--- David E Jones <[EMAIL PROTECTED]> wrote:
> In OFBiz with the service oriented architecture, which is used as a
> replacement and not a supplement to an object oriented architecture
> on the business level, each service is responsible for its own
> security and I think it is important that it stay that way. I don't
> want to build any holes into the system... especially not as part of
> a best practices recommendation.
>
> -David

As long as one can make/create make/store and make/remove, the 'security hole' is there anyway. If the project were to commit to what I'm suggesting, it would allow a developer to make their custom installment more secure as they could enforce security permissions on create/update/delete services that are not currently requiring permissions. In addition, if one wanted to relax the permission check, one would be able to do it by simply writing a service with the same name (secureCreateEntity, secureUpdateEntity, secureDeleteEntity) and pointing to the insecure method. This would prevent the developer from having to rewrite the method. IMO one should not be forced to adopt the security structure of the community in order to reuse its code and that's what this suggestion would allow.
