On my local system, any user with PROJECTMGR_VIEW can access projects
even if they are not listed as a resource. I wanted to limit this
permission so, I edited the ProjectScreens.xml to check for permissions.

    <screen name="ProjectView">
        <section>
            <condition>
                <or>
                    <if-has-permission permission="PROJECTMGR_ADMIN"/>
                    <if-has-permission permission="PROJECTMGR_ROLE_VIEW"/>
                </or>
            </condition>
            <actions>
                <set field="titleProperty" value="ProjectMgrProjectSummary"/>
                <set field="tabButtonItem" value="projectView"/>
                <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
                <service service-name="getProject" result-map="result">
                    <field-map field-name="projectId" from-field="projectId"/>
                </service>
                <set field="project" from-field="result.projectInfo"/>
            </actions>
            <widgets>
                <decorator-screen name="CommonProjectDecorator" location="${parameters.mainDecoratorLocation}">
                    <decorator-section name="body">
                        <container style="lefthalf">
                            <screenlet title="${uiLabelMap.PageTitleProjectInformation}">
                                <include-form name="ProjectInfo" location="component://projectmgr/widget/forms/ProjectForms.xml"/>
                            </screenlet>
                            <include-screen name="SubProjectsInfo"/>
                            <include-screen name="PhasesInfo"/>
                        </container>
                        <container style="righthalf">
                            <include-screen name="PartiesInfo"/>
                            <include-screen name="NoteInfo"/>
                            <include-screen name="ListProjectContent"/>
                            <include-screen name="OrderInfo"/>
                        </container>
                        <container style="clear"/>
                        <include-screen name="TasksInfo"/>
                    </decorator-section>
                </decorator-screen>
            </widgets>
        </section>
    </screen>

However, a user with PROJECTMGR_ROLE_VIEW can still view any project
regardless if she is a member of that project or not, by navigating to:

https://localhost:8443/projectmgr/control/projectView?projectId=9100

If I understand things correctly, PROJECTMGR_ROLE_VIEW allows access to
entities owned by party, or if she is listed as a resource.

Any advice?

Create a permission service, then use that in your screens instead of
specific permission checks. You can find examples of this in the Party
Manager.

-Adrian

On 7/28/2011 6:49 PM, Mansour Al Akeel wrote:
> On my local system, any user with PROJECTMGR_VIEW can access projects
> even if they are not listed as a resource. I wanted to limit this
> permission so, I edited the ProjectScreens.xml to check for permissions.

In reply to this post by Mansour
There is another permission in the ProjectMgrSecurityData.xml
PROJECTUSER
so remove the PROJECTMGR_ from those that you don't want to have that
permission.

Mansour Al Akeel sent the following on 7/28/2011 10:49 AM:
> On my local system, any user with PROJECTMGR_VIEW can access projects
> even if they are not listed as a resource. I wanted to limit this
> permission so, I edited the ProjectScreens.xml to check for permissions.

Sorry, that did not make much sense.
So create a new permission like PERSONPROJ with just the PROJECTMGR_ you want it to have.

BJ Freeman sent the following on 7/28/2011 12:13 PM:
> there is another permission in the ProjectMgrSecurityData.xml
> PROJECTUSER
> so remove the PROJECTMGR_ from those that you don't want to have that
> permission.

In reply to this post by Mansour
Another approach is to use the portlets and follow the myxxxx like
mytasks. Then only allow them to log in to myportal and have the portal permissions.

Mansour Al Akeel sent the following on 7/28/2011 10:49 AM:
> On my local system, any user with PROJECTMGR_VIEW can access projects
> even if they are not listed as a resource. I wanted to limit this
> permission so, I edited the ProjectScreens.xml to check for permissions.

In reply to this post by Adrian Crum-3
Adrian,
What would be the correct permission to use to protect projects the user
is not part of?
I am using "PROJECTMGR_ROLE_VIEW", based on my understanding, but I am not
sure if this is correct.

Can you please kindly explain (give a link) the difference between
creating a separate service to check the permission, and a specific
permission check in the screen the way I am doing it? I understand
examples exist in other components, but examples for checking the
permission in a screen are used widely in the same file I am editing.

Thank you.

On Thu Jul 28,2011 06:51 pm, Adrian Crum wrote:
> Create a permission service, then use that in your screens instead of
> specific permission checks. You can find examples of this in the Party
> Manager.
>
> -Adrian

Look in Party Manager. There are permission services that check to see
if the logged-in user is connected to another party in some way before
granting permission to do something.

-Adrian

On 7/28/2011 11:18 PM, Mansour Al Akeel wrote:
> Adrian,
> What would be the correct permission to use to protect projects the user
> is not part of ?
> I am using "PROJECTMGR_ROLE_VIEW", based on my understanding but not
> sure if this is correct.

Adrian,
I think there's a service already that does that. However, I am not sure
I am using it or understand it properly.

The service is in "specialpurpose/projectmgr/script/org/ofbiz/project/ProjectPermissionServices.xml"

    <simple-method method-name="projectMgrPermission" short-description="general service to check access to the project component">
        <set field="primaryPermission" value="PROJECTMGR"/>
        <set field="hasPermission" value="true" type="Boolean"/>
        <set field="hasNoPermission" value="false" type="Boolean"/>
        <set field="mainAction" from-field="parameters.mainAction"/>

        <!-- find object -->
        <if-compare field="parameters.resourceDescription" value="Timesheet" operator="contains">
            <set field="sec_object" value="TIMESHEET"/>
            <else>
                <if-compare field="parameters.resourceDescription" value="TimeEntry" operator="contains">
                    <set field="sec_object" value="TIMEENTRY"/>
                    <else>
                        <if-compare field="parameters.resourceDescription" value="Task" operator="contains">
                            <set field="sec_object" value="TASK"/><!-- task before project because of name 'getProjectTask' -->

I am calling it from projectmgr/widget/ProjectScreens.xml. I just added the <condition> part

    <screen name="ProjectView">
        <section>
            <condition>
                <if-service-permission service-name="projectMgrPermission" main-action="VIEW"/>
            </condition>
            <actions>
                <set field="titleProperty" value="ProjectMgrProjectSummary"/>
                <set field="tabButtonItem" value="projectView"/>
                <set field="projectId" from-field="parameters.projectId" default-value="${parameters.workEffortId}"/>
                <service service-name="getProject" result-map="result">
                    <field-map field-name="projectId" from-field="projectId"/>
                </service>

The issue now is no user has access to any project.
What am I missing?

Thank you in advance.

On Thu Jul 28,2011 11:34 pm, Adrian Crum wrote:
> Look in Party Manager. There are permission services that check to see
> if the logged-in user is connected to another party in some way before
> granting permission to do something.
>
> -Adrian

You have your code set up correctly. You just need to examine the
permission service to see what conditions it is looking for to grant
permission, then set up your user with those conditions.

-Adrian

On 7/29/2011 7:35 PM, Mansour Al Akeel wrote:
> Adrian,
> I think there's a service already that does that. However, I am not sure
> I am using it or understand it properly.

Adrian,
first of all, thank you for the fast response. The issue is even admin
cannot log in. I feel there's something wrong with the parameters.
Here's the declaration of the service in:
specialpurpose/projectmgr/servicedef/services.xml

    <service name="projectMgrPermission" engine="simple"
            location="component://projectmgr/script/org/ofbiz/project/ProjectPermissionServices.xml" invoke="projectMgrPermission">
        <implements service="permissionInterface"/>
        <attribute name="projectId" type="String" mode="IN" optional="true"/>
        <attribute name="phaseId" type="String" mode="IN" optional="true"/>
        <attribute name="workEffortId" type="String" mode="IN" optional="true"/>
        <attribute name="taskId" type="String" mode="IN" optional="true"/>
        <attribute name="partyId" type="String" mode="IN" optional="true"/>
        <attribute name="timesheetId" type="String" mode="IN" optional="true"/>
        <attribute name="timeEntryId" type="String" mode="IN" optional="true"/>
    </service>

I do not see any of these attributes being set anywhere.
Am I missing something?

On Fri Jul 29,2011 08:53 pm, Adrian Crum wrote:
> You have your code set up correctly. You just need to examine the
> permission service to see what conditions it is looking for to grant
> permission, then set up your user with those conditions.
>
> -Adrian

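The distinction this thread turns on, as an added example (not part of the original posts and not OFBiz code): a Python model contrasting the role-only screen check from the first post with a permission check that also asks whether the logged-in user's party is listed on the requested project. The `User` and `Assignment` classes, the function names, the party ids and project 9200 are constructed for illustration; denying a role-limited request that arrives without a project id is a design assumption of this model, not a statement about how `projectMgrPermission` behaves.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional, Tuple

# Constructed model for illustration; class and function names are assumptions,
# not OFBiz APIs. The permission names are the ones quoted in the thread.
ADMIN_PERM = "PROJECTMGR_ADMIN"
ROLE_VIEW_PERM = "PROJECTMGR_ROLE_VIEW"


@dataclass(frozen=True)
class User:
    login: str
    party_id: str
    permissions: frozenset


@dataclass(frozen=True)
class Assignment:
    """One party listed on one project; thru_date None means still active."""
    project_id: str
    party_id: str
    from_date: datetime
    thru_date: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        started = self.from_date <= when
        not_ended = self.thru_date is None or when < self.thru_date
        return started and not_ended


def screen_role_check(user: User) -> bool:
    """Role-only check, equivalent to the <or> of two <if-has-permission> tests.

    The requested projectId is never consulted, so every holder of
    PROJECTMGR_ROLE_VIEW passes for every project.
    """
    return ADMIN_PERM in user.permissions or ROLE_VIEW_PERM in user.permissions


def project_view_permission(
    user: User,
    project_id: Optional[str],
    assignments: Iterable[Assignment],
    now: datetime,
) -> Tuple[bool, str]:
    """Object-level check: returns (has_permission, fail_message)."""
    if ADMIN_PERM in user.permissions:
        return True, ""  # unrestricted permission: no membership lookup needed
    if ROLE_VIEW_PERM not in user.permissions:
        return False, "user holds no project view permission"
    if not project_id:
        # Fail closed: without the object id there is nothing to check membership against.
        return False, "projectId was not passed to the permission check"
    for a in assignments:
        if a.project_id == project_id and a.party_id == user.party_id and a.active_at(now):
            return True, ""
    return False, f"party {user.party_id} is not assigned to project {project_id}"


# --- Constructed sample data (project 9100 is the id from the thread's URL) ---
NOW = datetime(2011, 7, 29, 12, 0)
ADMIN = User("admin", "ADMIN_PARTY", frozenset({ADMIN_PERM}))
ALICE = User("alice", "ALICE", frozenset({ROLE_VIEW_PERM}))
BOB = User("bob", "BOB", frozenset({ROLE_VIEW_PERM}))
GUEST = User("guest", "GUEST", frozenset())
ASSIGNMENTS = [
    Assignment("9100", "ALICE", datetime(2011, 1, 1)),
    Assignment("9100", "BOB", datetime(2011, 1, 1), datetime(2011, 6, 30)),  # expired
    Assignment("9200", "BOB", datetime(2011, 1, 1)),
]


def access_matrix() -> dict:
    """Decision of both checks for each sample user requesting project 9100."""
    matrix = {}
    for user in (ADMIN, ALICE, BOB, GUEST):
        allowed, _ = project_view_permission(user, "9100", ASSIGNMENTS, NOW)
        matrix[user.login] = {"role_only": screen_role_check(user), "object_level": allowed}
    return matrix


if __name__ == "__main__":
    for login, decision in access_matrix().items():
        print(login, decision)
```
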