I like to think of it more as process-driven permission vs artifact
driven permissions, because the permission string is defined to
match a specific process. Other than that I think we finally agreed on
something.. Ha! :)
On May 4, 2009, at 1:55 AM, Adrian Crum wrote:
--- On Sun,
I don't see us agreeing on anything. I'm saying each artifact is responsible
for its own security. You're saying security is defined by a process.
If you were to view a collection of artifacts - each responsible for its own
security - defining some kind of process-driven security, then that
[
https://issues.apache.org/jira/browse/OFBIZ-2418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David E. Jones closed OFBIZ-2418.
-
Resolution: Fixed
This should be fixed now, with SVN rev 771193 in the trunk and 771196 in the
Hi Hans,
Thanks for doing this. Btw, all the files under framework/resources/
templates do not contain any license header. I think this is again
done on purpose. You might be interested in looking at the original
jira issue for this work at
I think these files are pretty questionable: it fails xml validation,
have no headers and no message, this this intended.
On Mon, 2009-05-04 at 15:13 +0530, Vikas Mayur wrote:
Hi Hans,
Thanks for doing this. Btw, all the files under framework/resources/
templates do not contain any
[
https://issues.apache.org/jira/browse/OFBIZ-2360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=1270#action_1270
]
Deyan commented on OFBIZ-2360:
--
Suggested fix:
+1 - Scott's comment for improving xsd to allow 0 or more instead of 1
or more.
--
Ashish
Scott Gray wrote:
Oh about the xml validation error, I've noticed that before as well
and I wonder if we shouldn't just alter the xsds to allow 0 or more
forms, screens, services or whatever instead of
[
https://issues.apache.org/jira/browse/OFBIZ-245?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marco Risaliti closed OFBIZ-245.
Resolution: Fixed
Fix Version/s: SVN trunk
I have tested the new CyberSource 5.2 version and
I don't think a license header is required on a file that contains
virtually nothing, also the message you've added would only serve to
confuse any newcomers who make use of the tool. A readme file in the
directory might be better.
Regards
Scott
On 4/05/2009, at 9:54 PM, Hans Bakker
Not to get in the middle of this as to be honest I don't know enough for most
of this thread to make sense but when I saw this article
http://www.readwriteweb.com/archives/mcafee_enabling_malware_distribution_and_fraud.php
it made me remember why everyone should be passionate about security
[
https://issues.apache.org/jira/browse/OFBIZ-1034?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marco Risaliti closed OFBIZ-1034.
-
Resolution: Fixed
Fix Version/s: SVN trunk
After the BigDecimal re-factory those methods
Error finding xml ressource during Contact/Lead Creation in SFA
---
Key: OFBIZ-2419
URL: https://issues.apache.org/jira/browse/OFBIZ-2419
Project: OFBiz
Issue Type: Bug
Affects
[
https://issues.apache.org/jira/browse/OFBIZ-2419?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gil Portenseigne updated OFBIZ-2419:
Attachment: PartySimpleMethods.patch
Error finding xml ressource during Contact/Lead
[
https://issues.apache.org/jira/browse/OFBIZ-769?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marco Risaliti closed OFBIZ-769.
Resolution: Fixed
Tag docs and docs-all are already implemented into OFBiz so I will close this
Over the last few days this discussion has changed subject a few times. This
is going more on the lines of confuse them if you cannot convince.
The new security system proposal document, implementation code and
code demonstrating its use have been out for more than a week. All big names
in community
Anil, you mentioned a document. Can you send out the link? I'm sure it is in
these threads somewhere but with all the traffic on this topic I cannot seem to
find a link to the doc.
- Original Message -
From: Anil Patel anil.pa...@hotwaxmedia.com
To: dev@ofbiz.apache.org
Cc: Anil Patel
[
https://issues.apache.org/jira/browse/OFBIZ-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marco Risaliti closed OFBIZ-1365.
-
Resolution: Won't Fix
improve get method of GenericEntity class
What I see so far is what the new system will do.
that is good
what I don't see is an equivalent document on how the old system handles
or does not handle the same situations. This would tie in with why the
need for the new system.
I also don't see, since this is a security system, any
Do you really think the intent of the people discussing this is to
confuse people, or even to convince people?
Let's be realistic about this... the subject here is a complicated one
and there are lots of different issues related to it. Some points are
coming up but I don't think we've
Sam,
That's an interesting article, and very relevant for some security
related changes we've done in recent months.
I was going to say that this discussion about a new security approach
doesn't have much to do with that article since this discussion is
really just all about how to
David E Jones wrote:
If I understand right where Adrian is going with this thread it is to
just start with wanting to granular for flexibility reasons and
instead of having permissions that each screen/service/etc checks just
have each screen/service/etc BE a permission of sorts. We wouldn't
- David E Jones wrote:
One of the goals of the current price rules is to make them
configurable by end-users. Admittedly they are somewhat complex so it
takes a savvy person (in terms of business and logical thinking) to do
this. However, through the existing UI you can click through
[
https://issues.apache.org/jira/browse/OFBIZ-569?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marco Risaliti closed OFBIZ-569.
Resolution: Fixed
Fix Version/s: SVN trunk
This is the old-issue when we update the OFBiz
at this point I am neither for nor against the new proposal.
after I get it under my belt I will offer my view.
However I do want to add more to the Access portion.
I would like to consider extending granularity of the permission to
include Menus and display of data.
the focus is that some menus
- Adam Heath wrote:
Adam Heath wrote:
Have you considered doing a git or mercurial branch of all these changes?
hg clone http://hg.webslinger.org/hg/ofbiz.apache.org/
This situation underscores a discussion that David and I were having about
distributed development. Andy's changes
Vince,
Here are the documents
http://docs.ofbiz.org/display/~jaz/OFBiz+Security+Refactor
http://docs.ofbiz.org/display/~jaz/Permissions+By+Application
Thanks for asking for the document. I have an example of how successful
people have been in confusing the community.
Regards
Anil Patel
On May 4,
There are still issues but even now ARIA roles and states are baked into the
widgets. The upshot is that Google has to deal with these kinds of problems as
well and is big enough that they have to address it.
- Adrian Crum wrote:
Would that be accessible? In other words, is it
[
https://issues.apache.org/jira/browse/OFBIZ-2419?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ashish Vijaywargiya reassigned OFBIZ-2419:
--
Assignee: Ashish Vijaywargiya
Error finding xml ressource during Contact/Lead
I step back to this because I believe this is a good point.
Andy:
I did not become aware of your new security till last thur. I have been
wrapped up in other projects and have not paid much attention to the dev
list. my apologies.
so to me this has not been sitting in front of me for long.
Plus
Hello David,
It seems that you are right.
If this is the case then my previous patch can be used.
Thanks David, for your attention on this thing.
--
Ashish
I do not think that this is legally right.
My understanding of the Berne Convention rules for Copyright (which covers
most
Hans,
Why is this change necessary? The theme DOES exist and it works fine.
Are you sure you updated your local copy and ran ant run-install?
-Adrian
hans...@apache.org wrote:
Author: hansbak
Date: Mon May 4 03:56:07 2009
New Revision: 771170
URL:
Ean Schuessler schrieb:
[..]
Now a completely separate issue is how we determine whether someone's changes are ready to go into the production repository. In a Linus style model, it would just be up to David and then maybe a lot of people would also follow Andy's branches closely (kind of like
I proposed the contributor model of branches in 2004, did not get much
support for it. someone can create their contribution for others to
evaluate when it is passed must they it can be voted on to be merged
with the trunk.
The value then, it would water down the trunk contributions.
Ean
On May 4, 2009, at 10:53 AM, Christian Geisert wrote:
Ean Schuessler schrieb:
[..]
Now a completely separate issue is how we determine whether
someone's changes are ready to go into the production repository.
In a Linus style model, it would just be up to David and then maybe
a lot of
This thread is specifically for discussing security requirements and
security use scenarios to drive OFBiz security functionality going
forward. Please keep other discussion in another thread.
These things tend to fall into two categories: functionality access
and record-level access, or
No you misunderstood me. I was referring to us agreeing in a previous
email that it was a fair assessment. Hence the smiley. I think your
comparison here is correct. In the process driven model, the logic is
attached to the process, and the process is attached to various
artifacts. The
The list you have here seems to imply we have decided on an artifact
based security system, that is not the case. So far there are two
different styles being discussed one is artifact based where the other
is process based.
Andrew
On May 4, 2009, at 1:28 PM, David E Jones wrote:
This
This is a great start! I have nothing to add.
-Adrian
David E Jones wrote:
This thread is specifically for discussing security requirements and
security use scenarios to drive OFBiz security functionality going
forward. Please keep other discussion in another thread.
These things tend to
I don't think the ASF imposes any kind of vote per trunk commit model for
revision control.
- Christian Geisert wrote:
Uh no, this isn't up for debate at the ASF ;-)
See http://www.apache.org/foundation/voting.html
--
Ean Schuessler, CTO Brainfood.com
e...@brainfood.com -
This thread is specifically for discussing possible configuration
patterns to use in OFBiz going forward. Please keep other discussion
in another thread, including the merits of each possibility... let's
just brainstorm in this thread.
To get things started, here are the patterns that
That's great feedback Andrew. Could you put this in terms of one or
more items we can add to the list?
-David
On May 4, 2009, at 11:47 AM, Andrew Zeneski wrote:
The list you have here seems to imply we have decided on an artifact
based security system, that is not the case. So far there
David E Jones wrote:
1. artifacts responsible for their own security (especially services and
screens), and security permissions are referred to directly (ie the
actual permissions are configured directly in the XML tags for the
artifact)
If this is referring to my proposal, it's not
On May 4, 2009, at 12:31 PM, Adrian Crum wrote:
David E Jones wrote:
1. artifacts responsible for their own security (especially
services and screens), and security permissions are referred to
directly (ie the actual permissions are configured directly in the
XML tags for the artifact)
Am I correct in thinking that artifact driven approach naturally integrates
the concept of allowing inherited permission checking by roles, but in the
process-driven approach we would have to use something like the
RoleCheckingDa API extension? So if I want to give an administrator access
to all
I believe that no matter which method is used (process or artifact)
both would require similar access control logic to be implemented. I'm
not sure how this would look in the artifact system (Adrian can
comment on that), but in the process driven system there would be two
options.
1. For
In the artifact-driven approach, the inheritance is from higher level
artifacts to lower level artifacts. So if I assign a user permission to
use a screen, that permission is inherited by all the artifacts the
screen contains. Contained artifacts can optionally override the
inherited
We need to agree on terminology, authentication would refer to
confirming a subject is who they say they are (checking user's name/
password combination), where authorization would refer to granting
access to something.
What we have been discussing is re-designing the way ofbiz handles
[
https://issues.apache.org/jira/browse/OFBIZ-2417?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marco Risaliti closed OFBIZ-2417.
-
Resolution: Fixed
Fixed into rev. 771419.
Support of Authorize Dot Net v3.1 and use the new
Hi,
I am working on an experimental project to run the OFBiz framework in an
OSGi kernel and thereby creating OSGi bundles from various framework
components. I have created bundles for entity and service engine and
could launch entity and service engine as OSGi Service. Although entity
engine is
Agreed!
-Adrian
Andrew Zeneski wrote:
We need to agree on terminology, authentication would refer to
confirming a subject is who they say they are (checking user's
name/password combination), where authorization would refer to granting
access to something.
What we have been discussing is
Jacques,
Thanks for your questions. I will address each one inline...
Honestly, in my initial plan I only had 4 permissions
create,read,update and delete. Then after thinking about it,
access seemed
to be a nice extra permission to limit access to applications.
Read is nothing more
Raj Saini wrote:
I am working on an experimental project to run the OFBiz framework in an
OSGi kernel and thereby creating OSGi bundles from various framework
components. I have created bundles for entity and service engine and
could launch entity and service engine as OSGi Service. Although
Hi Adam,
Yes, this is a problem inside an OSGi Bundle. This makes the entity
engine bundle depend on the service engine bundle.
Thanks,
Raj
Huh? There are no circular deps during the compile. That class is
only referenced by use of a String. GenericDelegator then tries to
load the class, and
Raj Saini wrote:
Hi Adam,
Yes, this is a problem inside an OSGi Bundle. This makes the entity
engine bundle depend on the service engine bundle.
How can it be a problem? The attempted class load is done in a try
catch, and if not found, ofbiz continues processing. Are you saying
that any osgi
Security permission seems to be based on action, resource and context of
resource.
I have been working on a system to extend ofbiz security for our custom system.
A main difference is that we wanted to get away from has-permission constructs
in the xml files. Hope was that end users would be
Thanks for sharing this Harmeet. I've started a couple of threads
about brainstorming, and this sounds a lot like the option #4 for the
Security Configuration Patterns.
A few people have mentioned over time that they'd like to change
security without changing code (or XML configuration,
At least when I have this change in, after a clean-all;run-install the
system cannot find ANY theme. Try it yourself.
In the meantime I have put in some code that when the default theme
cannot be found it reverts back to the good old ofbiz theme.
Regards,
Hans
On Mon, 2009-05-04 at 07:57
--- On Mon, 5/4/09, Hans Bakker mailingl...@antwebsystems.com wrote:
At least when I have this change in, after a
clean-all;run-install the
system cannot find ANY theme. Try it yourself.
I've done that twice on two different computers. Still no problems. The theme
works fine.
-Adrian
Now that the UEL supports logical operator substitution
(http://docs.ofbiz.org/display/OFBTECH/Unified+Expression+Language+(JSR-245)+in+OFBiz#UnifiedExpressionLanguage%28JSR-245%29inOFBiz-OperatorSubstitutions)
we have the ability to eliminate the clumsy XML escaping in the form widget
+1
--
Ashish Vijaywargiya
Adrian Crum wrote:
Now that the UEL supports logical operator substitution
(http://docs.ofbiz.org/display/OFBTECH/Unified+Expression+Language+(JSR-245)+in+OFBiz#UnifiedExpressionLanguage%28JSR-245%29inOFBiz-OperatorSubstitutions)
we have the ability to eliminate the
I don't mind either way, only one question, how does UEL handle
undefined values e.g. (partyIdFrom == void) would we just do
(partyIdFrom == null)?
It's also worth mentioning that we never needed to use XML escaping
for beanshell it was the one that supported the method I suggested for
The UEL throws an exception if an undefined value is used in an expression. I
added an extension that allows you to specify a default value if one isn't
found. So, it would look like this: ${partyIdfrom$string == ''}.
I tried to use the operator overload in BeanShell, but it threw a parse