From: Bruno Busco <[EMAIL PROTECTED]>
Subject: Re: Discussion: Permissions Checking Enhancement
To: dev@ofbiz.apache.org
Date: Saturday, November 29, 2008, 10:30 AM
Hi Adrian,
I am thinking to something similar to what you proposed in
this thread.
What I would like to do is to simplify the UI to users who
should not
perform some operations.
For instance, in the catalog application, when looking to
the EditProduct
screen, I would like that the following tabmenus:
Geos, IDs, Keywords, Associations, Manufacturing, Costs,
Attributes,
Agreements, Accounts, Maintenance, Meters, Workefforts
should not be visible to standard users while they should
be visible to
admin.
I am thinking to implement several permissions (may be some
are already
there) and to check for them in the menu items.
What do you think?
Did you implement something about it?
Thank you,
-Bruno
2008/6/6 Adrian Crum <[EMAIL PROTECTED]>
Correct.
Bruno Busco wrote:
Thank you,
it make sense; so a CREATE permission check will
be sufficient for the
CREATE button rendering.
-Bruno
2008/6/6 Adrian Crum <[EMAIL PROTECTED]>:
The pattern used so far is that the ADMIN
permission is checked first,
then
the other permissions. So if a user has the
ADMIN permission, they don't
need the additional permissions.
I'll probably have all of the permissions
Map elements set to true if the
user has the ADMIN permission.
-Adrian
Bruno Busco wrote:
Adrian,
may be a newbie question but...
...in the example you give what will
happen if a user has the ADMIN
permission but not the CREATE one?
Will the Create New button be rendered?
In other words who is responsible for the
permission hierarchy ?
In order to display the CREATE button,
should a user be given with the
CREATE permission explicitly or the ADMIN
is sufficient?
Thank you
-Bruno
2008/6/6 Adrian Crum
<[EMAIL PROTECTED]>:
I'll work on it this weekend.
-Adrian
Ashish Vijaywargiya wrote:
+1
Adrian I liked your idea.
On Thu, Jun 5, 2008 at 12:46 AM,
Sumit Pandit <
[EMAIL PROTECTED]>
wrote:
+1
--
Sumit Pandit
On Jun 5, 2008, at 3:04 AM,
Jacques Le Roux wrote:
Yes this sounds good to me
too
Jacques
From: "Bruno
Busco" <[EMAIL PROTECTED]>
Wonderfull !!!!
Looking forward to having
it !!! ;-)
This will let me also
define a more granular permissions to
simplify
the
interface for
not-so-skilled users.
-Bruno
2008/6/4 Adrian Crum
<[EMAIL PROTECTED]>:
In the screen
widgets, you can check permissions with the
<if-has-permission> or <if-service-permission>
elements. That's
fine
if
you
only need to check
a single permission to control access to the
entire
screen.
Things get
complicated when a screen's elements are controlled by
more
than
one permission.
Let's say you have a typical Edit Item screen. The
screen
should be viewable
only to users who have the VIEW permission.
Users
who
have the UPDATE
permission can edit the item. Users who have the
CREATE
permission see a
"New Item" button. Users who have DELETE
permission
see
a
"Delete
Item" button. Users who have the ADMIN permission have
unrestricted
access to the
screen. Wow. Five permission elements (and five
service
calls)
are needed to
control one screen.
Here's my
idea: have a permission service that returns ALL of the
user's
permissions in a
Map. You call the service with the permission to
check
-
"ACCOUNTING" for example. The service returns a
Map containing all
of
the
user's
ACCOUNTING permissions stored as Boolean objects. Let's
say
the
returned Map is
called permissionsMap and the user has
ACCOUNTING_VIEW
and
ACCOUNTING_UPDATE
permissions, then the Map would contain these
elements:
CREATE=false
UPDATE=true
DELETE=false
VIEW=true
ADMIN=false
If the service
call is put in the screen's <actions> element,
then
the
Map
elements could be
used to control the display of screen widget
sections,
menu items, and
form fields.
Freemarker code
would be simpler too:
<#if
permissionsMap.CREATE>
<!-- Render a
Create New button -->
</#if>
<#if
permissionsMap.DELETE>
<!-- Render a
Delete button -->
</#if>
What do you think?
-Adrian