David,

You said "service implementations" and it threw me because all checks that I had seen were done in the simple-method implementation. I just noticed an implementation of a security check in the service definition (accounting/servicedef/services_ledger#createAcctgTrans).

Would you be opposed to an effort to remove the security checks from the methods and move the security check to the service that calls the method? This would accomplish my suggestion.

--- David E Jones <[EMAIL PROTECTED]> wrote:

> On Oct 7, 2006, at 7:43 AM, Chris Howe wrote:
>
> > In addition, methods with createEntityName,
> > updateEntityName and deleteEntityName should not check
> > permissions. Rather simple methods that check
> > permission should then call the service (or the simple
> > method directly if there is a performance difference).
>
> This is not how it's currently done, and I really don't want to make
> any changes that would go in this direction. Doing this would make it
> very hard to approach something like centrally managed permissions.
> Permission and security checks should be an integral part of all
> service implementations.
>
> In OFBiz with the service oriented architecture, which is used as a
> replacement and not a supplement to an object oriented architecture
> on the business level, each service is responsible for its own
> security and I think it is important that it stay that way. I don't
> want to build any holes into the system... especially not as part of
> a best practices recommendation.
>
> -David
