http://ofbiz.116.s1.nabble.com/OFBiz-Users-Security-Groups-Etc-tp135187p135188.html
Did this question ever get addressed/resolved? I'm also interested in understanding
security options.
> "... I can bypass the list by
activity requests beyond the front door. If so, a bit concerning, but at least good
to know.
I must admit that I'm a newbie to OFBiz. Perhaps the security model is
intentionally left to the application server domain.
> I must admit I have a disconnect when it comes to the
> concepts of security and the application of security
> at least when it's in a complicated setting. I'm
> trying to find a good model.
>
> For instance, if you were to take the catalog manager
> and you wanted one group of people to be able to view
> the catalog on the ecommerce side, you'd simply add
> them to the Catalog -> Parties form and give them the
> role of Customer (Being sure of course that you
> haven't associated the catalog with the store that
> people would be accessing, otherwise everyone looking
> at that store would have access). The same could then
> be done if you wanted to limit who could update a
> catalog by giving a party a role (eg catalog
> maintainer, etc)
>
> However this doesn't use the security extension. It
> uses CatalogWorker.java to limit a pulldown list (and
> then some derivative for the catalog maintainer). The
> problem with that is that I can bypass the list by
> typing in the url of the catalog I want to view on the
> ecommerce side.
>
> If I give someone the security group of Catalog_Admin
> then he has the permissions across catalogs not just
> the catalogs that he should be maintaining. If anyone
> could help shed some light on this, I'd appreciate it.
> I'm going to check out the blog stuff as that has
> similar needs.
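The gap described in the quoted message (a pulldown filtered by catalog role, while a request that names the catalog directly is still served) is shown here as an added example. It is not part of the original thread and is not OFBiz code: it is a self-contained Java model in which every class, method, role name and catalog id is hypothetical and the data is constructed. It contrasts a handler that trusts the filtered list with handlers that repeat the per-catalog role lookup on each request.

```java
import java.util.*;

// Added illustration: all names and data are hypothetical/constructed, none is OFBiz API.
public class CatalogAccessDemo {
    // catalogId -> (partyId -> roles that party holds on that one catalog)
    static final Map<String, Map<String, Set<String>>> CATALOG_ROLES = Map.of(
        "CatalogA", Map.of("alice", Set.of("CUSTOMER"), "carol", Set.of("CATALOG_MAINTAINER")),
        "CatalogB", Map.of("bob", Set.of("CUSTOMER")));

    static boolean hasRole(String party, String catalogId, String role) {
        return CATALOG_ROLES.getOrDefault(catalogId, Map.of())
                .getOrDefault(party, Set.of()).contains(role);
    }

    // Presentation only: decides what the pulldown offers, not what the server will serve.
    static List<String> catalogsForPulldown(String party) {
        List<String> visible = new ArrayList<>();
        for (String id : new TreeSet<>(CATALOG_ROLES.keySet()))
            if (hasRole(party, id, "CUSTOMER")) visible.add(id);
        return visible;
    }

    // Weak handler: assumes the id came from the filtered pulldown, so any existing id is served.
    static String viewUnchecked(String party, String catalogId) {
        return CATALOG_ROLES.containsKey(catalogId) ? "200 " + catalogId : "404";
    }

    // Enforcing handler: repeats the role lookup for the requested id on every request.
    // Unknown and forbidden ids get the same answer, so responses do not reveal which ids exist.
    static String viewChecked(String party, String catalogId) {
        return hasRole(party, catalogId, "CUSTOMER") ? "200 " + catalogId : "404";
    }

    // Update is scoped by a role on that catalog rather than by one permission covering all catalogs.
    static String updateChecked(String party, String catalogId) {
        return hasRole(party, catalogId, "CATALOG_MAINTAINER") ? "200 updated " + catalogId : "403";
    }

    public static void main(String[] args) {
        System.out.println("pulldown(alice)        = " + catalogsForPulldown("alice"));
        System.out.println("unchecked alice -> B   = " + viewUnchecked("alice", "CatalogB"));
        System.out.println("checked   alice -> B   = " + viewChecked("alice", "CatalogB"));
        System.out.println("checked   alice -> A   = " + viewChecked("alice", "CatalogA"));
        System.out.println("update    carol -> A   = " + updateChecked("carol", "CatalogA"));
        System.out.println("update    carol -> B   = " + updateChecked("carol", "CatalogB"));
    }
}
```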