Bruno, I never got around to implementing that idea. I would still like to work on it though.
-Adrian --- On Sat, 11/29/08, Bruno Busco <[EMAIL PROTECTED]> wrote: > From: Bruno Busco <[EMAIL PROTECTED]> > Subject: Re: Discussion: Permissions Checking Enhancement > To: dev@ofbiz.apache.org > Date: Saturday, November 29, 2008, 10:30 AM > Hi Adrian, > I am thinking to something similar to what you proposed in > this thread. > What I would like to do is to simplify the UI to users who > should not > perform some operations. > > For instance, in the catalog application, when looking to > the EditProduct > screen, I would like that the following tabmenus: > Geos, IDs, Keywords, Associations, Manufacturing, Costs, > Attributes, > Agreements, Accounts, Maintenance, Meters, Workefforts > > should not be visible to standard users while they should > be visible to > admin. > > I am thinking to implement several permissions (may be some > are already > there) and to check for them in the menu items. > What do you think? > Did you implement something about it? > > Thank you, > -Bruno > > 2008/6/6 Adrian Crum <[EMAIL PROTECTED]> > > > Correct. > > > > > > Bruno Busco wrote: > > > >> Thank you, > >> it make sense; so a CREATE permission check will > be sufficient for the > >> CREATE button rendering. > >> -Bruno > >> > >> 2008/6/6 Adrian Crum <[EMAIL PROTECTED]>: > >> > >> The pattern used so far is that the ADMIN > permission is checked first, > >>> then > >>> the other permissions. So if a user has the > ADMIN permission, they don't > >>> need the additional permissions. > >>> > >>> I'll probably have all of the permissions > Map elements set to true if the > >>> user has the ADMIN permission. > >>> > >>> -Adrian > >>> > >>> > >>> Bruno Busco wrote: > >>> > >>> Adrian, > >>>> may be a newbie question but... > >>>> ...in the example you give what will > happen if a user has the ADMIN > >>>> permission but not the CREATE one? > >>>> Will the Create New button be rendered? > >>>> > >>>> In other words who is responsible for the > permission hierarchy ? > >>>> In order to display the CREATE button, > should a user be given with the > >>>> CREATE permission explicitly or the ADMIN > is sufficient? > >>>> > >>>> Thank you > >>>> -Bruno > >>>> > >>>> > >>>> > >>>> 2008/6/6 Adrian Crum > <[EMAIL PROTECTED]>: > >>>> > >>>> I'll work on it this weekend. > >>>> > >>>>> -Adrian > >>>>> > >>>>> > >>>>> Ashish Vijaywargiya wrote: > >>>>> > >>>>> +1 > >>>>> > >>>>>> Adrian I liked your idea. > >>>>>> > >>>>>> On Thu, Jun 5, 2008 at 12:46 AM, > Sumit Pandit < > >>>>>> [EMAIL PROTECTED]> > >>>>>> wrote: > >>>>>> > >>>>>> +1 > >>>>>> > >>>>>> -- > >>>>>>> Sumit Pandit > >>>>>>> > >>>>>>> > >>>>>>> On Jun 5, 2008, at 3:04 AM, > Jacques Le Roux wrote: > >>>>>>> > >>>>>>> Yes this sounds good to me > too > >>>>>>> > >>>>>>> Jacques > >>>>>>> > >>>>>>>> From: "Bruno > Busco" <[EMAIL PROTECTED]> > >>>>>>>> > >>>>>>>> Wonderfull !!!! > >>>>>>>> > >>>>>>>> Looking forward to having > it !!! ;-) > >>>>>>>>> This will let me also > define a more granular permissions to > >>>>>>>>> simplify > >>>>>>>>> the > >>>>>>>>> interface for > not-so-skilled users. > >>>>>>>>> -Bruno > >>>>>>>>> 2008/6/4 Adrian Crum > <[EMAIL PROTECTED]>: > >>>>>>>>> > >>>>>>>>> In the screen > widgets, you can check permissions with the > >>>>>>>>> > >>>>>>>>> > <if-has-permission> or <if-service-permission> > elements. That's > >>>>>>>>>> fine > >>>>>>>>>> if > >>>>>>>>>> you > >>>>>>>>>> only need to check > a single permission to control access to the > >>>>>>>>>> entire > >>>>>>>>>> screen. > >>>>>>>>>> > >>>>>>>>>> Things get > complicated when a screen's elements are controlled by > >>>>>>>>>> more > >>>>>>>>>> than > >>>>>>>>>> one permission. > Let's say you have a typical Edit Item screen. The > >>>>>>>>>> screen > >>>>>>>>>> should be viewable > only to users who have the VIEW permission. > >>>>>>>>>> Users > >>>>>>>>>> who > >>>>>>>>>> have the UPDATE > permission can edit the item. Users who have the > >>>>>>>>>> CREATE > >>>>>>>>>> permission see a > "New Item" button. Users who have DELETE > >>>>>>>>>> permission > >>>>>>>>>> see > >>>>>>>>>> a > >>>>>>>>>> "Delete > Item" button. Users who have the ADMIN permission have > >>>>>>>>>> unrestricted > >>>>>>>>>> access to the > screen. Wow. Five permission elements (and five > >>>>>>>>>> service > >>>>>>>>>> calls) > >>>>>>>>>> are needed to > control one screen. > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> Here's my > idea: have a permission service that returns ALL of the > >>>>>>>>>> user's > >>>>>>>>>> permissions in a > Map. You call the service with the permission to > >>>>>>>>>> check > >>>>>>>>>> - > >>>>>>>>>> > "ACCOUNTING" for example. The service returns a > Map containing all > >>>>>>>>>> of > >>>>>>>>>> the > >>>>>>>>>> user's > ACCOUNTING permissions stored as Boolean objects. Let's > say > >>>>>>>>>> the > >>>>>>>>>> returned Map is > called permissionsMap and the user has > >>>>>>>>>> ACCOUNTING_VIEW > >>>>>>>>>> and > >>>>>>>>>> ACCOUNTING_UPDATE > permissions, then the Map would contain these > >>>>>>>>>> elements: > >>>>>>>>>> > >>>>>>>>>> CREATE=false > >>>>>>>>>> UPDATE=true > >>>>>>>>>> DELETE=false > >>>>>>>>>> VIEW=true > >>>>>>>>>> ADMIN=false > >>>>>>>>>> > >>>>>>>>>> If the service > call is put in the screen's <actions> element, > then > >>>>>>>>>> the > >>>>>>>>>> Map > >>>>>>>>>> elements could be > used to control the display of screen widget > >>>>>>>>>> sections, > >>>>>>>>>> menu items, and > form fields. > >>>>>>>>>> > >>>>>>>>>> Freemarker code > would be simpler too: > >>>>>>>>>> > >>>>>>>>>> <#if > permissionsMap.CREATE> > >>>>>>>>>> <!-- Render a > Create New button --> > >>>>>>>>>> </#if> > >>>>>>>>>> <#if > permissionsMap.DELETE> > >>>>>>>>>> <!-- Render a > Delete button --> > >>>>>>>>>> </#if> > >>>>>>>>>> > >>>>>>>>>> What do you think? > >>>>>>>>>> > >>>>>>>>>> -Adrian > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> > >>