Merci! I will have a bash at it again when I get home tonight. Don't be too hard on yourself. I am notorious for being thorough and annoying because of it. :) I am sure I pay for my sins in other ways... :p

Will let you know how I get on.

On 18 June 2015 at 05:42, Jacques Le Roux <[email protected]> wrote:

> On 16/06/2015 13:49, Brad Smith wrote:
>
>> My bad, the question should rather be, is two-part permissions approach
>> deprecated?
>
> Actually no, it's still usable, look for "check-permission" at
> https://cwiki.apache.org/confluence/display/OFBADMIN/Mini+Language+-+minilang+-+simple-method+-+Reference
> Note that to effectively work it needs to be followed by a
> <check-permission> as explained here
> http://markmail.org/message/dnlrev5pnj7brhfm
>
> As a reviewer of this book, I'm embarrassed to say it, but after 8 years
> you clearly found a typo, the underscore is missing. As looking for
> examples in OFBiz shows, it should be
> <check-permission permission="LEARN" action="_VIEW"/>
>
> If you are interested in more details about OFBiz Security Permissions the
> reference so far is
> https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Security+Permissions
> that I completely rewrote last year.
>
> Jacques
>
>> On 16 June 2015 at 13:43, Brad Smith <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I am currently running through Apache OFBiz Development: The Beginner's
>>> Tutorial by Howell and Wong.
>>>
>>> I have my dev environment set up in IntelliJ and so far the examples have
>>> all more-or-less worked. I am up to Chapter 11, Permissions and the
>>> Service Engine and have hit some issues.
>>>
>>> The example setup in the "learning" component is as follows:
>>>
>>> ${component:learning}\servicedef\services.xml
>>> ---------------------------------------------
>>>
>>> <service name="learningCallingServiceOneWithPermission" engine="java"
>>>     location="org.ofbiz.learning.learning.LearningServices"
>>>     invoke="callingServiceOne">
>>>   <description>First Service Called From The Controller</description>
>>>   <required-permissions join-type="OR">
>>>     <check-permission permission="LEARN_VIEW"/>
>>>   </required-permissions>
>>>   <implements service="learningInterface"/>
>>> </service>
>>>
>>> ${webapp:learning}\WEB-INF\controller.xml
>>> -----------------------------------------
>>>
>>> <request-map uri="TestPermissions">
>>>   <security auth="true" https="true"/>
>>>   <response name="success" type="view" value="TestCallingServicesWithPermission"/>
>>>   <response name="error" type="view" value="login"/>
>>> </request-map>
>>> <request-map uri="TestCallingServicesWithPermission">
>>>   <security auth="true" https="true"/>
>>>   <event type="service" invoke="learningCallingServiceOneWithPermission"/>
>>>   <response name="success" type="view" value="TestCallingServicesWithPermission"/>
>>>   <response name="error" type="view" value="TestCallingServicesWithPermission"/>
>>> </request-map>
>>>
>>> and
>>>
>>> <view-map name="TestCallingServicesWithPermission" type="screen"
>>>     page="component://learning/widget/learning/LearningScreens.xml#TestCallingServicesWithPermission"/>
>>>
>>> ${component:learning}\widget\learning\LearningScreens.xml
>>> ---------------------------------------------------------
>>>
>>> <screen name="TestFirstService">
>>>   <section>
>>>     <widgets>
>>>       <section>
>>>         <condition><if-empty field-name="formTarget"/></condition>
>>>         <actions>
>>>           <set field="formTarget" value="TestFirstService"/>
>>>           <set field="title" value="Testing Our First Service"/>
>>>         </actions>
>>>         <widgets/>
>>>       </section>
>>>       <decorator-screen name="main-decorator" location="${parameters.mainDecoratorLocation}">
>>>         <decorator-section name="body">
>>>           <include-form name="TestingServices" location="component://learning/widget/learning/LearningForms.xml"/>
>>>           <label text="Full Name: ${parameters.fullName}"/>
>>>         </decorator-section>
>>>       </decorator-screen>
>>>     </widgets>
>>>   </section>
>>> </screen>
>>> ...
>>> <screen name="TestCallingServicesWithPermission">
>>>   <section>
>>>     <actions><set field="formTarget" value="TestCallingServicesWithPermission"/>
>>>     </actions>
>>>     <widgets>
>>>       <include-screen name="TestFirstService"/>
>>>     </widgets>
>>>   </section>
>>> </screen>
>>>
>>> ${component:learning}\widget\learning\LearningForms.xml
>>> -------------------------------------------------------
>>>
>>> <form name="TestingServices" type="single" target="${formTarget}">
>>>   <field name="firstName"><text/></field>
>>>   <field name="lastName"><text/></field>
>>>   <field name="planetId"><text/></field>
>>>   <field name="submit"><submit/></field>
>>> </form>
>>>
>>> With regards to permissions, I have them set up as follows as per Chapter
>>> 9:
>>>
>>> User     Security Group  SecurityPermission  User/Security Group From Date  User/Security Group Thru Date
>>> -------  --------------  ------------------  -----------------------------  -----------------------------
>>> allowed  LEARNSCREENS    LEARN_VIEW          2015-06-15 19:34:15.832        NULL
>>> denied   LEARNSCREENS    LEARN_VIEW          2015-06-13 18:57:44.724        2015-06-13 18:57:44.724
>>> "        LEARNSCREENS    LEARN_VIEW          2015-06-13 18:57:44.000        2015-06-13 19:33:47.000
>>>
>>> Under the above configuration, the permissions checks work as advertised,
>>> and "allowed" is able to call the service while "denied" is not.
>>>
>>> The next section of the chapter talks about two-part permissions, and
>>> makes the following changes to the configuration. Apparently, OFBiz is
>>> supposed to interpret the underscore in permission attribute as some sort
>>> of tokenising character, where the first token "LEARN" becomes the
>>> permission, and the second part "VIEW" becomes an action. This seems
>>> "loose" to me but nevertheless.
>>>
>>> ${component:learning}\servicedef\services.xml
>>> ---------------------------------------------
>>>
>>> <check-permission permission="LEARN_VIEW"/>
>>>
>>> becomes
>>>
>>> <check-permission permission="LEARN" action="VIEW"/>
>>>
>>> According to the text, the authorisation behaviour should remain exactly
>>> the same. In other words, the check-permission elements are equivalent.
>>> But this is not the case. Under the modified configuration, neither
>>> "allowed" nor "denied" are able to call the service. I also don't see a
>>> "LEARN" item in the SecurityPermission entity anywhere, so I don't see
>>> how this should work in the first place.
>>>
>>> Is this tokenised approach deprecated? Or is there something else going
>>> on?
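
Added example, not part of the thread and not OFBiz code: a small Python model of the two-part check, showing why `permission="LEARN" action="VIEW"` denies both users while `action="_VIEW"` restores the original behaviour. It assumes the looked-up permission name is the `permission` and `action` strings joined with no separator (which is what the corrected `action="_VIEW"` implies) and that a group membership counts only inside its from/thru window; the function names and the `NOW` timestamp are hypothetical.

```python
from datetime import datetime

# Constructed data mirroring the table in the quoted post (fractional seconds
# dropped). The third row's ditto mark is read as "denied" (assumption).
# thru=None means the membership has no end date.
USER_GROUPS = [
    ("allowed", "LEARNSCREENS", datetime(2015, 6, 15, 19, 34, 15), None),
    ("denied", "LEARNSCREENS", datetime(2015, 6, 13, 18, 57, 44), datetime(2015, 6, 13, 18, 57, 44)),
    ("denied", "LEARNSCREENS", datetime(2015, 6, 13, 18, 57, 44), datetime(2015, 6, 13, 19, 33, 47)),
]
GROUP_PERMISSIONS = {"LEARNSCREENS": {"LEARN_VIEW"}}
NOW = datetime(2015, 6, 16, 13, 43)  # constructed: time of the original post


def active_groups(user, now=NOW):
    """Security groups whose from/thru window contains `now`."""
    return {
        group
        for u, group, from_date, thru_date in USER_GROUPS
        if u == user and from_date <= now and (thru_date is None or now < thru_date)
    }


def has_permission(user, permission, action="", now=NOW):
    """Model of the check: the name looked up is permission + action,
    joined with no separator (assumption implied by the reply's fix)."""
    wanted = permission + action
    return any(wanted in GROUP_PERMISSIONS.get(g, set()) for g in active_groups(user, now))


def explain(permission, action=""):
    """Return the composed permission name and the outcome for each user."""
    outcome = {u: has_permission(u, permission, action) for u in ("allowed", "denied")}
    return permission + action, outcome


if __name__ == "__main__":
    for args in [("LEARN_VIEW",), ("LEARN", "VIEW"), ("LEARN", "_VIEW")]:
        print(args, "->", explain(*args))
```

The book's form composes `LEARNVIEW`, which no security group holds, so the check fails closed for everyone; "denied" stays denied in every form because both of that user's memberships have expired.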
