Just define where alternate permissions are acceptable and add those cases to
the permission checking services.
The new permission-service stuff in the service engine (see the example entity
for examples ;) ) makes this easier.
You can extend the base permission service using ECA rules on the permission
service used by the service you want to reuse. Just have it run your permission
service after the main one IFF the main one results in an error (failed
permission check), and make sure your ECA rule has it put its results in the
context if your security scenario succeeds, and off you go...
-David
Adrian Crum wrote:
I noticed that the Asset Maint component requires the OFBTOOLS base
permission to use the component. So, I added that permission to a test
user login. The Asset Maint component appears for that user login. When
I try to perform any work, I get permissions errors because the Asset
Maint component calls services in other components - which have their
own sets of permissions.
Updating a maintenance produced this error message:
"Security Error: to run updateFixedAssetMaint you must have the
ACCOUNTING_UPDATE or ACCOUNTING_ADMIN permission, or the limited
ACCOUNTING_ROLE_UPDATE permission calling service updateFixedAssetMaint
in updateFixedAssetMaintAndWorkEffort"
The ACCOUNTING_ROLE_UPDATE permission doesn't exist. I added it manually
to the test user login. After logging out and back in, I still get the
same error message. I added the ACCOUNTING_UPDATE permission to the user
login, and I was able to update a maintenance. Problem is, that gives me
permission to update other things in Accounting..
This is the same type of problem I ran into with Forums - the Forum
feature calls Content Manager services which require Content Manager
permissions.
I've suggested separating business logic from permissions checking logic
in the past, but that got a mixed response. I could do that with the
FixedAssetServices.xml file - move the embedded permissions checking to
a separate service (using the new permissions checking capability).
Any thoughts?
-Adrian