Protecting Project Screen from parties not listed as a resource


Mansour
On my local system, any user with PROJECTMGR_VIEW can access projects
even if they are not listed as a resource. I wanted to limit this
permission so, I edited the ProjectScreens.xml to check for permissions.

<screen name="ProjectView">
    <section>
        <condition>
            <or>
                <if-has-permission permission="PROJECTMGR_ADMIN"/>
                <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
            </or>
        </condition>
        <actions>
            <set field="titleProperty" value="ProjectMgrProjectSummary"/>
            <set field="tabButtonItem" value="projectView"/>
            <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
            <service service-name="getProject" result-map="result">
                <field-map field-name="projectId" from-field="projectId"/>
            </service>
            <set field="project" from-field="result.projectInfo"/>
        </actions>
        <widgets>
            <decorator-screen name="CommonProjectDecorator" location="${parameters.mainDecoratorLocation}">
                <decorator-section name="body">
                    <container style="lefthalf">
                        <screenlet title="${uiLabelMap.PageTitleProjectInformation}">
                            <include-form name="ProjectInfo" location="component://projectmgr/widget/forms/ProjectForms.xml"/>
                        </screenlet>
                        <include-screen name="SubProjectsInfo"/>
                        <include-screen name="PhasesInfo"/>
                    </container>
                    <container style="righthalf">
                        <include-screen name="PartiesInfo"/>
                        <include-screen name="NoteInfo"/>
                        <include-screen name="ListProjectContent"/>
                        <include-screen name="OrderInfo"/>
                    </container>
                    <container style="clear"/>
                    <include-screen name="TasksInfo"/>
                </decorator-section>
            </decorator-screen>
        </widgets>
    </section>
</screen>

However, a user with PROJECTMGR_ROLE_VIEW can still view any project
regardless if she is a member of that project or not, by navigating to:

https://localhost:8443/projectmgr/control/projectView?projectId=9100

If I understand things correctly, PROJECTMGR_ROLE_VIEW allows access to
entities owned by party, or if she is listed as a resource.

Any advice ?



Re: Protecting Project Screen from parties not listed as a resource

Adrian Crum-3
Create a permission service, then use that in your screens instead of
specific permission checks. You can find examples of this in the Party
Manager.

-Adrian


On 7/28/2011 6:49 PM, Mansour Al Akeel wrote:

> On my local system, any user with PROJECTMGR_VIEW can access projects
> even if they are not listed as a resource. I wanted to limit this
> permission so, I edited the ProjectScreens.xml to check for permissions.
>
> <screen name="ProjectView">
>      <section>
>          <condition>
>              <or>
>                  <if-has-permission permission="PROJECTMGR_ADMIN"/>
>                  <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
>              </or>
>          </condition>
>          <actions>
>              <set field="titleProperty" value="ProjectMgrProjectSummary"/>
>              <set field="tabButtonItem" value="projectView"/>
>              <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
>              <service service-name="getProject" result-map="result">
>                  <field-map field-name="projectId" from-field="projectId"/>
>              </service>
>              <set field="project" from-field="result.projectInfo"/>
>          </actions>
>          <widgets>
>              <decorator-screen name="CommonProjectDecorator" location="${parameters.mainDecoratorLocation}">
>                  <decorator-section name="body">
>                      <container style="lefthalf">
>                          <screenlet title="${uiLabelMap.PageTitleProjectInformation}">
>                              <include-form name="ProjectInfo" location="component://projectmgr/widget/forms/ProjectForms.xml"/>
>                          </screenlet>
>                          <include-screen name="SubProjectsInfo"/>
>                          <include-screen name="PhasesInfo"/>
>                      </container>
>                      <container style="righthalf">
>                          <include-screen name="PartiesInfo"/>
>                          <include-screen name="NoteInfo"/>
>                          <include-screen name="ListProjectContent"/>
>                          <include-screen name="OrderInfo"/>
>                      </container>
>                      <container style="clear"/>
>                      <include-screen name="TasksInfo"/>
>                  </decorator-section>
>              </decorator-screen>
>          </widgets>
>      </section>
> </screen>
>
> However, a user with PROJECTMGR_ROLE_VIEW can still view any project
> regardless if she is a member of that project or not, by navigating to:
>
> https://localhost:8443/projectmgr/control/projectView?projectId=9100
>
> If I understand things correctly, PROJECTMGR_ROLE_VIEW allows access to
> entities owned by party, or if she is listed as a resource.
>
> Any advice ?
>
>

Re: Protecting Project Screen from parties not listed as a resource

BJ Freeman
In reply to this post by Mansour
there is another permission in the ProjectMgrSecurityData.xml
PROJECTUSER
so remove the PROJECTMGR_ from those that you don't want to have that
permission.


Mansour Al Akeel sent the following on 7/28/2011 10:49 AM:

> On my local system, any user with PROJECTMGR_VIEW can access projects
> even if they are not listed as a resource. I wanted to limit this
> permission so, I edited the ProjectScreens.xml to check for permissions.
>
> <screen name="ProjectView">
>     <section>
>         <condition>
>             <or>
>                 <if-has-permission permission="PROJECTMGR_ADMIN"/>
>                 <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
>             </or>
>         </condition>
>         <actions>
>             <set field="titleProperty" value="ProjectMgrProjectSummary"/>
>             <set field="tabButtonItem" value="projectView"/>
>             <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
>             <service service-name="getProject" result-map="result">
>                 <field-map field-name="projectId" from-field="projectId"/>
>             </service>
>             <set field="project" from-field="result.projectInfo"/>
>         </actions>
>         <widgets>
>             <decorator-screen name="CommonProjectDecorator" location="${parameters.mainDecoratorLocation}">
>                 <decorator-section name="body">
>                     <container style="lefthalf">
>                         <screenlet title="${uiLabelMap.PageTitleProjectInformation}">
>                             <include-form name="ProjectInfo" location="component://projectmgr/widget/forms/ProjectForms.xml"/>
>                         </screenlet>
>                         <include-screen name="SubProjectsInfo"/>
>                         <include-screen name="PhasesInfo"/>
>                     </container>
>                     <container style="righthalf">
>                         <include-screen name="PartiesInfo"/>
>                         <include-screen name="NoteInfo"/>
>                         <include-screen name="ListProjectContent"/>
>                         <include-screen name="OrderInfo"/>
>                     </container>
>                     <container style="clear"/>
>                     <include-screen name="TasksInfo"/>
>                 </decorator-section>
>             </decorator-screen>
>         </widgets>
>     </section>
> </screen>
>
> However, a user with PROJECTMGR_ROLE_VIEW can still view any project
> regardless if she is a member of that project or not, by navigating to:
>
> https://localhost:8443/projectmgr/control/projectView?projectId=9100
>
> If I understand things correctly, PROJECTMGR_ROLE_VIEW allows access to
> entities owned by party, or if she is listed as a resource.
>
> Any advice ?
>
>
>

Re: Protecting Project Screen from parties not listed as a resource

BJ Freeman
Sorry, that did not make much sense.
So create a new permission like PERSONPROJ with just PROJECTMGR_ you want
it to have.

BJ Freeman sent the following on 7/28/2011 12:13 PM:

> there is another permission in the ProjectMgrSecurityData.xml
> PROJECTUSER
> so remove the PROJECTMGR_ from those that you don't want to have that
> permission.
>
>
> Mansour Al Akeel sent the following on 7/28/2011 10:49 AM:
>> On my local system, any user with PROJECTMGR_VIEW can access projects
>> even if they are not listed as a resource. I wanted to limit this
>> permission so, I edited the ProjectScreens.xml to check for permissions.
>>
>> <screen name="ProjectView">
>>     <section>
>>         <condition>
>>             <or>
>>                 <if-has-permission permission="PROJECTMGR_ADMIN"/>
>>                 <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
>>             </or>
>>         </condition>
>>         <actions>
>>             <set field="titleProperty" value="ProjectMgrProjectSummary"/>
>>             <set field="tabButtonItem" value="projectView"/>
>>             <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
>>             <service service-name="getProject" result-map="result">
>>                 <field-map field-name="projectId" from-field="projectId"/>
>>             </service>
>>             <set field="project" from-field="result.projectInfo"/>
>>         </actions>
>>         <widgets>
>>             <decorator-screen name="CommonProjectDecorator" location="${parameters.mainDecoratorLocation}">
>>                 <decorator-section name="body">
>>                     <container style="lefthalf">
>>                         <screenlet title="${uiLabelMap.PageTitleProjectInformation}">
>>                             <include-form name="ProjectInfo" location="component://projectmgr/widget/forms/ProjectForms.xml"/>
>>                         </screenlet>
>>                         <include-screen name="SubProjectsInfo"/>
>>                         <include-screen name="PhasesInfo"/>
>>                     </container>
>>                     <container style="righthalf">
>>                         <include-screen name="PartiesInfo"/>
>>                         <include-screen name="NoteInfo"/>
>>                         <include-screen name="ListProjectContent"/>
>>                         <include-screen name="OrderInfo"/>
>>                     </container>
>>                     <container style="clear"/>
>>                     <include-screen name="TasksInfo"/>
>>                 </decorator-section>
>>             </decorator-screen>
>>         </widgets>
>>     </section>
>> </screen>
>>
>> However, a user with PROJECTMGR_ROLE_VIEW can still view any project
>> regardless if she is a member of that project or not, by navigating to:
>>
>> https://localhost:8443/projectmgr/control/projectView?projectId=9100
>>
>> If I understand things correctly, PROJECTMGR_ROLE_VIEW allows access to
>> entities owned by party, or if she is listed as a resource.
>>
>> Any advice ?
>>
>>
>>
>

Re: Protecting Project Screen from parties not listed as a resource

BJ Freeman
In reply to this post by Mansour
another approach is to use the portlets and follow the myxxxx like
mytasks. Then only allow them to login to myportal and have the portal
permissions.

Mansour Al Akeel sent the following on 7/28/2011 10:49 AM:

> On my local system, any user with PROJECTMGR_VIEW can access projects
> even if they are not listed as a resource. I wanted to limit this
> permission so, I edited the ProjectScreens.xml to check for permissions.
>
> <screen name="ProjectView">
>     <section>
>         <condition>
>             <or>
>                 <if-has-permission permission="PROJECTMGR_ADMIN"/>
>                 <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
>             </or>
>         </condition>
>         <actions>
>             <set field="titleProperty" value="ProjectMgrProjectSummary"/>
>             <set field="tabButtonItem" value="projectView"/>
>             <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
>             <service service-name="getProject" result-map="result">
>                 <field-map field-name="projectId" from-field="projectId"/>
>             </service>
>             <set field="project" from-field="result.projectInfo"/>
>         </actions>
>         <widgets>
>             <decorator-screen name="CommonProjectDecorator" location="${parameters.mainDecoratorLocation}">
>                 <decorator-section name="body">
>                     <container style="lefthalf">
>                         <screenlet title="${uiLabelMap.PageTitleProjectInformation}">
>                             <include-form name="ProjectInfo" location="component://projectmgr/widget/forms/ProjectForms.xml"/>
>                         </screenlet>
>                         <include-screen name="SubProjectsInfo"/>
>                         <include-screen name="PhasesInfo"/>
>                     </container>
>                     <container style="righthalf">
>                         <include-screen name="PartiesInfo"/>
>                         <include-screen name="NoteInfo"/>
>                         <include-screen name="ListProjectContent"/>
>                         <include-screen name="OrderInfo"/>
>                     </container>
>                     <container style="clear"/>
>                     <include-screen name="TasksInfo"/>
>                 </decorator-section>
>             </decorator-screen>
>         </widgets>
>     </section>
> </screen>
>
> However, a user with PROJECTMGR_ROLE_VIEW can still view any project
> regardless if she is a member of that project or not, by navigating to:
>
> https://localhost:8443/projectmgr/control/projectView?projectId=9100
>
> If I understand things correctly, PROJECTMGR_ROLE_VIEW allows access to
> entities owned by party, or if she is listed as a resource.
>
> Any advice ?
>
>
>

Re: Protecting Project Screen from parties not listed as a resource

Mansour
In reply to this post by Adrian Crum-3
Adrian,
What would be the correct permission to use to protect projects the user
is not part of ?
I am using "PROJECTMGR_ROLE_VIEW", based on my understanding but not
sure if this is correct.

Can you please kindly, explain (give a link) about the difference in
creating a separate service to check the permission, and specific
permission check in the screen the way I am doing it ? I understand
examples exist in another components, but examples for checking the
permission in a screen are used widely in the same file I am editing.


Thank you.


On Thu Jul 28,2011 06:51 pm, Adrian Crum wrote:

> Create a permission service, then use that in your screens instead of
> specific permission checks. You can find examples of this in the Party
> Manager.
>
> -Adrian
>
>
> On 7/28/2011 6:49 PM, Mansour Al Akeel wrote:
> > On my local system, any user with PROJECTMGR_VIEW can access projects
> > even if they are not listed as a resource. I wanted to limit this
> > permission so, I edited the ProjectScreens.xml to check for permissions.
> >
> > <screen name="ProjectView">
> >      <section>
> >          <condition>
> >              <or>
> >                  <if-has-permission permission="PROJECTMGR_ADMIN"/>
> >                  <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
> >              </or>
> >          </condition>
> >          <actions>
> >              <set field="titleProperty" value="ProjectMgrProjectSummary"/>
> >              <set field="tabButtonItem" value="projectView"/>
> >              <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
> >              <service service-name="getProject" result-map="result">
> >                  <field-map field-name="projectId" from-field="projectId"/>
> >              </service>
> >              <set field="project" from-field="result.projectInfo"/>
> >          </actions>
> >          <widgets>
> >              <decorator-screen name="CommonProjectDecorator" location="${parameters.mainDecoratorLocation}">
> >                  <decorator-section name="body">
> >                      <container style="lefthalf">
> >                          <screenlet title="${uiLabelMap.PageTitleProjectInformation}">
> >                              <include-form name="ProjectInfo" location="component://projectmgr/widget/forms/ProjectForms.xml"/>
> >                          </screenlet>
> >                          <include-screen name="SubProjectsInfo"/>
> >                          <include-screen name="PhasesInfo"/>
> >                      </container>
> >                      <container style="righthalf">
> >                          <include-screen name="PartiesInfo"/>
> >                          <include-screen name="NoteInfo"/>
> >                          <include-screen name="ListProjectContent"/>
> >                          <include-screen name="OrderInfo"/>
> >                      </container>
> >                      <container style="clear"/>
> >                      <include-screen name="TasksInfo"/>
> >                  </decorator-section>
> >              </decorator-screen>
> >          </widgets>
> >      </section>
> > </screen>
> >
> > However, a user with PROJECTMGR_ROLE_VIEW can still view any project
> > regardless if she is a member of that project or not, by navigating to:
> >
> > https://localhost:8443/projectmgr/control/projectView?projectId=9100
> >
> > If I understand things correctly, PROJECTMGR_ROLE_VIEW allows access to
> > entities owned by party, or if she is listed as a resource.
> >
> > Any advice ?
> >
> >

Re: Protecting Project Screen from parties not listed as a resource

Adrian Crum-3
Look in Party Manager. There are permission services that check to see
if the logged-in user is connected to another party in some way before
granting permission to do something.

-Adrian

On 7/28/2011 11:18 PM, Mansour Al Akeel wrote:

> Adrian,
> What would be the correct permission to use to protect projects the user
> is not part of ?
> I am using "PROJECTMGR_ROLE_VIEW", based on my understanding but not
> sure if this is correct.
>
> Can you please kindly, explain (give a link) about the difference in
> creating a separate service to check the permission, and specific
> permission check in the screen the way I am doing it ? I understand
> examples exist in another components, but examples for checking the
> permission in a screen are used widely in the same file I am editing.
>
>
> Thank you.
>
>
> On Thu Jul 28,2011 06:51 pm, Adrian Crum wrote:
>> Create a permission service, then use that in your screens instead of
>> specific permission checks. You can find examples of this in the Party
>> Manager.
>>
>> -Adrian
>>
>>
>> On 7/28/2011 6:49 PM, Mansour Al Akeel wrote:
>>> On my local system, any user with PROJECTMGR_VIEW can access projects
>>> even if they are not listed as a resource. I wanted to limit this
>>> permission so, I edited the ProjectScreens.xml to check for permissions.
>>>
>>> <screen name="ProjectView">
>>>       <section>
>>>           <condition>
>>>               <or>
>>>                   <if-has-permission permission="PROJECTMGR_ADMIN"/>
>>>                   <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
>>>               </or>
>>>           </condition>
>>>           <actions>
>>>               <set field="titleProperty" value="ProjectMgrProjectSummary"/>
>>>               <set field="tabButtonItem" value="projectView"/>
>>>               <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
>>>               <service service-name="getProject" result-map="result">
>>>                   <field-map field-name="projectId" from-field="projectId"/>
>>>               </service>
>>>               <set field="project" from-field="result.projectInfo"/>
>>>           </actions>
>>>           <widgets>
>>>               <decorator-screen name="CommonProjectDecorator" location="${parameters.mainDecoratorLocation}">
>>>                   <decorator-section name="body">
>>>                       <container style="lefthalf">
>>>                           <screenlet title="${uiLabelMap.PageTitleProjectInformation}">
>>>                               <include-form name="ProjectInfo" location="component://projectmgr/widget/forms/ProjectForms.xml"/>
>>>                           </screenlet>
>>>                           <include-screen name="SubProjectsInfo"/>
>>>                           <include-screen name="PhasesInfo"/>
>>>                       </container>
>>>                       <container style="righthalf">
>>>                           <include-screen name="PartiesInfo"/>
>>>                           <include-screen name="NoteInfo"/>
>>>                           <include-screen name="ListProjectContent"/>
>>>                           <include-screen name="OrderInfo"/>
>>>                       </container>
>>>                       <container style="clear"/>
>>>                       <include-screen name="TasksInfo"/>
>>>                   </decorator-section>
>>>               </decorator-screen>
>>>           </widgets>
>>>       </section>
>>> </screen>
>>>
>>> However, a user with PROJECTMGR_ROLE_VIEW can still view any project
>>> regardless if she is a member of that project or not, by navigating to:
>>>
>>> https://localhost:8443/projectmgr/control/projectView?projectId=9100
>>>
>>> If I understand things correctly, PROJECTMGR_ROLE_VIEW allows access to
>>> entities owned by party, or if she is listed as a resource.
>>>
>>> Any advice ?
>>>
>>>
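
The difference between the screen's <if-has-permission> test and the per-project check a permission service can make, as an added Python model; it is not part of the thread and not OFBiz code. The assignment records, party ids and function names are constructed for illustration; only the permission names, the projectId/workEffortId parameters and project id 9100 come from the posts.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

ADMIN = "PROJECTMGR_ADMIN"
ROLE_VIEW = "PROJECTMGR_ROLE_VIEW"


@dataclass(frozen=True)
class Assignment:
    """Constructed record linking one party to one project."""
    project_id: str
    party_id: str
    from_date: date
    thru_date: Optional[date] = None  # None: assignment is still open

    def active_on(self, day: date) -> bool:
        return self.from_date <= day and (
            self.thru_date is None or day <= self.thru_date)


@dataclass(frozen=True)
class User:
    party_id: str
    permissions: frozenset


# Constructed sample data: who is listed on which project.
ASSIGNMENTS = [
    Assignment("9000", "alice", date(2011, 1, 1)),
    Assignment("9100", "bob", date(2011, 1, 1)),
    Assignment("9100", "carol", date(2011, 1, 1), thru_date=date(2011, 6, 30)),
]


def requested_project_id(params: dict) -> Optional[str]:
    """Same fallback as the screen: projectId, else workEffortId."""
    return params.get("projectId") or params.get("workEffortId")


def screen_level_check(user: User, params: dict) -> bool:
    """Model of the <or> of two if-has-permission tests.

    It asks only what the user holds; the requested project id in
    params is never consulted, so any id in the URL passes.
    """
    return bool(user.permissions & {ADMIN, ROLE_VIEW})


def object_level_check(user: User, params: dict, today: date,
                       assignments=ASSIGNMENTS) -> bool:
    """Model of a permission service that ties the grant to the project."""
    if ADMIN in user.permissions:
        return True  # administrators are not limited to their own projects
    if ROLE_VIEW not in user.permissions:
        return False
    project_id = requested_project_id(params)
    if project_id is None:
        return False  # no object named in the request: deny
    return any(
        a.project_id == project_id
        and a.party_id == user.party_id
        and a.active_on(today)
        for a in assignments
    )


def decide(user: User, params: dict, today: date) -> tuple:
    """Return (screen-level result, object-level result) for one request."""
    return (screen_level_check(user, params),
            object_level_check(user, params, today))


if __name__ == "__main__":
    today = date(2011, 7, 28)
    users = {
        "alice": User("alice", frozenset({ROLE_VIEW})),  # listed on 9000 only
        "bob": User("bob", frozenset({ROLE_VIEW})),      # listed on 9100
        "carol": User("carol", frozenset({ROLE_VIEW})),  # assignment expired
        "dave": User("dave", frozenset({ADMIN})),        # not listed anywhere
    }
    for name, user in users.items():
        screen, obj = decide(user, {"projectId": "9100"}, today)
        print(f"{name:6} projectView?projectId=9100  "
              f"screen-level={screen}  object-level={obj}")
```
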

Re: Protecting Project Screen from parties not listed as a resource

Mansour
Adrian,
I think there's a service already that does that. However, I am not sure
I am using it or understand it properly.

The service is in "specialpurpose/projectmgr/script/org/ofbiz/project/ProjectPermissionServices.xml"

<simple-method method-name="projectMgrPermission" short-description="general service to check access to the project component">
    <set field="primaryPermission" value="PROJECTMGR"/>
    <set field="hasPermission" value="true" type="Boolean"/>
    <set field="hasNoPermission" value="false" type="Boolean"/>
    <set field="mainAction" from-field="parameters.mainAction"/>

    <!-- find object -->
    <if-compare field="parameters.resourceDescription" value="Timesheet" operator="contains">
        <set field="sec_object" value="TIMESHEET"/>
        <else>
            <if-compare field="parameters.resourceDescription" value="TimeEntry" operator="contains">
                <set field="sec_object" value="TIMEENTRY"/>
                <else>
                    <if-compare field="parameters.resourceDescription" value="Task" operator="contains">
                        <set field="sec_object" value="TASK"/><!-- task before project because of name 'getProjectTask' -->

I am calling it from projectmgr/widget/ProjectScreens.xml. I just added the <condition> part

<screen name="ProjectView">
    <section>
        <condition>
            <if-service-permission service-name="projectMgrPermission" main-action="VIEW"/>
        </condition>
        <actions>
            <set field="titleProperty" value="ProjectMgrProjectSummary"/>
            <set field="tabButtonItem" value="projectView"/>
            <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
            <service service-name="getProject" result-map="result">
                <field-map field-name="projectId" from-field="projectId"/>
            </service>

The issue now is no user has access to any project.
What am I missing ?

Thank you in advance.

On Thu Jul 28,2011 11:34 pm, Adrian Crum wrote:

> Look in Party Manager. There are permission services that check to see
> if the logged-in user is connected to another party in some way before
> granting permission to do something.
>
> -Adrian
>
> On 7/28/2011 11:18 PM, Mansour Al Akeel wrote:
> > Adrian,
> > What would be the correct permission to use to protect projects the user
> > is not part of ?
> > I am using "PROJECTMGR_ROLE_VIEW", based on my understanding but not
> > sure if this is correct.
> >
> > Can you please kindly, explain (give a link) about the difference in
> > creating a separate service to check the permission, and specific
> > permission check in the screen the way I am doing it ? I understand
> > examples exist in another components, but examples for checking the
> > permission in a screen are used widely in the same file I am editing.
> >
> >
> > Thank you.
> >
> >
> > On Thu Jul 28,2011 06:51 pm, Adrian Crum wrote:
> >> Create a permission service, then use that in your screens instead of
> >> specific permission checks. You can find examples of this in the Party
> >> Manager.
> >>
> >> -Adrian
> >>
> >>
> >> On 7/28/2011 6:49 PM, Mansour Al Akeel wrote:
> >>> On my local system, any user with PROJECTMGR_VIEW can access projects
> >>> even if they are not listed as a resource. I wanted to limit this
> >>> permission so, I edited the ProjectScreens.xml to check for permissions.
> >>>
> >>> <screen name="ProjectView">
> >>>       <section>
> >>>           <condition>
> >>>               <or>
> >>>                   <if-has-permission permission="PROJECTMGR_ADMIN"/>
> >>>                   <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
> >>>               </or>
> >>>           </condition>
> >>>           <actions>
> >>>               <set field="titleProperty" value="ProjectMgrProjectSummary"/>
> >>>               <set field="tabButtonItem" value="projectView"/>
> >>>               <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
> >>>               <service service-name="getProject" result-map="result">
> >>>                   <field-map field-name="projectId" from-field="projectId"/>
> >>>               </service>
> >>>               <set field="project" from-field="result.projectInfo"/>
> >>>           </actions>
> >>>           <widgets>
> >>>               <decorator-screen name="CommonProjectDecorator" location="${parameters.mainDecoratorLocation}">
> >>>                   <decorator-section name="body">
> >>>                       <container style="lefthalf">
> >>>                           <screenlet title="${uiLabelMap.PageTitleProjectInformation}">
> >>>                               <include-form name="ProjectInfo" location="component://projectmgr/widget/forms/ProjectForms.xml"/>
> >>>                           </screenlet>
> >>>                           <include-screen name="SubProjectsInfo"/>
> >>>                           <include-screen name="PhasesInfo"/>
> >>>                       </container>
> >>>                       <container style="righthalf">
> >>>                           <include-screen name="PartiesInfo"/>
> >>>                           <include-screen name="NoteInfo"/>
> >>>                           <include-screen name="ListProjectContent"/>
> >>>                           <include-screen name="OrderInfo"/>
> >>>                       </container>
> >>>                       <container style="clear"/>
> >>>                       <include-screen name="TasksInfo"/>
> >>>                   </decorator-section>
> >>>               </decorator-screen>
> >>>           </widgets>
> >>>       </section>
> >>> </screen>
> >>>
> >>> However, a user with PROJECTMGR_ROLE_VIEW can still view any project
> >>> regardless if she is a member of that project or not, by navigating to:
> >>>
> >>> https://localhost:8443/projectmgr/control/projectView?projectId=9100
> >>>
> > >>> If I understand things correctly, PROJECTMGR_ROLE_VIEW allows access to
> >>> entities owned by party, or if she is listed as a resource.
> >>>
> >>> Any advice ?
> >>>
> >>>

Re: Protecting Project Screen from parties not listed as a resource

Adrian Crum-3
You have your code set up correctly. You just need to examine the
permission service to see what conditions it is looking for to grant
permission, then set up your user with those conditions.

-Adrian



On 7/29/2011 7:35 PM, Mansour Al Akeel wrote:

> Adrian,
> I think there's a service already that does that. However, I am not sure
> I am using it or understand it properly.
>
> The service is in "specialpurpose/projectmgr/script/org/ofbiz/project/ProjectPermissionServices.xml"
>
> <simple-method method-name="projectMgrPermission" short-description="general service to check access to the project component">
>      <set field="primaryPermission" value="PROJECTMGR"/>
>      <set field="hasPermission" value="true" type="Boolean"/>
>      <set field="hasNoPermission" value="false" type="Boolean"/>
>      <set field="mainAction" from-field="parameters.mainAction"/>
>
>      <!-- find object -->
>      <if-compare field="parameters.resourceDescription" value="Timesheet" operator="contains">
>          <set field="sec_object" value="TIMESHEET"/>
>          <else>
>              <if-compare field="parameters.resourceDescription" value="TimeEntry" operator="contains">
>                  <set field="sec_object" value="TIMEENTRY"/>
>                  <else>
>                      <if-compare field="parameters.resourceDescription" value="Task" operator="contains">
>                          <set field="sec_object" value="TASK"/><!-- task before project because of name 'getProjectTask' -->
>
> I am calling it from projectmgr/widget/ProjectScreens.xml. I just added the <condition> part
>
> <screen name="ProjectView">
>      <section>
>          <condition>
>              <if-service-permission service-name="projectMgrPermission" main-action="VIEW"/>
>          </condition>
>          <actions>
>              <set field="titleProperty" value="ProjectMgrProjectSummary"/>
>              <set field="tabButtonItem" value="projectView"/>
>              <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
>              <service service-name="getProject" result-map="result">
>                  <field-map field-name="projectId" from-field="projectId"/>
>              </service>
>
> The issue now is no user has access to any project.
> What am I missing ?
>
> Thank you in advance.
>
> On Thu Jul 28,2011 11:34 pm, Adrian Crum wrote:
>> Look in Party Manager. There are permission services that check to see
>> if the logged-in user is connected to another party in some way before
>> granting permission to do something.
>>
>> -Adrian
>>
>> On 7/28/2011 11:18 PM, Mansour Al Akeel wrote:
>>> Adrian,
>>> What would be the correct permission to use to protect projects the user
>>> is not part of ?
>>> I am using "PROJECTMGR_ROLE_VIEW", based on my understanding but not
>>> sure if this is correct.
>>>
>>> Can you please kindly explain (give a link) about the difference in
>>> creating a separate service to check the permission, and specific
>>> permission check in the screen the way I am doing it? I understand
>>> examples exist in other components, but examples for checking the
>>> permission in a screen are used widely in the same file I am editing.
>>>
>>>
>>> Thank you.
>>>
>>>
>>> On Thu Jul 28,2011 06:51 pm, Adrian Crum wrote:
>>>> Create a permission service, then use that in your screens instead of
>>>> specific permission checks. You can find examples of this in the Party
>>>> Manager.
>>>>
>>>> -Adrian
>>>>
>>>>
>>>> On 7/28/2011 6:49 PM, Mansour Al Akeel wrote:
>>>>> On my local system, any user with PROJECTMGR_VIEW can access projects
>>>>> even if they are not listed as a resource. I wanted to limit this
>>>>> permission, so I edited the ProjectScreens.xml to check for permissions.
>>>>>
>>>>> <screen name="ProjectView">
>>>>>        <section>
>>>>>            <condition>
>>>>>                <or>
>>>>>                    <if-has-permission permission="PROJECTMGR_ADMIN"/>
>>>>>                    <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
>>>>>                </or>
>>>>>            </condition>
>>>>>            <actions>
>>>>>                <set field="titleProperty" value="ProjectMgrProjectSummary"/>
>>>>>                <set field="tabButtonItem" value="projectView"/>
>>>>>                <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
>>>>>                <service service-name="getProject" result-map="result">
>>>>>                    <field-map field-name="projectId" from-field="projectId"/>
>>>>>                </service>
>>>>>                <set field="project" from-field="result.projectInfo"/>
>>>>>            </actions>
>>>>>            <widgets>
>>>>>                <decorator-screen name="CommonProjectDecorator" location="${parameters.mainDecoratorLocation}">
>>>>>                    <decorator-section name="body">
>>>>>                        <container style="lefthalf">
>>>>>                            <screenlet title="${uiLabelMap.PageTitleProjectInformation}">
>>>>>                                <include-form name="ProjectInfo" location="component://projectmgr/widget/forms/ProjectForms.xml"/>
>>>>>                            </screenlet>
>>>>>                            <include-screen name="SubProjectsInfo"/>
>>>>>                            <include-screen name="PhasesInfo"/>
>>>>>                        </container>
>>>>>                        <container style="righthalf">
>>>>>                            <include-screen name="PartiesInfo"/>
>>>>>                            <include-screen name="NoteInfo"/>
>>>>>                            <include-screen name="ListProjectContent"/>
>>>>>                            <include-screen name="OrderInfo"/>
>>>>>                        </container>
>>>>>                        <container style="clear"/>
>>>>>                        <include-screen name="TasksInfo"/>
>>>>>                    </decorator-section>
>>>>>                </decorator-screen>
>>>>>            </widgets>
>>>>>        </section>
>>>>> </screen>
>>>>>
>>>>> However, a user with PROJECTMGR_ROLE_VIEW can still view any project
>>>>> regardless if she is a member of that project or not, by navigating to:
>>>>>
>>>>> https://localhost:8443/projectmgr/control/projectView?projectId=9100
>>>>>
>>>>> If I understand things correctly, PROJECTMGR_ROLE_VIEW allows access to
>>>>> entities owned by party, or if she is listed as a resource.
>>>>>
>>>>> Any advice ?
>>>>>
>>>>>

Re: Protecting Project Screen from parties not listed as a resource

Mansour
Adrian,
First of all, thank you for the fast response.

The issue is even admin cannot log in. I feel there's something wrong
with the parameters. Here's the declaration of the service in:
specialpurpose/projectmgr/servicedef/services.xml

<service name="projectMgrPermission" engine="simple"
    location="component://projectmgr/script/org/ofbiz/project/ProjectPermissionServices.xml" invoke="projectMgrPermission">
    <implements service="permissionInterface"/>
    <attribute name="projectId" type="String" mode="IN" optional="true"/>
    <attribute name="phaseId" type="String" mode="IN" optional="true"/>
    <attribute name="workEffortId" type="String" mode="IN" optional="true"/>
    <attribute name="taskId" type="String" mode="IN" optional="true"/>
    <attribute name="partyId" type="String" mode="IN" optional="true"/>
    <attribute name="timesheetId" type="String" mode="IN" optional="true"/>
    <attribute name="timeEntryId" type="String" mode="IN" optional="true"/>
</service>

I don't see any of these attributes being set anywhere. Am I missing
something?


On Fri Jul 29,2011 08:53 pm, Adrian Crum wrote:

> You have your code set up correctly. You just need to examine the
> permission service to see what conditions it is looking for to grant
> permission, then set up your user with those conditions.
>
> -Adrian
>
>
>
> On 7/29/2011 7:35 PM, Mansour Al Akeel wrote:
> > Adrian,
> > I think there's a service already that does that. However, I am not sure
> > I am using it or understand it properly.
> >
> > The service is in "specialpurpose/projectmgr/script/org/ofbiz/project/ProjectPermissionServices.xml"
> >
> > <simple-method method-name="projectMgrPermission" short-description="general service to check access to the project component">
> >      <set field="primaryPermission" value="PROJECTMGR"/>
> >      <set field="hasPermission" value="true" type="Boolean"/>
> >      <set field="hasNoPermission" value="false" type="Boolean"/>
> >      <set field="mainAction" from-field="parameters.mainAction"/>
> >
> >      <!-- find object -->
> >      <if-compare field="parameters.resourceDescription" value="Timesheet" operator="contains">
> >          <set field="sec_object" value="TIMESHEET"/>
> >          <else>
> >              <if-compare field="parameters.resourceDescription" value="TimeEntry" operator="contains">
> >                  <set field="sec_object" value="TIMEENTRY"/>
> >                  <else>
> >                      <if-compare field="parameters.resourceDescription" value="Task" operator="contains">
> >                          <set field="sec_object" value="TASK"/><!-- task before project because of name 'getProjectTask' -->
> >
> > I am calling it from projectmgr/widget/ProjectScreens.xml. I just added the <condition> part
> >
> > <screen name="ProjectView">
> >      <section>
> >          <condition>
> >              <if-service-permission service-name="projectMgrPermission" main-action="VIEW"/>
> >          </condition>
> >          <actions>
> >              <set field="titleProperty" value="ProjectMgrProjectSummary"/>
> >              <set field="tabButtonItem" value="projectView"/>
> >              <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
> >              <service service-name="getProject" result-map="result">
> >                  <field-map field-name="projectId" from-field="projectId"/>
> >              </service>
> >
> > The issue now is no user has access to any project.
> > What am I missing?
> >
> > Thank you in advance.
> >
> > On Thu Jul 28,2011 11:34 pm, Adrian Crum wrote:
> >> Look in Party Manager. There are permission services that check to see
> >> if the logged-in user is connected to another party in some way before
> >> granting permission to do something.
> >>
> >> -Adrian
> >>
> >> On 7/28/2011 11:18 PM, Mansour Al Akeel wrote:
> >>> Adrian,
> >>> What would be the correct permission to use to protect projects the user
> >>> is not part of ?
> >>> I am using "PROJECTMGR_ROLE_VIEW", based on my understanding but not
> >>> sure if this is correct.
> >>>
> >>> Can you please kindly explain (give a link) about the difference in
> >>> creating a separate service to check the permission, and specific
> >>> permission check in the screen the way I am doing it? I understand
> >>> examples exist in other components, but examples for checking the
> >>> permission in a screen are used widely in the same file I am editing.
> >>>
> >>>
> >>> Thank you.
> >>>
> >>>
> >>> On Thu Jul 28,2011 06:51 pm, Adrian Crum wrote:
> >>>> Create a permission service, then use that in your screens instead of
> >>>> specific permission checks. You can find examples of this in the Party
> >>>> Manager.
> >>>>
> >>>> -Adrian
> >>>>
> >>>>
> >>>> On 7/28/2011 6:49 PM, Mansour Al Akeel wrote:
> >>>>> On my local system, any user with PROJECTMGR_VIEW can access projects
> >>>>> even if they are not listed as a resource. I wanted to limit this
> >>>>> permission, so I edited the ProjectScreens.xml to check for permissions.
> >>>>>
> >>>>> <screen name="ProjectView">
> >>>>>        <section>
> >>>>>            <condition>
> >>>>>                <or>
> >>>>>                    <if-has-permission permission="PROJECTMGR_ADMIN"/>
> >>>>>                    <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
> >>>>>                </or>
> >>>>>            </condition>
> >>>>>            <actions>
> >>>>>                <set field="titleProperty" value="ProjectMgrProjectSummary"/>
> >>>>>                <set field="tabButtonItem" value="projectView"/>
> >>>>>                <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
> >>>>>                <service service-name="getProject" result-map="result">
> >>>>>                    <field-map field-name="projectId" from-field="projectId"/>
> >>>>>                </service>
> >>>>>                <set field="project" from-field="result.projectInfo"/>
> >>>>>            </actions>
> >>>>>            <widgets>
> >>>>>                <decorator-screen name="CommonProjectDecorator" location="${parameters.mainDecoratorLocation}">
> >>>>>                    <decorator-section name="body">
> >>>>>                        <container style="lefthalf">
> >>>>>                            <screenlet title="${uiLabelMap.PageTitleProjectInformation}">
> >>>>>                                <include-form name="ProjectInfo" location="component://projectmgr/widget/forms/ProjectForms.xml"/>
> >>>>>                            </screenlet>
> >>>>>                            <include-screen name="SubProjectsInfo"/>
> >>>>>                            <include-screen name="PhasesInfo"/>
> >>>>>                        </container>
> >>>>>                        <container style="righthalf">
> >>>>>                            <include-screen name="PartiesInfo"/>
> >>>>>                            <include-screen name="NoteInfo"/>
> >>>>>                            <include-screen name="ListProjectContent"/>
> >>>>>                            <include-screen name="OrderInfo"/>
> >>>>>                        </container>
> >>>>>                        <container style="clear"/>
> >>>>>                        <include-screen name="TasksInfo"/>
> >>>>>                    </decorator-section>
> >>>>>                </decorator-screen>
> >>>>>            </widgets>
> >>>>>        </section>
> >>>>> </screen>
> >>>>>
> >>>>> However, a user with PROJECTMGR_ROLE_VIEW can still view any project
> >>>>> regardless if she is a member of that project or not, by navigating to:
> >>>>>
> >>>>> https://localhost:8443/projectmgr/control/projectView?projectId=9100
> >>>>>
> >>>>> If I understand things correctly, PROJECTMGR_ROLE_VIEW allows access to
> >>>>> entities owned by party, or if she is listed as a resource.
> >>>>>
> >>>>> Any advice ?
> >>>>>
> >>>>>
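An added example, not part of the thread and not OFBiz code: a small audit script that walks screen definitions and reports which kind of check guards every screen that loads a record by an id taken from the request, which is the difference between the `if-has-permission` and `if-service-permission` variants quoted above. The sample XML is constructed (modelled on the quoted `ProjectView` screen), and the screen names other than `ProjectView`'s elements and the finding labels are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the ProjectView variants quoted in the thread.
SAMPLE_SCREENS = """<screens>
  <screen name="ProjectViewStatic"><section>
    <condition><or>
      <if-has-permission permission="PROJECTMGR_ADMIN"/>
      <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
    </or></condition>
    <actions><set field="projectId" from-field="parameters.projectId"/></actions>
  </section></screen>
  <screen name="ProjectViewService"><section>
    <condition>
      <if-service-permission service-name="projectMgrPermission" main-action="VIEW"/>
    </condition>
    <actions><set field="projectId" from-field="parameters.projectId"/></actions>
  </section></screen>
  <screen name="ProjectViewOpen"><section>
    <actions><set field="projectId" from-field="parameters.projectId"/></actions>
  </section></screen>
  <screen name="Main"><section>
    <condition><if-has-permission permission="PROJECTMGR_VIEW"/></condition>
    <actions><set field="tabButtonItem" value="main"/></actions>
  </section></screen>
</screens>"""

def has_tag(element, tag):
    # Element truthiness depends on child count, so test for presence explicitly.
    return next(element.iter(tag), None) is not None

def audit_screens(xml_text):
    """Classify the access check on each screen that loads a record by a request-supplied id."""
    findings = {}
    for screen in ET.fromstring(xml_text).iter("screen"):
        sources = [s.get("from-field", "") for s in screen.iter("set")]
        if not any(f.startswith("parameters.") and f.endswith("Id") for f in sources):
            continue  # no object id taken from the request; out of scope here
        condition = screen.find("./section/condition")
        if condition is None:
            verdict = "no-condition"
        elif has_tag(condition, "if-service-permission"):
            verdict = "service-check"  # still review what the service actually tests
        elif has_tag(condition, "if-has-permission"):
            verdict = "static-permission-only"  # id in the URL is never tied to the user
        else:
            verdict = "other-condition"
        findings[screen.get("name")] = verdict
    return findings

if __name__ == "__main__":
    print(audit_screens(SAMPLE_SCREENS))
```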