David,
I have the Fixed Asset permission checking extended as you described. It was
incredibly easy.
One problem though - when the user doesn't have the required permission, the fail message that is
displayed is from the original service, not the one invoked by the ECA. Any ideas for that?
-Adrian
David E Jones wrote:
Just define where alternate permissions are acceptable and add those
cases to the permission checking services.
The new permission-service stuff in the service engine (see the example
entity for examples ;) ) makes this easier.
You can extend the base permission service using ECA rules on the
permission service used by the service you want to reuse. Just have it
run your permission service after the main one IFF the main one results
in an error (failed permission check), and make sure your ECA rule has
it put its results in the context if your security scenario succeeds,
and off you go...
-David
Adrian Crum wrote:
I noticed that the Asset Maint component requires the OFBTOOLS base
permission to use the component. So, I added that permission to a test
user login. The Asset Maint component appears for that user login.
When I try to perform any work, I get permissions errors because the
Asset Maint component calls services in other components - which have
their own sets of permissions.
Updating a maintenance produced this error message:
"Security Error: to run updateFixedAssetMaint you must have the
ACCOUNTING_UPDATE or ACCOUNTING_ADMIN permission, or the limited
ACCOUNTING_ROLE_UPDATE permission calling service
updateFixedAssetMaint in updateFixedAssetMaintAndWorkEffort"
The ACCOUNTING_ROLE_UPDATE permission doesn't exist. I added it
manually to the test user login. After logging out and back in, I
still get the same error message. I added the ACCOUNTING_UPDATE
permission to the user login, and I was able to update a maintenance.
Problem is, that gives me permission to update other things in
Accounting..
This is the same type of problem I ran into with Forums - the Forum
feature calls Content Manager services which require Content Manager
permissions.
I've suggested separating business logic from permissions checking
logic in the past, but that got a mixed response. I could do that with
the FixedAssetServices.xml file - move the embedded permissions
checking to a separate service (using the new permissions checking
capability).
Any thoughts?
-Adrian