Thanks for the reply Scott.
Your reply makes a lot of sense.

https://cwiki.apache.org/confluence/display/OFBTECH/OFBiz+security gives a
brief description of role-based security.  When looking at the suggested
code of OrderService.hasPermission() and
ProductEvents.checkStoreCustomerRole(), OrderService.OrderServices() makes
use of the role type and relationship related to PartyRoles and
PartyRelationships and ProductEvents.checkStoreCustomerRole() only
references the ProductStoreRole entity.

My conclusion is that a service defined below would make little sense since
the specified role is not qualified by a relationship, unless it is
expanded to include a from-role-type, to-role-type, relationship-type or
something like it related to a party or a partygroup.  I guess that is why
<check-role-member role-type=...> is never used anywhere in the code to
date.

<service name="someservice" ...>
    <required-permissions join-type="OR">
        <check-role-member role-type="SOMEPARTYROLE" />
    </required-permissions>
</service>

Since ModelPermission.evalRoleMember() deals with role type checks of
PartyRoles, it might be a good idea to remove it to avoid future confusion. 
The same would apply to the <check-role-member role-type...> tag, unless I'm
missing some other uses for it.

Thanks,
Wai
-- 
View this message in context: 
http://ofbiz.135035.n4.nabble.com/Role-based-security-is-disabled-tp2319089p2323381.html
Sent from the OFBiz - Dev mailing list archive at Nabble.com.
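
Added example, not part of the message above and not OFBiz code: a simplified in-memory model contrasting a role-only check with one qualified by a relationship to the target party. The party ids, role names, relationship type and function names are all constructed assumptions.

```python
from dataclasses import dataclass

# Simplified model for illustration; constructed data, not OFBiz entities or APIs.
@dataclass(frozen=True)
class PartyRole:
    party_id: str
    role_type: str

@dataclass(frozen=True)
class PartyRelationship:
    party_from: str   # party (or party group) being acted on
    party_to: str     # party performing the action
    role_from: str
    role_to: str
    rel_type: str

PARTY_ROLES = {
    PartyRole("alice", "ACCOUNT_MANAGER"),
    PartyRole("bob", "ACCOUNT_MANAGER"),
}
RELATIONSHIPS = {
    PartyRelationship("acme", "alice", "CUSTOMER", "ACCOUNT_MANAGER", "MANAGED_BY"),
    PartyRelationship("globex", "bob", "CUSTOMER", "ACCOUNT_MANAGER", "MANAGED_BY"),
}

def role_only(party_id, target_party, role_type="ACCOUNT_MANAGER"):
    """Unqualified check: passes for anyone holding the role; the target is ignored."""
    return PartyRole(party_id, role_type) in PARTY_ROLES

def relationship_qualified(party_id, target_party, role_from="CUSTOMER",
                           role_to="ACCOUNT_MANAGER", rel_type="MANAGED_BY"):
    """Qualified check: the role must be held and tied to the target by a relationship."""
    rel = PartyRelationship(target_party, party_id, role_from, role_to, rel_type)
    return PartyRole(party_id, role_to) in PARTY_ROLES and rel in RELATIONSHIPS

def authorized_parties(check, target_party):
    """List every party the given check would let act on target_party."""
    return sorted(r.party_id for r in PARTY_ROLES if check(r.party_id, target_party))

if __name__ == "__main__":
    for check in (role_only, relationship_qualified):
        print(check.__name__, "acme ->", authorized_parties(check, "acme"))
```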
