The behavior with the catalogs is because it has nothing to do with security. To work correctly, it has more to do with validation than security, if that makes sense.
OT: that is what kind of scares me about Laszlo and Ajax: how do you simply validate the continuous back and forth from malicious code being sent?
--- Tim Saker wrote:
Did this question ever get addressed/resolved? I'm also interested in understanding security options.
> "... I can bypass the list by typing in the url of the catalog I want to view on the ecommerce side ..."
This implies that OFBiz's security probably only applies at sign-on, not for activity requests beyond the front door. If so, a bit concerning, but at least good to know.
I must admit that I'm a newbie to OFBiz. Perhaps the security model is intentionally left to the application server domain.
Regards,
Tim Saker
Owner, Felicity Gifts
--- Chris Howe wrote:
> I must admit I have a disconnect when it comes to the
> concepts of security and the application of security,
> at least when it's in a complicated setting. I'm
> trying to find a good model.
>
> For instance, if you were to take the catalog manager
> and you wanted one group of people to be able to view
> the catalog on the ecommerce side, you'd simply add
> them to the Catalog -> Parties form and give them the
> role of Customer (being sure of course that you
> haven't associated the catalog with the store that
> people would be accessing, otherwise everyone looking
> at that store would have access). The same could then
> be done if you wanted to limit who could update a
> catalog by giving a party a role (e.g. catalog
> maintainer, etc.).
>
> However this doesn't use the security extension. It
> uses CatalogWorker.java to limit a pulldown list (and
> then some derivative for the catalog maintainer). The
> problem with that is that I can bypass the list by
> typing in the url of the catalog I want to view on the
> ecommerce side.
>
> If I give someone the security group of Catalog_Admin
> then he has the permissions across catalogs, not just
> the catalogs that he should be maintaining. If anyone
> could help shed some light on this, I'd appreciate it.
> I'm going to check out the blog stuff as that has
> similar needs.
>
> _______________________________________________
> Users mailing list
> Users at lists.ofbiz.org
> http://lists.ofbiz.org/mailman/listinfo/users
>
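The two problems raised in the quoted message (a filtered pulldown that can be bypassed by typing the catalog URL, and a Catalog_Admin group that is global rather than per catalog) come down to the same point: filtering what the UI offers is presentation, and authorization has to be re-evaluated on every request against the object actually named in the request. The script below is an added illustration written for this thread, not OFBiz code and not CatalogWorker.java. The party, catalog, store and role identifiers, the role tables and the three handlers are all constructed for the example.

```python
# Added illustration, not OFBiz code. It models the situation described in
# the thread: a pulldown filtered per party (the CatalogWorker-style list),
# handlers that take the catalogId from the URL, a per-catalog party role
# table (the Catalog -> Parties association), a catalog-to-store association
# and a global Catalog_Admin-style group. All identifiers and data below are
# constructed for the example.

# Constructed sample data: (party_id, catalog_id) -> roles held on that catalog.
CATALOG_ROLES = {
    ("alice", "CAT_GIFTS"): {"CUSTOMER"},
    ("bob", "CAT_GIFTS"): {"CATALOG_MAINTAINER"},
    ("bob", "CAT_TOYS"): {"CUSTOMER"},
}
# Constructed sample data: party_id -> global security groups (not per catalog).
SECURITY_GROUPS = {"carol": {"CATALOG_ADMIN"}}
# Constructed sample data: store_id -> catalogs associated with that store.
STORE_CATALOGS = {"STORE_MAIN": {"CAT_TOYS"}}
ALL_CATALOGS = ("CAT_GIFTS", "CAT_TOYS", "CAT_FURNITURE")

VIEW_ROLES = {"CUSTOMER", "CATALOG_MAINTAINER"}
UPDATE_ROLES = {"CATALOG_MAINTAINER"}


def visible_catalogs(party_id):
    """What the filtered pulldown offers: catalogs where the party holds a
    viewing role. This is presentation, not authorization."""
    return sorted(c for (p, c), roles in CATALOG_ROLES.items()
                  if p == party_id and roles & VIEW_ROLES)


def view_catalog_insecure(party_id, catalog_id, store_id=None):
    """The bypass: the handler assumes the pulldown was the only way to get
    here and never re-checks the party against the catalog_id in the URL."""
    if catalog_id not in ALL_CATALOGS:
        return "404"
    return "rendering " + catalog_id


def authorize(party_id, catalog_id, action, store_id=None):
    """Per-request, per-object decision: may party_id perform action
    ('VIEW' or 'UPDATE') on this specific catalog, in this store context?"""
    if "CATALOG_ADMIN" in SECURITY_GROUPS.get(party_id, set()):
        return True  # global group: every catalog, the over-grant noted in the thread
    if action == "VIEW" and catalog_id in STORE_CATALOGS.get(store_id, set()):
        return True  # catalog associated with the store: everyone browsing it can view
    roles = CATALOG_ROLES.get((party_id, catalog_id), set())
    needed = {"VIEW": VIEW_ROLES, "UPDATE": UPDATE_ROLES}.get(action, set())
    return bool(roles & needed)


def view_catalog_secure(party_id, catalog_id, store_id=None):
    """Same handler with the check enforced on every request, however the
    catalog_id arrived (pulldown, typed URL, script)."""
    if catalog_id not in ALL_CATALOGS:
        return "404"
    if not authorize(party_id, catalog_id, "VIEW", store_id):
        return "403"
    return "rendering " + catalog_id


def update_catalog_secure(party_id, catalog_id):
    """Update path: a maintainer role on this catalog, or the global group."""
    if catalog_id not in ALL_CATALOGS:
        return "404"
    if not authorize(party_id, catalog_id, "UPDATE"):
        return "403"
    return "updated " + catalog_id


def reachable_but_hidden(party_id, handler):
    """The check a practitioner would run: catalogs the handler serves to this
    party that the pulldown does not show. For an ordinary party a non-empty
    result is the bypass; for a global admin group it is the cross-catalog grant."""
    shown = set(visible_catalogs(party_id))
    return sorted(c for c in ALL_CATALOGS
                  if c not in shown and handler(party_id, c).startswith("rendering"))


if __name__ == "__main__":
    for party in ("alice", "bob", "carol"):
        print(party, "pulldown:", visible_catalogs(party),
              "| reachable via URL, insecure:", reachable_but_hidden(party, view_catalog_insecure),
              "| reachable via URL, secure:", reachable_but_hidden(party, view_catalog_secure))
```

Running it shows alice's pulldown offering only CAT_GIFTS while the insecure handler renders CAT_TOYS and CAT_FURNITURE for her on a typed URL, the secure handler refusing both unless the store she is browsing has the catalog associated, and carol (global group) reaching every catalog through either handler, which is the Catalog_Admin scope problem restated: a group that is not keyed by catalog cannot express "maintains only these catalogs".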