[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852456#action_12852456 ]
David E. Jones commented on OFBIZ-3632:
---------------------------------------
A better solution to this right now would be to use the permission-service tag
and implement it in a simple-method or Java. Either way, we've been trying to
move away from definitions tied too closely to service definitions and
implementations both. Having a separate permission service helps a little with
this, but the external declarative permissions are the real way to go (just not
easy to implement, especially the way OFBiz is currently architected, and even
tougher since discussions about it haven't been very productive; it seems like
it's hard for some people to understand the point of things like run-time call
chain inheritance of permissions as opposed to location-based inheritance of
permissions).
If the point is to try to save a couple of lines of code... I guess that would
make sense only if this is something you'll be doing dozens or hundreds of
times.
> Extending the service model to specify more complex permissions using
> permission service
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-3632
> URL: https://issues.apache.org/jira/browse/OFBIZ-3632
> Project: OFBiz
> Issue Type: Improvement
> Components: framework, product
> Reporter: Vikas Mayur
> Priority: Minor
> Fix For: SVN trunk
>
> Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one
> permission service. I have extended the <required-permissions> tag to
> specify more than one permission service by doing an AND/OR operation.
> For instance the following code in service definition
> {code}
> <required-permissions join-type="AND">
>     <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
>     <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
>     <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
>     <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
>     <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
>     <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
>     <alt-permission permission="FACILITY" action="_UPDATE"/>
>     <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is
> defined in the service definition.
> EDITS: Added missing ending {code} tag for the last code snippet
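
The AND/OR joining described in the issue above, modelled as a stand-alone added example; it is not OFBiz code and not taken from permission.patch. The SERVICE_BASE map, the function names, and the deny-by-default handling of an empty block, a missing main-action or an unknown join-type are assumptions of this example; the `<ACTION>`-or-ADMIN rule follows the fail messages quoted in the issue.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the AND block quoted in the issue description.
SAMPLE_AND = """
<required-permissions join-type="AND">
    <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
    <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
</required-permissions>
"""

# Assumption: maps each permission service to the base permission it checks.
SERVICE_BASE = {"facilityGenericPermission": "FACILITY"}


def service_grants(service_name, main_action, user_perms):
    """Model of one permission service: <BASE>_<ACTION> or <BASE>_ADMIN passes."""
    base = SERVICE_BASE.get(service_name)
    if base is None or not main_action:
        return False  # unknown service or missing action: deny
    return f"{base}_{main_action}" in user_perms or f"{base}_ADMIN" in user_perms


def evaluate(xml_text, user_perms):
    """Return True only if the joined permission services allow the call."""
    root = ET.fromstring(xml_text)
    if root.tag != "required-permissions":
        return False
    join = root.get("join-type")
    checks = root.findall("permission-service")
    if join not in ("AND", "OR") or not checks:
        # all([]) is True, so an empty AND block would otherwise allow everyone.
        return False
    results = [
        service_grants(c.get("service-name"), c.get("main-action"), user_perms)
        for c in checks
    ]
    return all(results) if join == "AND" else any(results)


if __name__ == "__main__":
    sample_or = SAMPLE_AND.replace('"AND"', '"OR"')
    for perms in ({"FACILITY_CREATE"}, {"FACILITY_CREATE", "FACILITY_UPDATE"},
                  {"FACILITY_ADMIN"}, set()):
        print(sorted(perms), "AND:", evaluate(SAMPLE_AND, perms),
              "OR:", evaluate(sample_or, perms))
```
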