Role-based security is disabled

Role-based security is disabled

Wai

There is a section of code that is commented out in ModelPermission.evalRoleMember().  The comment indicates that it is a security risk.
Could someone tell me what risk it presents?

As this code is masked out, role-based security is effectively disabled.  In addition, the code is looking for from/thru dates, which are not a part of the PartyRole entity.

Could someone provide some insight?

Thanks,
Wai


Re: Role-based security is disabled

Wai
Hello,
Any takers for this post?
Thanks

Re: Role-based security is disabled

Scott Gray-2
Probably because PartyRole records actually mean very little by themselves and typically require some sort of context before they're useful.  For example, it doesn't mean much to be an EMPLOYEE if we don't know what company you're employed by.

So you can't simply use PartyRole by itself as some sort of authorization mechanism.  That's my take on it at least; I didn't comment the code, so I can't say for a fact what the motivation was.

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 10/08/2010, at 9:53 AM, Wai wrote:

> There is a section of code that is commented out in
> ModelPermission.evalRoleMember().  The comment indicates that it is a
> security risk.
> Could someone tell me what risk it presents?
>
> As this code is masked out, role-based security is effectively disabled.  In
> addition, the code is looking for from/thru dates, which are not a part of the
> PartyRole entity.
>
> Could someone provide some insight?
>
> Thanks,
> Wai


Re: Role-based security is disabled

Wai
Thanks for the reply Scott.
Your reply makes a lot of sense.

https://cwiki.apache.org/confluence/display/OFBTECH/OFBiz+security gives a brief description of role-based security.  When looking at the suggested code of OrderService.hasPermission() and ProductEvents.checkStoreCustomerRole(), OrderService.OrderServices() makes use of the role type and relationship related to PartyRoles and PartyRelationships, and ProductEvents.checkStoreCustomerRole() only references the ProductStoreRole entity.

My conclusion is that a service defined as below would make little sense, since the specified role is not qualified by a relationship, unless it is expanded to include a from-role-type, to-role-type, relationship-type, or something like it related to a party or a party group.  I guess that is why <check-role-member role-type=...> is never used anywhere in the code to date.

<service name="someservice" ...>
    <required-permissions join-type="OR">
        <check-role-member role-type="SOMEPARTYROLE" />
    </required-permissions>
</service>

Since ModelPermission.evalRoleMember() deals with role type checks of PartyRoles, it might be a good idea to remove it to avoid future confusion.  The same would apply to the <check-role-member role-type=...> tag, unless I'm missing some other uses for it.

Thanks,
Wai
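As an added illustration of the point made in this thread (example code, not from OFBiz and not from either poster), here is a small Python model of the two checks: a bare PartyRole lookup of the kind <check-role-member> would perform, beside a check that qualifies the role with a dated PartyRelationship to a specific party. Field names follow OFBiz's PartyRole and PartyRelationship entities; the rows, party ids and dates are constructed sample data.

```python
from datetime import date

# Constructed sample rows shaped like OFBiz's PartyRole entity
# (no from/thru dates here, as noted in the thread).
PARTY_ROLE = [
    {"partyId": "alice", "roleTypeId": "EMPLOYEE"},
    {"partyId": "bob", "roleTypeId": "EMPLOYEE"},
]

# Constructed sample rows shaped like PartyRelationship, which does carry
# fromDate/thruDate and says *who* the party is an EMPLOYEE of.
PARTY_RELATIONSHIP = [
    {"partyIdFrom": "ACME", "partyIdTo": "alice",
     "roleTypeIdFrom": "INTERNAL_ORGANIZATIO", "roleTypeIdTo": "EMPLOYEE",
     "partyRelationshipTypeId": "EMPLOYMENT",
     "fromDate": date(2009, 1, 1), "thruDate": None},          # still active
    {"partyIdFrom": "ACME", "partyIdTo": "bob",
     "roleTypeIdFrom": "INTERNAL_ORGANIZATIO", "roleTypeIdTo": "EMPLOYEE",
     "partyRelationshipTypeId": "EMPLOYMENT",
     "fromDate": date(2008, 1, 1), "thruDate": date(2009, 12, 31)},  # ended
]


def is_role_member(party_id, role_type_id):
    """Bare PartyRole check: true for anyone who ever had the role, for any
    company. This is all <check-role-member role-type=...> could express."""
    return any(r["partyId"] == party_id and r["roleTypeId"] == role_type_id
               for r in PARTY_ROLE)


def _active_on(row, on):
    """Date filter belongs on the relationship, which has from/thru dates."""
    return row["fromDate"] <= on and (row["thruDate"] is None or on <= row["thruDate"])


def has_role_with(party_id, role_type_id, party_id_from, relationship_type_id, on):
    """Role qualified by context: EMPLOYEE *of party_id_from*, via an active
    relationship of the given type on date `on`."""
    return any(r["partyIdTo"] == party_id
               and r["roleTypeIdTo"] == role_type_id
               and r["partyIdFrom"] == party_id_from
               and r["partyRelationshipTypeId"] == relationship_type_id
               and _active_on(r, on)
               for r in PARTY_RELATIONSHIP)
```

The bare check answers "yes" for bob even though his employment ended, and for alice against a company she has no relationship with; the qualified check does not.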