Have you got familiar with roles and permission in ofbiz?
you can assign partyID to other partyID with a link.
Since a company is a party this is party to party relationships.
also you can use party groups and one party can be in more than one
partygroup.
as far as passing parameter they are part of the session data or context
when you do a POST the data is not in the URL.
snowch sent the following on 4/24/2009 10:39 PM:
> In my controller postprocessor, I would like to add an event that sets the a
> list of companies that the user can access. I.e. if the user is an external
> user, I only want them to have access to their own data.
>
> companyCodeList = // lookup in db based on userLoginId
> Security security = (Security)request.getAttribute("security");
> if (security.hasPermission("INTERNAL_STAFF", request.getSession())) {
> request.removeAttribute("companyCodeList");
> } else {
> request.setAttribute("companyCodeList", companyCodeList);
> }
>
> In the entity condition for the form:
>
> <condition-expr field-name="companyCode" operator="in"
> value="${parameters.companyCodeList}" ignore-if-empty="true"
> ignore-if-null="true"/>
>
> It seams that it is possible for malicious users to try to override this by
> adding http parameters, e.g.
>
http://localhost/myapp/control/something?companyCodeList=ABC>
> What is the recommended way of passing data from my controller event without
> using parameters?
>
> Many thanks in advance,
>
> Chris
--
BJ Freeman
http://www.businessesnetwork.com/automationhttp://bjfreeman.elance.comhttp://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_proSystems Integrator.