On 09/07/2018 at 19:43, nig...@gmail.com wrote:
Currently, we can define a request-map which invokes a Java method, like the following
example:
<request-map uri="searchAddToCategory">
    <security https="true" auth="true"/>
    <event type="java" path="org.ofbiz.product.product.ProductSearchEvents"
           invoke="searchAddToCategory"/>
    <response name="success" type="view" value="keywordsearch"/>
    <response name="error" type="view" value="keywordsearch"/>
</request-map>
The security element just checks whether the user is signed in or not. If you want to add a
permission check, you will have to keep adding code inside the Java method. And if the
developer forgets, it opens up a security hole.
Actually it's not a security hole as in a CVE, just a permission hole ;)
We can do a security check on views, but that is too late, in the sense that the code is
already executed inside the method.
In our code we have already added the following additional attributes, which check
permissions before the code is executed.
<request-map uri="searchAddToCategory">
    <security https="true" auth="true">
        <condition>
            <if-has-permission permission="XYZ" action="_CREATE"/>
        </condition>
    </security>
    <event type="java" path="org.ofbiz.product.product.ProductSearchEvents"
           invoke="searchAddToCategory"/>
    <response name="success" type="view" value="keywordsearch"/>
    <response name="error" type="view" value="keywordsearch"/>
</request-map>
I have a patch for this. I am wondering whether we would like to add it as part of the
feature, or does anyone have a better idea for handling this?
That's interesting, I recommend creating a Jira and attaching a patch.
This should help you:
https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices
Thanks
Jacques
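To make the point of the thread concrete (the permission check must run before the event code, not at view rendering time), here is an added, self-contained Python example. It is not OFBiz code and not the patch discussed above: it parses a controller fragment modelled on the request-map shown in the thread, evaluates the proposed <condition>/<if-has-permission> element before invoking the event, and records every denial in an audit log. The permission convention it applies ("XYZ_ADMIN" grants every action, otherwise the exact "XYZ_CREATE" string must be held), the "login" view used for unauthenticated requests, the users, and the stand-in event handler are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed controller fragment, modelled on the request-map in the thread.
# The <condition>/<if-has-permission> child of <security> is the proposed extension.
CONTROLLER_XML = """
<site-conf>
  <request-map uri="searchAddToCategory">
    <security https="true" auth="true">
      <condition>
        <if-has-permission permission="XYZ" action="_CREATE"/>
      </condition>
    </security>
    <event type="java" path="org.ofbiz.product.product.ProductSearchEvents"
           invoke="searchAddToCategory"/>
    <response name="success" type="view" value="keywordsearch"/>
    <response name="error" type="view" value="keywordsearch"/>
  </request-map>
</site-conf>
"""


class AuthRequired(Exception):
    """Request needs a signed-in user (security auth="true")."""


class PermissionDenied(Exception):
    """Signed-in user lacks a permission declared in <condition>."""


def has_entity_permission(user_permissions, permission, action):
    """Entity-permission convention assumed for this example: '<permission>_ADMIN'
    grants every action, otherwise the exact '<permission><action>' string is required."""
    return (f"{permission}_ADMIN" in user_permissions
            or f"{permission}{action}" in user_permissions)


def check_security(security, user):
    """Evaluate the <security> element for a user before any event code runs."""
    if security is None:
        return
    if security.get("auth") == "true" and user is None:
        raise AuthRequired("sign-in required")
    condition = security.find("condition")
    if condition is None:
        return
    for req in condition.findall("if-has-permission"):
        permission = req.get("permission")
        action = req.get("action", "")
        if not has_entity_permission(user["permissions"], permission, action):
            raise PermissionDenied(f"{permission}{action}")


def dispatch(controller_xml, uri, user, event_handlers, audit_log):
    """Resolve a request-map, run its security checks, and only then invoke the event.
    Returns (outcome, view) with outcome one of 'ok', 'auth-required', 'denied'.
    Denials are appended to audit_log so an operator can see who attempted what."""
    root = ET.fromstring(controller_xml)
    request_map = root.find(f"request-map[@uri='{uri}']")
    if request_map is None:
        raise KeyError(uri)
    try:
        check_security(request_map.find("security"), user)
    except AuthRequired:
        return "auth-required", "login"          # assumed login view name
    except PermissionDenied as exc:
        audit_log.append(f"DENIED uri={uri} user={user['userLoginId']} needs={exc}")
        return "denied", request_map.find("response[@name='error']").get("value")
    event = request_map.find("event")
    result = event_handlers[event.get("invoke")](user)   # "success" or "error"
    view = request_map.find(f"response[@name='{result}']").get("value")
    return "ok", view


# Constructed users and a stand-in for the Java event so the example runs offline.
EVENT_CALLS = []


def search_add_to_category(user):
    """Stand-in for ProductSearchEvents.searchAddToCategory; records that it ran."""
    EVENT_CALLS.append(user["userLoginId"])
    return "success"


HANDLERS = {"searchAddToCategory": search_add_to_category}
ADMIN = {"userLoginId": "admin", "permissions": {"XYZ_ADMIN"}}
EDITOR = {"userLoginId": "editor", "permissions": {"XYZ_CREATE"}}
VIEWER = {"userLoginId": "viewer", "permissions": {"XYZ_VIEW"}}


if __name__ == "__main__":
    audit = []
    for user in (None, VIEWER, EDITOR, ADMIN):
        print(dispatch(CONTROLLER_XML, "searchAddToCategory", user, HANDLERS, audit))
    print("audit:", audit)
    print("event ran for:", EVENT_CALLS)
```

The thing to check after running it is EVENT_CALLS: the viewer, who only holds XYZ_VIEW, never reaches the event handler, and the denial shows up in the audit log instead. Because the check lives in the controller rather than in each Java method, a handler author cannot forget it, which is exactly the gap the proposal closes.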