[ http://issues.apache.org/jira/browse/OFBIZ-455?page=comments#action_12449817 ]

Adrian Crum commented on OFBIZ-455:
-----------------------------------

Eriks,

I agree with continuing the discussion here.

Just to be sure others who read this fully understand what is being proposed, let me recap:

We're trying to develop a simple set of services to tie a logged-in user to a subset of data - called an Organization Context. If you read this Wiki page:

http://ofbizwiki.go-integral.com/Wiki.jsp?page=SecurityAdministration

David Jones mentions Category #2 security. That is what we're trying to implement.

Category #2 security has been partially implemented by Si Chen in the accounting apps. Whatever work is done here needs to "mesh" with Si's existing work.

FYI - User Security Overview
--------------------------------------
Use an application - controlled by existing security permissions
Create/Edit/Delete data on a page - controlled by existing security permissions
Access only subsets of data - implemented in some apps, not others
(Proposed) Access only subsets of data - controlled by Organization Context

Here is an additional thought I have: Organization Context should be invisible to OFBiz's existing apps. In other words, whatever is submitted here should not break any existing code and it shouldn't introduce anything new to the user unless an administrator switches the feature "on."

Regarding storing the current organization context in the session: I think you misunderstood what I was trying to say. I'll demonstrate the problem with an example:

An OFBiz user has permission to log into two Organization Contexts - ABC Company and XYZ Company. He starts a browser and logs into ABC Company. The ABC Company context is stored in that browser's session. A little while later he starts up a second browser and it comes up as logged into ABC Company because his current selection is stored in the DB. Then in the second browser he switches over to XYZ company. The XYZ Company context is stored in that browser's session. When he returns to the first browser, it will still think he's logged into ABC Company because it has a separate session - and ABC Company is stored in that session. That will confuse the user. Trust me - it's a problem we experienced here and I had to come up with a solution to it.

We can put the currently selected context in the session, but the session will have to be updated with every page request.

As far as submitting patches that limit access to data - I'm not sure that is needed in OFBiz out-of-the-box. I'm thinking it would be better suited as an unused feature that is available to people who customize OFBiz (a "tool"). Perhaps we could load the Party Manager with a little POC data to demonstrate how it is used.

> Selecting active organization party
> -----------------------------------
>
> Key: OFBIZ-455
> URL: http://issues.apache.org/jira/browse/OFBIZ-455
> Project: OFBiz (The Open for Business Project)
> Issue Type: New Feature
> Reporter: Eriks Dobelis
> Attachments: activeOrgParty.diff, selectingOrganizationalContext.jpg
>
>
> Idea is to provide possibility to select active organization party id, which
> then could be used:
> 1) to provide default in different components (e.g. in creating invoices,
> payments, accounting transactions, etc.);
> 2) in implementation of OFBIZ-118, i.e. to show or hide data based on the
> active organization;
> 3) to improve current Accounting/Companies/Admin so that organizationPartyId
> is remembered throughout the session (if not changed).
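
The two-browser scenario from the comment above, modelled as an added example that is not part of the original message and is not OFBiz code. `ContextStore`, `BrowserSession`, the `orgContext` attribute and the user name are hypothetical; the permission re-check on read is an assumption added here so that a revoked context is not served from a stale session.

```python
# Constructed model of the scenario in the comment; all names are hypothetical.

class ContextStore:
    """Stands in for the database: permitted contexts and current selection per user."""
    def __init__(self, permitted):
        self.permitted = permitted      # user -> set of permitted Organization Contexts
        self.selected = {}              # user -> currently selected context

    def select(self, user, org):
        # The permission check happens server-side on every switch.
        if org not in self.permitted.get(user, set()):
            raise PermissionError(f"{user} may not use context {org!r}")
        self.selected[user] = org

    def current(self, user):
        org = self.selected.get(user)
        # Assumption: re-check on read, so a revoked context yields None.
        return org if org in self.permitted.get(user, set()) else None


class BrowserSession:
    """One browser's server-side session for a logged-in user."""
    def __init__(self, store, user):
        self.store, self.user = store, user
        # Copied from the stored selection once, when the session starts.
        self.attrs = {"orgContext": store.current(user)}

    def switch(self, org):
        self.store.select(self.user, org)
        self.attrs["orgContext"] = org

    def request_cached(self):
        # Trusts whatever this session last stored: the stale behaviour.
        return self.attrs["orgContext"]

    def request_refreshed(self):
        # Session is updated from the store on every page request.
        self.attrs["orgContext"] = self.store.current(self.user)
        return self.attrs["orgContext"]


def demo():
    store = ContextStore({"user1": {"ABC Company", "XYZ Company"}})
    first = BrowserSession(store, "user1")
    first.switch("ABC Company")
    second = BrowserSession(store, "user1")    # comes up as ABC Company
    second.switch("XYZ Company")
    # First browser: stale cached value, then the per-request refresh.
    return first.request_cached(), first.request_refreshed(), second.request_cached()
```
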
