen some lack of security documentation regarding how to exactly configure roles for parties, groups and so on. Walking through almost every XML file with IntelliJ command-shift-N/F shortcuts, trying to understand where roleTypeId values are exactly defined, we didn't find anything.

We understood well how the levels of privileges work, and how levels can inherit their capabilities from parents.


But if we imagine a real case where for example it's needed a granular authentication for a customer that needs access to a catalog and not to another one, in the same ofbiz installation? How to do that?

Or for example, continuing the previous one, if we give to a PARTY the roleTypeId LTD_ADMIN, which exact privileges it will have?

Sorry but maybe we're missing some points


Sincerely

Re: Lack of security documentation: exact mean of roleTypeId

BJ Freeman
I use eclipse and it has a search.
so I did a search on LTD_ADMIN in xml and ftl files.

    <if-has-permission permission="CATALOG_ROLE" action="_CREATE">
        <entity-and entity-name="ProductCategoryRole" list-name="productCategoryRoles" filter-by-date="true">
            <field-map field-name="partyId" env-name="userLogin.partyId"/>
            <field-map field-name="roleTypeId" value="LTD_ADMIN"/>
        </entity-and>

and others
so that is the best way to find out.

euronymous sent the following on 9/1/2008 12:52 PM:

> Hi list
>
> We arrived at OFBiz some months ago and chose it as our preferred
> platform to develop scalable e-commerce solutions.
>
> First, our congratulations on the beauty of your code and the OFBiz
> architecture: we really like it.
>
> Anyway, we have seen some lack of security documentation regarding how to
> exactly configure roles for parties, groups and so on. Walking through almost
> every XML file with IntelliJ command-shift-N/F shortcuts, trying to
> understand where roleTypeId values are exactly defined, we didn't find anything.
>
> We understood well how the levels of privileges work, and how levels
> can inherit their capabilities from parents.
>
>
> But if we imagine a real case where for example it's needed a granular
> authentication for a customer that needs access to a catalog and not to
> another one, in the same ofbiz installation? How to do that?
>
> Or for example, continuing the previous one, if we give to a PARTY the
> roleTypeId LTD_ADMIN, which exact privileges it will have?
>
> Sorry but maybe we're missing some points
>
>
> Sincerely
>
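
The search suggested in the reply above can be scripted so that each hit comes with its surrounding permission check. This is an added example, not part of the original thread and not OFBiz code: it parses the XML and lists, for every literal roleTypeId, the enclosing if-has-permission and entity. The `<sample>` wrapper, the `_UPDATE` block and `EXAMPLE_ROLE` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the fragment quoted in the post, closed and wrapped in a
# made-up <sample> root so it parses. The _UPDATE block and EXAMPLE_ROLE are
# invented for contrast and are not taken from OFBiz.
SAMPLE = """<sample>
  <if-has-permission permission="CATALOG_ROLE" action="_CREATE">
    <entity-and entity-name="ProductCategoryRole" list-name="productCategoryRoles" filter-by-date="true">
      <field-map field-name="partyId" env-name="userLogin.partyId"/>
      <field-map field-name="roleTypeId" value="LTD_ADMIN"/>
    </entity-and>
  </if-has-permission>
  <if-has-permission permission="CATALOG_ROLE" action="_UPDATE">
    <entity-and entity-name="ProductCategoryRole" list-name="productCategoryRoles">
      <field-map field-name="roleTypeId" value="LTD_ADMIN"/>
    </entity-and>
  </if-has-permission>
  <entity-and entity-name="ProductCategoryRole" list-name="unguarded">
    <field-map field-name="roleTypeId" value="EXAMPLE_ROLE"/>
  </entity-and>
</sample>"""


def role_usages(xml_text):
    """Return {roleTypeId: sorted [(permission, action, entity-name), ...]}."""
    found = defaultdict(set)

    def walk(node, perm, action, entity):
        name = node.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if name == "if-has-permission":
            perm, action = node.get("permission", ""), node.get("action", "")
        elif name == "entity-and":
            entity = node.get("entity-name", "")
        elif name == "field-map" and node.get("field-name") == "roleTypeId":
            if node.get("value"):  # literal role IDs only, not env-name lookups
                found[node.get("value")].add((perm, action, entity))
        for child in node:
            walk(child, perm, action, entity)

    walk(ET.fromstring(xml_text), "", "", "")
    return {role: sorted(uses) for role, uses in found.items()}


if __name__ == "__main__":
    for role, uses in sorted(role_usages(SAMPLE).items()):
        for perm, action, entity in uses:
            guard = f"{perm} {action}" if perm else "(no if-has-permission)"
            print(f"{role:14} {entity:22} guarded by {guard}")
```

The result shows where a role ID is consulted and under which permission check; it does not rank one role against another.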


Re: Lack of security documentation: exact mean of roleTypeId

euronymous
Yes we understand how to search for it, as we wrote before...we already did it.

But what we asked is how to understand if for example the LTD_ADMIN role gives less permissions than MANAGER.

We cannot find any place where these roles are described in a good way, neither a project except from the demo data of the ecommerce part.

Have you any suggestions/links/recommendations?

Sincerely


BJ Freeman wrote
I use eclipse and it has a search.
so I did a search on LTD_ADMIN in xml and ftl files.

    <if-has-permission permission="CATALOG_ROLE" action="_CREATE">
        <entity-and entity-name="ProductCategoryRole" list-name="productCategoryRoles" filter-by-date="true">
            <field-map field-name="partyId" env-name="userLogin.partyId"/>
            <field-map field-name="roleTypeId" value="LTD_ADMIN"/>
        </entity-and>

and others
so that is the best way to find out.

euronymous sent the following on 9/1/2008 12:52 PM:
> Hi list
>
> We arrived at OFBiz some months ago and chose it as our preferred
> platform to develop scalable e-commerce solutions.
>
> First, our congratulations on the beauty of your code and the OFBiz
> architecture: we really like it.
>
> Anyway, we have seen some lack of security documentation regarding how to
> exactly configure roles for parties, groups and so on. Walking through almost
> every XML file with IntelliJ command-shift-N/F shortcuts, trying to
> understand where roleTypeId values are exactly defined, we didn't find anything.
>
> We understood well how the levels of privileges work, and how levels
> can inherit their capabilities from parents.
>
>
> But if we imagine a real case where for example it's needed a granular
> authentication for a customer that needs access to a catalog and not to
> another one, in the same ofbiz installation? How to do that?
>
> Or for example, continuing the previous one, if we give to a PARTY the
> roleTypeId LTD_ADMIN, which exact privileges it will have?
>
> Sorry but maybe we're missing some points
>
>
> Sincerely
>