[ https://issues.apache.org/jira/browse/OFBIZ-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852449#action_12852449 ]
Vikas Mayur commented on OFBIZ-3632:
------------------------------------

Hi Adrian,

Sorry, I did not closely follow the commits to this branch on the new security design. Is there any alternative way (or better way) to achieve the same solution as proposed in the patch?

The reason I am asking this is because (assuming this is implemented in a far better way in the new security implementation) I have no idea when this branch will be merged with trunk and the code is usable, and this solution is required in one of my projects, where a user can run certain processes without necessarily having the component-specific permission by using the eca's rule to override the component-specific permission (similar to the implementation in the assetmaint component).

The eca's rule solution works fine until there is only one permission service included in the service def. With the submitted patch it will be possible to override permission checking for a given number of permission services.

> Extending the service model to specify more complex permissions using permission service
> ----------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-3632
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3632
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework, product
>            Reporter: Vikas Mayur
>            Priority: Minor
>             Fix For: SVN trunk
>
>         Attachments: permission.patch
>
>
> At present <permission-service> in the service definition allows only one permission service. I have extended the <required-permissions> tag to specify more than one permission service by doing an AND/OR operation.
> For instance the following code in the service definition
> {code}
> <required-permissions join-type="AND">
>     <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
>     <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace the following code in the service implementation.
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
>     <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_CREATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-permission permission="FACILITY" action="_UPDATE">
>     <fail-message message="Security Error: to run setShipmentSettingsFromPrimaryOrder you must have the FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> {code}
> Similarly the code
> {code}
> <required-permissions join-type="OR">
>     <permission-service service-name="facilityGenericPermission" main-action="CREATE"/>
>     <permission-service service-name="facilityGenericPermission" main-action="UPDATE"/>
> </required-permissions>
> {code}
> will replace
> {code}
> <check-permission permission="FACILITY" action="_CREATE">
>     <alt-permission permission="FACILITY" action="_UPDATE"/>
>     <fail-message message="Security Error: to run createShipmentItem you must have the FACILITY_CREATE, FACILITY_UPDATE or FACILITY_ADMIN permission"/>
> </check-permission>
> <check-errors/>
> {code}
> The patch also contains additional changes where the permission service is defined in the service definition.
> EDITS: Added missing ending \{code\} tag for the last code snippet

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.