My bad, the question should rather be: is the two-part permissions approach deprecated?

On 16 June 2015 at 13:43, Brad Smith <[email protected]> wrote:

> Hi all,
>
> I am currently running through Apache OFBiz Development: The Beginner's
> Tutorial by Howell and Wong.
>
> I have my dev environment setup in IntelliJ and so far the examples have
> all more-or-less worked. I am up to Chapter 11, Permissions and the Service
> Engine and have hit some issues.
>
> The example setup in the "learning" component is as follows:
>
> ${component:learning}\servicedef\services.xml
> ---------------------------------------------
>
> <service name="learningCallingServiceOneWithPermission" engine="java"
>         location="org.ofbiz.learning.learning.LearningServices"
>         invoke="callingServiceOne">
>     <description>First Service Called From The Controller</description>
>     <required-permissions join-type="OR">
>         <check-permission permission="LEARN_VIEW"/>
>     </required-permissions>
>     <implements service="learningInterface"/>
> </service>
>
> ${webapp:learning}\WEB-INF\controller.xml
> -----------------------------------------
>
> <request-map uri="TestPermissions">
>     <security auth="true" https="true"/>
>     <response name="success" type="view"
>             value="TestCallingServicesWithPermission"/>
>     <response name="error" type="view" value="login"/>
> </request-map>
> <request-map uri="TestCallingServicesWithPermission">
>     <security auth="true" https="true"/>
>     <event type="service" invoke="learningCallingServiceOneWithPermission"/>
>     <response name="success" type="view"
>             value="TestCallingServicesWithPermission"/>
>     <response name="error" type="view"
>             value="TestCallingServicesWithPermission"/>
> </request-map>
>
> and
>
> <view-map name="TestCallingServicesWithPermission" type="screen"
>         page="component://learning/widget/learning/LearningScreens.xml#TestCallingServicesWithPermission"/>
>
> ${component:learning}\widget\learning\LearningScreens.xml
> ---------------------------------------------------------
>
> <screen name="TestFirstService">
>     <section>
>         <widgets>
>             <section>
>                 <condition><if-empty field-name="formTarget"/></condition>
>                 <actions>
>                     <set field="formTarget" value="TestFirstService"/>
>                     <set field="title" value="Testing Our First Service"/>
>                 </actions>
>                 <widgets/>
>             </section>
>             <decorator-screen name="main-decorator"
>                     location="${parameters.mainDecoratorLocation}">
>                 <decorator-section name="body">
>                     <include-form name="TestingServices"
>                             location="component://learning/widget/learning/LearningForms.xml"/>
>                     <label text="Full Name: ${parameters.fullName}"/>
>                 </decorator-section>
>             </decorator-screen>
>         </widgets>
>     </section>
> </screen>
> ...
> <screen name="TestCallingServicesWithPermission">
>     <section>
>         <actions><set field="formTarget"
>                 value="TestCallingServicesWithPermission"/>
>         </actions>
>         <widgets>
>             <include-screen name="TestFirstService"/>
>         </widgets>
>     </section>
> </screen>
>
> ${component:learning}\widget\learning\LearningForms.xml
> -------------------------------------------------------
>
> <form name="TestingServices" type="single" target="${formTarget}">
>     <field name="firstName"><text/></field>
>     <field name="lastName"><text/></field>
>     <field name="planetId"><text/></field>
>     <field name="submit"><submit/></field>
> </form>
>
> With regards to permissions, I have them set up as follows as per Chapter
> 9:
>
> User     Security Group  SecurityPermission  User/Security Group From Date  User/Security Group Thru Date
> -------------------------------------------------------------------------------------------------------
> allowed  LEARNSCREENS    LEARN_VIEW          2015-06-15 19:34:15.832        NULL
> denied   LEARNSCREENS    LEARN_VIEW          2015-06-13 18:57:44.724        2015-06-13 18:57:44.724
> "        LEARNSCREENS    LEARN_VIEW          2015-06-13 18:57:44.000        2015-06-13 19:33:47.000
>
> Under the above configuration, the permissions checks work as advertised,
> and "allowed" is able to call the service while "denied" is not.
>
> The next section of the chapter talks about two-part permissions, and
> makes the following changes to the configuration. Apparently, OFBiz is
> supposed to interpret the underscore in permission attribute as some sort
> of tokenising character, where the first token "LEARN" becomes the
> permission, and the second part "VIEW" becomes an action. This seems
> "loose" to me but nevertheless.
>
> ${component:learning}\servicedef\services.xml
> ---------------------------------------------
>
> <check-permission permission="LEARN_VIEW"/>
>
> becomes
>
> <check-permission permission="LEARN" action="VIEW"/>
>
> According to the text, the authorisation behaviour should remain exactly
> the same. In other words, the check-permission elements are equivalent. But
> this is not the case. Under the modified configuration, neither "allowed"
> nor "denied" are able to call the service. I also don't see a "LEARN" item
> in the SecurityPermission entity anywhere, so I don't see how this should
> work in the first place.
>
> Is this tokenised approach deprecated? Or is there something else going on?
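
Added example, not part of either message and not OFBiz code: a small Python model of the one-part and two-part checks, run over the rows from the table quoted above. It assumes the two-part form looks up `permission + "_ADMIN"` or `permission + action` with no separator inserted between the parts; that is an assumption about OFBiz which the thread does not confirm, and all function names are hypothetical.

```python
from datetime import datetime

# Rows transcribed from the table in the message; the ditto mark in the
# third row is read as user "denied" (assumption).
GROUP_PERMISSIONS = {"LEARNSCREENS": {"LEARN_VIEW"}}
MEMBERSHIPS = [  # (user, group, from_date, thru_date)
    ("allowed", "LEARNSCREENS", datetime(2015, 6, 15, 19, 34, 15, 832000), None),
    ("denied", "LEARNSCREENS", datetime(2015, 6, 13, 18, 57, 44, 724000),
     datetime(2015, 6, 13, 18, 57, 44, 724000)),
    ("denied", "LEARNSCREENS", datetime(2015, 6, 13, 18, 57, 44),
     datetime(2015, 6, 13, 19, 33, 47)),
]
NOW = datetime(2015, 6, 16, 13, 43)  # constructed: date of the reply


def active_groups(user, now):
    """Groups whose from/thru window contains `now` (thru NULL = open-ended)."""
    return {group for u, group, start, end in MEMBERSHIPS
            if u == user and start <= now and (end is None or now < end)}


def has_permission(user, permission_id, now):
    """One-part check: exact permission id held by any active group."""
    return any(permission_id in GROUP_PERMISSIONS.get(group, set())
               for group in active_groups(user, now))


def has_entity_permission(user, entity, action, now):
    """Two-part check. ASSUMED: plain concatenation, no underscore added."""
    return (has_permission(user, entity + "_ADMIN", now)
            or has_permission(user, entity + action, now))


def check_permission(user, permission, action=None, now=NOW):
    """Hypothetical model of <check-permission permission=".." action=".."/>."""
    if action:
        return has_entity_permission(user, permission, action, now)
    return has_permission(user, permission, now)


if __name__ == "__main__":
    for user in ("allowed", "denied"):
        print(user,
              check_permission(user, "LEARN_VIEW"),
              check_permission(user, "LEARN", "VIEW"),
              check_permission(user, "LEARN", "_VIEW"))
```

Under that assumption, `action="VIEW"` resolves to `LEARNVIEW`, which no group holds, so both users are refused, while `action="_VIEW"` resolves to `LEARN_VIEW` and restores the one-part result.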
