[OFBiz] Users - Security, Groups, Etc


[OFBiz] Users - Security, Groups, Etc

cjhowe
I must admit I have a disconnect when it comes to the
concepts of security and the application of security
at least when it's in a complicated setting.  I'm
trying to find a good model.  

For instance, if you were to take the catalog manager
and you wanted one group of people to be able to view
the catalog on the ecommerce side, you'd simply add
them to the Catalog -> Parties form and give them the
role of Customer (Being sure of course that you
haven't associated the catalog with the store that
people would be accessing, otherwise everyone looking
at that store would have access).  The same could then
be done if you wanted to limit who could update a
catalog by giving a party a role (e.g. catalog
maintainer, etc.).

However this doesn't use the security extension.  It
uses CatalogWorker.java to limit a pulldown list (and
then some derivative for the catalog maintainer).  The
problem with that is that I can bypass the list by
typing in the url of the catalog I want to view on the
ecommerce side.

If I give someone the security group of Catalog_Admin
then he has the permissions across catalogs not just
the catalogs that he should be maintaining.  If anyone
could help shed some light on this, I'd appreciate it.
I'm going to check out the blog stuff as that has
similar needs.


 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users
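As an added illustration of the gap Chris describes (this is constructed example code, not code from the thread or from OFBiz itself): filtering the pulldown with CatalogWorker does nothing for a catalog id typed straight into the URL, so the same visibility predicate has to run on every request, and a per-catalog maintainer role stays scoped while a Catalog_Admin group spans everything. The catalog names, role names, tables and function names below are assumptions for the example, not OFBiz's real entities or API.

```python
from typing import Dict, Set, Tuple

# Constructed sample data modelled on the thread's setup (assumed, not OFBiz's tables):
# which catalogs are attached to which store, the Catalog -> Parties role rows,
# and the coarse security-group membership.
CATALOG_STORES: Dict[str, Set[str]] = {
    "DemoCatalog": {"OnlineStore"},   # attached to the store: every shopper sees it
    "PartnerCatalog": set(),          # not attached: only role holders should see it
}
# (partyId, catalogId) -> role, as entered on the Catalog -> Parties form
CATALOG_ROLES: Dict[Tuple[str, str], str] = {
    ("alice", "PartnerCatalog"): "CUSTOMER",
    ("bob", "PartnerCatalog"): "CATALOG_MAINTAINER",  # assumed role name
}
SECURITY_GROUPS: Dict[str, Set[str]] = {"carol": {"CATALOG_ADMIN"}}


class AccessDenied(Exception):
    """Raised when a request names a catalog the party may not view."""


def can_view(party_id: str, store_id: str, catalog_id: str) -> bool:
    """Object-level check: store-linked catalogs are public, any other needs a role row."""
    if store_id in CATALOG_STORES.get(catalog_id, set()):
        return True
    return (party_id, catalog_id) in CATALOG_ROLES


def can_update(party_id: str, catalog_id: str) -> bool:
    """Maintainers are scoped to one catalog; CATALOG_ADMIN spans every catalog."""
    if "CATALOG_ADMIN" in SECURITY_GROUPS.get(party_id, set()):
        return True
    return CATALOG_ROLES.get((party_id, catalog_id)) == "CATALOG_MAINTAINER"


def visible_catalogs(party_id: str, store_id: str) -> Set[str]:
    """What the pulldown offers: the list filtered with the same predicate."""
    return {c for c in CATALOG_STORES if can_view(party_id, store_id, c)}


def serve_catalog_unchecked(party_id: str, store_id: str, catalog_id: str) -> str:
    """The pattern the post describes: the list is filtered but the request is not,
    so any catalog id placed in the URL is served regardless of party."""
    return catalog_id


def serve_catalog(party_id: str, store_id: str, catalog_id: str) -> str:
    """Hardened handler: re-run the predicate on the request, not only when listing."""
    if not can_view(party_id, store_id, catalog_id):
        raise AccessDenied(f"{party_id} may not view {catalog_id}")
    return catalog_id
```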

Re: [OFBiz] Users - Security, Groups, Etc

Tim Saker
Did this question ever get addressed/resolved?  I'm also interested in understanding
security options.

> "... I can bypass the list by
> typing in the url of the catalog I want to view on the
> ecommerce side ..."

This implies that OFBiz's security probably only applies at sign-on, not for
activity requests beyond the front door.  If so, a bit concerning, but at least good
to know.

I must admit that I'm a newbie to OFBiz.  Perhaps the security model is
intentionally left to the application server domain.

Regards,
Tim Saker
Owner, Felicity Gifts

--- Chris Howe <[hidden email]> wrote:

> I must admit I have a disconnect when it comes to the
> concepts of security and the application of security
> at least when it's in a complicated setting.  I'm
> trying to find a good model.  
>
> For instance, if you were to take the catalog manager
> and you wanted one group of people to be able to view
> the catalog on the ecommerce side, you'd simply add
> them to the Catalog -> Parties form and give them the
> role of Customer (Being sure of course that you
> haven't associated the catalog with the store that
> people would be accessing, otherwise everyone looking
> at that store would have access).  The same could then
> be done if you wanted to limit who could update a
> catalog by giving a party a role (e.g. catalog
> maintainer, etc.).
>
> However this doesn't use the security extension.  It
> uses CatalogWorker.java to limit a pulldown list (and
> then some derivative for the catalog maintainer).  The
> problem with that is that I can bypass the list by
> typing in the url of the catalog I want to view on the
> ecommerce side.
>
> If I give someone the security group of Catalog_Admin
> then he has the permissions across catalogs not just
> the catalogs that he should be maintaining.  If anyone
> could help shed some light on this, I'd appreciate it.
> I'm going to check out the blog stuff as that has
> similar needs.

