Bruno,
I never got around to implementing that idea. I would still like to work on it
though.
-Adrian
--- On Sat, 11/29/08, Bruno Busco <[EMAIL PROTECTED]> wrote:
> From: Bruno Busco <[EMAIL PROTECTED]>
> Subject: Re: Discussion: Permissions Checking Enhancement
> To: dev@ofbiz.apache.org
> Date: Saturday, November 29, 2008, 10:30 AM
> Hi Adrian,
> I am thinking to something similar to what you proposed in
> this thread.
> What I would like to do is to simplify the UI to users who
> should not
> perform some operations.
>
> For instance, in the catalog application, when looking to
> the EditProduct
> screen, I would like that the following tabmenus:
> Geos, IDs, Keywords, Associations, Manufacturing, Costs,
> Attributes,
> Agreements, Accounts, Maintenance, Meters, Workefforts
>
> should not be visible to standard users while they should
> be visible to
> admin.
>
> I am thinking to implement several permissions (may be some
> are already
> there) and to check for them in the menu items.
> What do you think?
> Did you implement something about it?
>
> Thank you,
> -Bruno
>
> 2008/6/6 Adrian Crum <[EMAIL PROTECTED]>
>
> > Correct.
> >
> >
> > Bruno Busco wrote:
> >
> >> Thank you,
> >> it make sense; so a CREATE permission check will
> be sufficient for the
> >> CREATE button rendering.
> >> -Bruno
> >>
> >> 2008/6/6 Adrian Crum <[EMAIL PROTECTED]>:
> >>
> >> The pattern used so far is that the ADMIN
> permission is checked first,
> >>> then
> >>> the other permissions. So if a user has the
> ADMIN permission, they don't
> >>> need the additional permissions.
> >>>
> >>> I'll probably have all of the permissions
> Map elements set to true if the
> >>> user has the ADMIN permission.
> >>>
> >>> -Adrian
> >>>
> >>>
> >>> Bruno Busco wrote:
> >>>
> >>> Adrian,
> >>>> may be a newbie question but...
> >>>> ...in the example you give what will
> happen if a user has the ADMIN
> >>>> permission but not the CREATE one?
> >>>> Will the Create New button be rendered?
> >>>>
> >>>> In other words who is responsible for the
> permission hierarchy ?
> >>>> In order to display the CREATE button,
> should a user be given with the
> >>>> CREATE permission explicitly or the ADMIN
> is sufficient?
> >>>>
> >>>> Thank you
> >>>> -Bruno
> >>>>
> >>>>
> >>>>
> >>>> 2008/6/6 Adrian Crum
> <[EMAIL PROTECTED]>:
> >>>>
> >>>> I'll work on it this weekend.
> >>>>
> >>>>> -Adrian
> >>>>>
> >>>>>
> >>>>> Ashish Vijaywargiya wrote:
> >>>>>
> >>>>> +1
> >>>>>
> >>>>>> Adrian I liked your idea.
> >>>>>>
> >>>>>> On Thu, Jun 5, 2008 at 12:46 AM,
> Sumit Pandit <
> >>>>>> [EMAIL PROTECTED]>
> >>>>>> wrote:
> >>>>>>
> >>>>>> +1
> >>>>>>
> >>>>>> --
> >>>>>>> Sumit Pandit
> >>>>>>>
> >>>>>>>
> >>>>>>> On Jun 5, 2008, at 3:04 AM,
> Jacques Le Roux wrote:
> >>>>>>>
> >>>>>>> Yes this sounds good to me
> too
> >>>>>>>
> >>>>>>> Jacques
> >>>>>>>
> >>>>>>>> From: "Bruno
> Busco" <[EMAIL PROTECTED]>
> >>>>>>>>
> >>>>>>>> Wonderfull !!!!
> >>>>>>>>
> >>>>>>>> Looking forward to having
> it !!! ;-)
> >>>>>>>>> This will let me also
> define a more granular permissions to
> >>>>>>>>> simplify
> >>>>>>>>> the
> >>>>>>>>> interface for
> not-so-skilled users.
> >>>>>>>>> -Bruno
> >>>>>>>>> 2008/6/4 Adrian Crum
> <[EMAIL PROTECTED]>:
> >>>>>>>>>
> >>>>>>>>> In the screen
> widgets, you can check permissions with the
> >>>>>>>>>
> >>>>>>>>>
> <if-has-permission> or <if-service-permission>
> elements. That's
> >>>>>>>>>> fine
> >>>>>>>>>> if
> >>>>>>>>>> you
> >>>>>>>>>> only need to check
> a single permission to control access to the
> >>>>>>>>>> entire
> >>>>>>>>>> screen.
> >>>>>>>>>>
> >>>>>>>>>> Things get
> complicated when a screen's elements are controlled by
> >>>>>>>>>> more
> >>>>>>>>>> than
> >>>>>>>>>> one permission.
> Let's say you have a typical Edit Item screen. The
> >>>>>>>>>> screen
> >>>>>>>>>> should be viewable
> only to users who have the VIEW permission.
> >>>>>>>>>> Users
> >>>>>>>>>> who
> >>>>>>>>>> have the UPDATE
> permission can edit the item. Users who have the
> >>>>>>>>>> CREATE
> >>>>>>>>>> permission see a
> "New Item" button. Users who have DELETE
> >>>>>>>>>> permission
> >>>>>>>>>> see
> >>>>>>>>>> a
> >>>>>>>>>> "Delete
> Item" button. Users who have the ADMIN permission have
> >>>>>>>>>> unrestricted
> >>>>>>>>>> access to the
> screen. Wow. Five permission elements (and five
> >>>>>>>>>> service
> >>>>>>>>>> calls)
> >>>>>>>>>> are needed to
> control one screen.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Here's my
> idea: have a permission service that returns ALL of the
> >>>>>>>>>> user's
> >>>>>>>>>> permissions in a
> Map. You call the service with the permission to
> >>>>>>>>>> check
> >>>>>>>>>> -
> >>>>>>>>>>
> "ACCOUNTING" for example. The service returns a
> Map containing all
> >>>>>>>>>> of
> >>>>>>>>>> the
> >>>>>>>>>> user's
> ACCOUNTING permissions stored as Boolean objects. Let's
> say
> >>>>>>>>>> the
> >>>>>>>>>> returned Map is
> called permissionsMap and the user has
> >>>>>>>>>> ACCOUNTING_VIEW
> >>>>>>>>>> and
> >>>>>>>>>> ACCOUNTING_UPDATE
> permissions, then the Map would contain these
> >>>>>>>>>> elements:
> >>>>>>>>>>
> >>>>>>>>>> CREATE=false
> >>>>>>>>>> UPDATE=true
> >>>>>>>>>> DELETE=false
> >>>>>>>>>> VIEW=true
> >>>>>>>>>> ADMIN=false
> >>>>>>>>>>
> >>>>>>>>>> If the service
> call is put in the screen's <actions> element,
> then
> >>>>>>>>>> the
> >>>>>>>>>> Map
> >>>>>>>>>> elements could be
> used to control the display of screen widget
> >>>>>>>>>> sections,
> >>>>>>>>>> menu items, and
> form fields.
> >>>>>>>>>>
> >>>>>>>>>> Freemarker code
> would be simpler too:
> >>>>>>>>>>
> >>>>>>>>>> <#if
> permissionsMap.CREATE>
> >>>>>>>>>> <!-- Render a
> Create New button -->
> >>>>>>>>>> </#if>
> >>>>>>>>>> <#if
> permissionsMap.DELETE>
> >>>>>>>>>> <!-- Render a
> Delete button -->
> >>>>>>>>>> </#if>
> >>>>>>>>>>
> >>>>>>>>>> What do you think?
> >>>>>>>>>>
> >>>>>>>>>> -Adrian
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>
