Author: byersa
Date: Tue Jan 23 12:48:35 2007
New Revision: 499124

URL: http://svn.apache.org/viewvc?view=rev&rev=499124
Log:
ContentServices.xml setContentStatus does not use content role based security. 
It only tests whether or not a user has CONTENTMGR_CREATE/ADMIN privileges. 
I have added a call to the checkContentPermission service. 
This fix may not be in line with new security scheme, but it will serve as a 
good place to evaluate how it would be done in the new scheme.

Modified:
    
ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml

Modified: 
ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml?view=diff&rev=499124&r1=499123&r2=499124
==============================================================================
--- 
ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml
 (original)
+++ 
ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml
 Tue Jan 23 12:48:35 2007
@@ -19,21 +19,34 @@
         
xsi:noNamespaceSchemaLocation="http://www.ofbiz.org/dtds/simple-methods.xsd";>
 
     <simple-method method-name="setContentStatus" short-description="Set The 
Content Status">
-        <check-permission permission="CONTENTMGR" action="_CREATE">
-            <fail-message message="Security Error: to change the Content 
Status you must have the CONTENTMGR_CREATE or CONTENTMGR_ADMIN 
permission"/></check-permission>
-        <check-errors/>
-        
+    
         <entity-one entity-name="Content" value-name="content"/>
         <field-to-result field-name="content.statusId" 
result-name="oldStatusId"/>
+   
+        <!-- Test with content permission checking service -->
+        <set field="mapIn.targetOperationList[]" value="CONTENT_UPDATE"/>
+        <set field="mapIn.currentContent" from-field="content"/>
+        <set field="mapIn.userLogin" from-field="parameters.userLogin"/>
+               <call-service service-name="checkContentPermission" 
in-map-name="mapIn">
+                       <result-to-field result-name="permissionStatus" 
field-name="permissionStatus"/>
+               </call-service>
+       
+               <if-compare operator="not-equals" field-name="permissionStatus" 
value="granted">
+               <check-permission permission="CONTENTMGR" action="_CREATE">
+                   <fail-message message="Security Error: to change the 
Content Status you must have the CONTENTMGR_CREATE or CONTENTMGR_ADMIN 
permission"/>
+               </check-permission>
+               <check-errors/>
         
-        <if-compare-field field-name="content.statusId" operator="not-equals" 
to-field-name="parameters.statusId">
+       </if-compare>
+         
+       <if-compare-field field-name="content.statusId" operator="not-equals" 
to-field-name="parameters.statusId">
             <entity-one entity-name="StatusValidChange" 
value-name="statusChange" auto-field-map="false">
                 <field-map field-name="statusId" env-name="content.statusId"/>
                 <field-map field-name="statusIdTo" 
env-name="parameters.statusId"/>
             </entity-one>
             
             <if-empty field-name="statusChange">
-                <add-error><fail-message message="Status is not a valid 
change"/></add-error>
+                <add-error><fail-message message="Cannot change from 
${content.statusId} to ${parameters.statusId}"/></add-error>
                 <log level="error" message="Cannot change from 
${content.statusId} to ${parameters.statusId}"/>
                 <check-errors/>
                 <else>
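Review bot: The call to checkContentPermission on lines 49–53 runs with `mapIn.currentContent` unset whenever the `entity-one` on line 41 finds no Content row, and nothing in the hunk rejects a missing record; the flow then reaches the StatusValidChange lookup with a null `content.statusId` and only fails with the "Cannot change from  to …" message. The old code had the same gap, but now the lookup result drives the authorization decision, so I would add `<if-empty field-name="content"><add-error><fail-message message="Content not found: ${parameters.contentId}"/></add-error></if-empty>` followed by `<check-errors/>` directly after line 41 so neither the permission service nor the status check ever sees a null content. The `not-equals "granted"` comparison on lines 55–56 does fail closed when the service returns no `permissionStatus`, which is the right default, but the fail-message on lines 58–60 still says only CONTENTMGR_CREATE or CONTENTMGR_ADMIN qualifies, so it should be reworded to say that a content-role grant via checkContentPermission also suffices. The new lines 49–66 also indent with tabs while the rest of the method uses spaces.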

