I must admit I have a disconnect when it comes to the concepts of security and the application of security, at least when it's in a complicated setting. I'm trying to find a good model.

For instance, if you were to take the catalog manager and you wanted one group of people to be able to view the catalog on the ecommerce side, you'd simply add them to the Catalog -> Parties form and give them the role of Customer (being sure, of course, that you haven't associated the catalog with the store that people would be accessing; otherwise everyone looking at that store would have access). The same could then be done if you wanted to limit who could update a catalog by giving a party a role (e.g. catalog maintainer, etc.).

However, this doesn't use the security extension. It uses CatalogWorker.java to limit a pulldown list (and then some derivative for the catalog maintainer). The problem with that is that I can bypass the list by typing in the URL of the catalog I want to view on the ecommerce side.

If I give someone the security group of Catalog_Admin then he has the permissions across catalogs, not just the catalogs that he should be maintaining. If anyone could help shed some light on this, I'd appreciate it. I'm going to check out the blog stuff as that has similar needs.

Users mailing list: http://lists.ofbiz.org/mailman/listinfo/users
Did this question ever get addressed/resolved? I'm also interested in understanding security options.

> "... I can bypass the list by typing in the url of the catalog I want to view on the ecommerce side ..."

This implies that OFBiz's security probably only applies at sign-on, not for activity requests beyond the front door. If so, a bit concerning, but at least good to know. I must admit that I'm a newbie to OFBiz. Perhaps the security model is intentionally left to the application server domain.

Regards,
Tim Saker
Owner, Felicity Gifts
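The failure mode both posts describe, a pulldown list filtered per party while the URL handler never re-checks, and a global Catalog_Admin group that cannot be scoped to one catalog, is illustrated by the following added example. It is a small Python model written for this thread, not OFBiz code; the party, catalog and store names are constructed and the role and group strings are hypothetical. The handler applies the same per-catalog predicate that builds the list, so a hand-typed URL gets the same answer as the list did, and the maintainer check is per catalog rather than global.

```python
# Added example for this thread: a small model of request-time catalog
# authorization. It is not OFBiz code; party, catalog and store names are
# constructed, and the role/group strings are hypothetical.

# Party -> role associations per catalog (the "Catalog -> Parties" idea).
CATALOG_PARTY_ROLES = {
    ("CatalogA", "alice"): {"CUSTOMER"},
    ("CatalogB", "bob"): {"CATALOG_MAINTAINER"},
}
# Catalogs attached to a store are visible to everyone browsing that store.
STORE_CATALOGS = {"WebStore": {"CatalogPublic"}}
ALL_CATALOGS = {"CatalogA", "CatalogB", "CatalogPublic"}
# Global security groups (the Catalog_Admin style grant from the thread).
SECURITY_GROUPS = {"carol": {"CATALOG_ADMIN"}}


def roles_on(party_id, catalog_id):
    return CATALOG_PARTY_ROLES.get((catalog_id, party_id), set())


def can_view_catalog(party_id, catalog_id, store_id):
    """Per-catalog predicate: attached to the store, or CUSTOMER on it."""
    if catalog_id in STORE_CATALOGS.get(store_id, set()):
        return True
    return "CUSTOMER" in roles_on(party_id, catalog_id)


def can_update_catalog(party_id, catalog_id, global_admin_overrides=False):
    """Per-catalog maintainer check. By default a global CATALOG_ADMIN
    group is not enough; the party must be a maintainer of this catalog."""
    if "CATALOG_MAINTAINER" in roles_on(party_id, catalog_id):
        return True
    return global_admin_overrides and "CATALOG_ADMIN" in SECURITY_GROUPS.get(party_id, set())


def visible_catalogs(party_id, store_id):
    """The pulldown list, derived from the same predicate the handler uses."""
    return {c for c in ALL_CATALOGS if can_view_catalog(party_id, c, store_id)}


def handle_view_request(party_id, catalog_id, store_id):
    """The handler re-checks on every request, so a hand-typed URL for a
    catalog that was filtered out of the list is refused (403), and an
    unknown catalog is refused the same way rather than revealing whether it exists."""
    if catalog_id not in ALL_CATALOGS or not can_view_catalog(party_id, catalog_id, store_id):
        return 403
    return 200
```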