On Oct 7, 2006, at 7:43 AM, Chris Howe wrote:
In addition, methods with createEntityName, updateEntityName and deleteEntityName should not check permissions. Rather, simple methods that check permission should then call the service (or the simple method directly if there is a performance difference).
This is not how it's currently done, and I really don't want to make any changes that would go in this direction. Doing this would make it very hard to approach something like centrally managed permissions. Permission and security checks should be an integral part of all service implementations.
In OFBiz, with the service-oriented architecture, which is used as a replacement and not a supplement to an object-oriented architecture on the business level, each service is responsible for its own security and I think it is important that it stay that way. I don't want to build any holes into the system... especially not as part of a best practices recommendation.
-David
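
The two layouts discussed in this exchange, as an added illustration that is not part of the original message and is not OFBiz code. The dispatcher, the service names and the `NOTE_CREATE` permission are hypothetical; the model assumes any registered service can be invoked by name by any caller.

```python
# Toy model of a service engine; hypothetical names, not the OFBiz API.
class PermissionDenied(Exception):
    pass

class Dispatcher:
    """Any caller (screen, remote client, another service) invokes by name."""
    def __init__(self):
        self.services = {}
        self.notes = []          # stands in for the entity store

    def register(self, name, fn):
        self.services[name] = fn

    def run_sync(self, name, user, **ctx):
        return self.services[name](self, user, **ctx)

def require(user, permission):
    if permission not in user.get("permissions", ()):
        raise PermissionDenied(permission)

# Layout proposed in the quoted message: the CRUD service checks nothing...
def create_note_unchecked(d, user, text):
    d.notes.append(text)
    return "created"

# ...and a separate method checks permission, then calls it.
def create_note_wrapper(d, user, text):
    require(user, "NOTE_CREATE")
    return d.run_sync("createNoteUnchecked", user, text=text)

# Layout argued for in the reply: the service enforces its own check.
def create_note(d, user, text):
    require(user, "NOTE_CREATE")
    d.notes.append(text)
    return "created"

def build_dispatcher():
    d = Dispatcher()
    d.register("createNoteUnchecked", create_note_unchecked)
    d.register("createNoteWrapper", create_note_wrapper)
    d.register("createNote", create_note)
    return d

def attempt(d, name, user, text):
    """Return the service result, or 'denied' if a permission check fails."""
    try:
        return d.run_sync(name, user, text=text)
    except PermissionDenied:
        return "denied"
```

With the check inside the service, every path through the dispatcher is covered; with the check only in the wrapper, the unchecked service remains callable by name.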
