It's almost definitely my fault over Jacques ;)

On 18 June 2015 at 11:57, Brad Smith <[email protected]> wrote:

> Merci!
>
> I will have a bash at it again when I get home tonight. Don't be too hard
> on yourself. I am notorious for being thorough and annoying because of it.
> :) I am sure I pay for my sins in other ways... :p
>
> Will let you know how I get on.
>
> On 18 June 2015 at 05:42, Jacques Le Roux <[email protected]>
> wrote:
>
> > On 16/06/2015 13:49, Brad Smith wrote:
> >
> >> My bad, the question should rather be, is two-part permissions approach
> >> deprecated?
> >>
> >
> > Actually no, it's still usable, look for "check-permission" at
> > https://cwiki.apache.org/confluence/display/OFBADMIN/Mini+Language+-+minilang+-+simple-method+-+Reference
> > Note that to effectively work it needs to be followed by a
> > <check-permission> as explained here
> > http://markmail.org/message/dnlrev5pnj7brhfm
> >
> > As a reviewer of this book, I'm embarrassed to say it, but after 8 years
> > you clearly found a typo, the underscore is missing. As looking for
> > examples in OFBiz shows, it should be
> > <check-permission permission="LEARN" action="_VIEW"/>
> >
> > If you are interested in more details about OFBiz Security Permissions the
> > reference so far is
> > https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Security+Permissions
> > that I completely rewrote last year.
> >
> > Jacques
> >
> >> On 16 June 2015 at 13:43, Brad Smith <[email protected]> wrote:
> >>
> >>> Hi all,
> >>>
> >>> I am currently running through Apache OFBiz Development: The Beginner's
> >>> Tutorial by Howell and Wong.
> >>>
> >>> I have my dev environment set up in IntelliJ and so far the examples have
> >>> all more-or-less worked. I am up to Chapter 11, Permissions and the
> >>> Service Engine and have hit some issues.
> >>>
> >>> The example setup in the "learning" component is as follows:
> >>>
> >>> ${component:learning}\servicedef\services.xml
> >>> ---------------------------------------------
> >>>
> >>> <service name="learningCallingServiceOneWithPermission" engine="java"
> >>>     location="org.ofbiz.learning.learning.LearningServices"
> >>>     invoke="callingServiceOne">
> >>>   <description>First Service Called From The Controller</description>
> >>>   <required-permissions join-type="OR">
> >>>     <check-permission permission="LEARN_VIEW"/>
> >>>   </required-permissions>
> >>>   <implements service="learningInterface"/>
> >>> </service>
> >>>
> >>> ${webapp:learning}\WEB-INF\controller.xml
> >>> -----------------------------------------
> >>>
> >>> <request-map uri="TestPermissions">
> >>>   <security auth="true" https="true"/>
> >>>   <response name="success" type="view"
> >>>       value="TestCallingServicesWithPermission"/>
> >>>   <response name="error" type="view" value="login"/>
> >>> </request-map>
> >>> <request-map uri="TestCallingServicesWithPermission">
> >>>   <security auth="true" https="true"/>
> >>>   <event type="service" invoke="learningCallingServiceOneWithPermission"/>
> >>>   <response name="success" type="view"
> >>>       value="TestCallingServicesWithPermission"/>
> >>>   <response name="error" type="view"
> >>>       value="TestCallingServicesWithPermission"/>
> >>> </request-map>
> >>>
> >>> and
> >>>
> >>> <view-map name="TestCallingServicesWithPermission" type="screen"
> >>>     page="component://learning/widget/learning/LearningScreens.xml#TestCallingServicesWithPermission"/>
> >>>
> >>> ${component:learning}\widget\learning\LearningScreens.xml
> >>> ---------------------------------------------------------
> >>>
> >>> <screen name="TestFirstService">
> >>>   <section>
> >>>     <widgets>
> >>>       <section>
> >>>         <condition><if-empty field-name="formTarget"/></condition>
> >>>         <actions>
> >>>           <set field="formTarget" value="TestFirstService"/>
> >>>           <set field="title" value="Testing Our First Service"/>
> >>>         </actions>
> >>>         <widgets/>
> >>>       </section>
> >>>       <decorator-screen name="main-decorator"
> >>>           location="${parameters.mainDecoratorLocation}">
> >>>         <decorator-section name="body">
> >>>           <include-form name="TestingServices"
> >>>               location="component://learning/widget/learning/LearningForms.xml"/>
> >>>           <label text="Full Name: ${parameters.fullName}"/>
> >>>         </decorator-section>
> >>>       </decorator-screen>
> >>>     </widgets>
> >>>   </section>
> >>> </screen>
> >>> ...
> >>> <screen name="TestCallingServicesWithPermission">
> >>>   <section>
> >>>     <actions>
> >>>       <set field="formTarget" value="TestCallingServicesWithPermission"/>
> >>>     </actions>
> >>>     <widgets>
> >>>       <include-screen name="TestFirstService"/>
> >>>     </widgets>
> >>>   </section>
> >>> </screen>
> >>>
> >>> ${component:learning}\widget\learning\LearningForms.xml
> >>> -------------------------------------------------------
> >>>
> >>> <form name="TestingServices" type="single" target="${formTarget}">
> >>>   <field name="firstName"><text/></field>
> >>>   <field name="lastName"><text/></field>
> >>>   <field name="planetId"><text/></field>
> >>>   <field name="submit"><submit/></field>
> >>> </form>
> >>>
> >>> With regards to permissions, I have them set up as follows as per Chapter
> >>> 9:
> >>>
> >>> User     Security Group  SecurityPermission  User/Security Group From Date  User/Security Group Thru Date
> >>> -------  --------------  ------------------  -----------------------------  -----------------------------
> >>> allowed  LEARNSCREENS    LEARN_VIEW          2015-06-15 19:34:15.832        NULL
> >>> denied   LEARNSCREENS    LEARN_VIEW          2015-06-13 18:57:44.724        2015-06-13 18:57:44.724
> >>> "        LEARNSCREENS    LEARN_VIEW          2015-06-13 18:57:44.000        2015-06-13 19:33:47.000
> >>>
> >>> Under the above configuration, the permissions checks work as advertised,
> >>> and "allowed" is able to call the service while "denied" is not.
> >>>
> >>> The next section of the chapter talks about two-part permissions, and
> >>> makes the following changes to the configuration. Apparently, OFBiz is
> >>> supposed to interpret the underscore in permission attribute as some sort
> >>> of tokenising character, where the first token "LEARN" becomes the
> >>> permission, and the second part "VIEW" becomes an action. This seems
> >>> "loose" to me but nevertheless.
> >>>
> >>> ${component:learning}\servicedef\services.xml
> >>> ---------------------------------------------
> >>>
> >>> <check-permission permission="LEARN_VIEW"/>
> >>>
> >>> becomes
> >>>
> >>> <check-permission permission="LEARN" action="VIEW"/>
> >>>
> >>> According to the text, the authorisation behaviour should remain exactly
> >>> the same. In other words, the check-permission elements are equivalent.
> >>> But this is not the case. Under the modified configuration, neither
> >>> "allowed" nor "denied" are able to call the service. I also don't see a
> >>> "LEARN" item in the SecurityPermission entity anywhere, so I don't see how
> >>> this should work in the first place.
> >>>
> >>> Is this tokenised approach deprecated? Or is there something else going
> >>> on?

--
Rupert Howell
Provolve Ltd
Front Office, Deale House, 16 Lavant Street, Petersfield, GU32 3EW, UK
t: 01730 267868 / m: 079 0968 5308
e: [email protected]
w: http://www.provolve.com
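
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not OFBiz source code: a simplified Python model showing why the book's `action="VIEW"` denies every user while Jacques' `action="_VIEW"` behaves like the one-part `LEARN_VIEW` check. It assumes, consistent with that correction, that `permission` and `action` are joined with no separator and that a `<permission>_ADMIN` grant also satisfies the two-part form; `GRANTS`, `candidate_ids`, `service_allowed` and `wrap` are hypothetical names, and the grant rows are constructed from the table in the original question.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed grants mirroring the thread's table: user, permission, from, thru.
GRANTS = [
    ("allowed", "LEARN_VIEW", "2015-06-15 19:34:15", None),
    ("denied", "LEARN_VIEW", "2015-06-13 18:57:44", "2015-06-13 18:57:44"),
    ("denied", "LEARN_VIEW", "2015-06-13 18:57:44", "2015-06-13 19:33:47"),
]
FMT = "%Y-%m-%d %H:%M:%S"


def active_permissions(user, now):
    """Permissions whose from/thru window contains `now`."""
    held = set()
    for who, perm, start, end in GRANTS:
        if who != user or datetime.strptime(start, FMT) > now:
            continue
        if end is None or datetime.strptime(end, FMT) > now:
            held.add(perm)
    return held


def candidate_ids(check):
    """Permission IDs one <check-permission> can match (assumed model)."""
    perm, action = check.get("permission"), check.get("action")
    if not action:
        return [perm]  # one-part form: the exact ID must be granted
    # Two-part form: plain concatenation, no separator is inserted.
    return [perm + "_ADMIN", perm + action]


def service_allowed(required_xml, user, now):
    """Evaluate a <required-permissions> block for `user` at time `now`."""
    root = ET.fromstring(required_xml)
    held = active_permissions(user, now)
    results = [any(i in held for i in candidate_ids(c))
               for c in root.findall("check-permission")]
    if not results:
        return False  # nothing to evaluate: this model fails closed
    return all(results) if root.get("join-type") == "AND" else any(results)


def wrap(check):
    return '<required-permissions join-type="OR">%s</required-permissions>' % check


NOW = datetime(2015, 6, 16, 13, 43)  # time of the original question
ONE_PART = wrap('<check-permission permission="LEARN_VIEW"/>')
BOOK = wrap('<check-permission permission="LEARN" action="VIEW"/>')
FIXED = wrap('<check-permission permission="LEARN" action="_VIEW"/>')
```

With the book's form the lookup is for `LEARNVIEW` or `LEARN_ADMIN`, neither of which is granted, so the check fails closed for both users rather than granting extra access.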
