Pierre, thank you for contributing this patch. It solves the first part of the issue.
On Mon Jul 25,2011 08:31 am, Pierre Smits wrote:
> Hi Mansour,
>
> See my inline comment regarding the issue with
> https://demo-trunk-ofbiz-apache.org/projectmgr/control/main
>
> With regards,
>
> Pierre Smits
>
> 2011/7/24 Mansour Al Akeel <mansour.alak...@gmail.com>
>
> > BJ,
> > thank you for all your help. I looked at the links you sent me, and they
> > were useful. I still don't understand why permissions are checked in
> > the ftl and not the service layer. However this is not the issue I am
> > stuck at now.
> > I think I am still confused about permissions.
> > I created an account on trunk demo to show what I am talking about.
> >
> > If you go to:
> > https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
> >
>
> I have created a patch that alleviates this problem, but it is not yet
> incorporated in the trunk.
> See jira for the patch.
>
> https://issues.apache.org/jira/browse/OFBIZ-4206
>
> >
> > and try to login with mansour:ofbiz you will be greeted with a screen
> > saying:
> >
> > org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
> > [component://common/widget/CommonScreens.xml#GlobalDecorator]:
> > java.lang.IllegalArgumentException: Error running Groovy script at location
> > [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]:
> > org.ofbiz.service.ServiceAuthException: You have no access to the project#:
> > 9000 (Error running Groovy script at location
> > [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]:
> > org.ofbiz.service.ServiceAuthException: You have no access to the project#:
> > 9000)
> >
> > This is fine, as the user "mansour" doesn't have permission to view
> > this project, but shouldn't this screen display the projects he is
> > member of (if any).
> >
> > The second part is if you go to:
> >
> > https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
> >
> > and hit find, the user can see all the tasks that he is not member of,
> > and clicking on any of them, will open the details about that task.
> >
> > This user is in "PROJECTUSER" security group, which has:
> >
> > ROJECTMGR_ROLE_TASK_CREATE Be able to create a task (should be member of
> > project)
> > PROJECTMGR_ROLE_TIMESHEET_CREATE Be able to create a weekly timesheet for
> > the loginid.
> > PROJECTMGR_ROLE_TIMESHEET_UPDATE Be able to update(report) on an existing
> > own timesheet
> > PROJECTMGR_ROLE_VIEW All view operations in the Project Manager for a
> > project/phase/task the user is member of..
> > PROJECTMGR_VIEW ALL View operations in the Project Manager(but can be
> > limited by ROLE_VIEW)
> >
> > On my local machine, I removed that last one "PROJECTMGR_VIEW", but
> > still this user can see others tasks.
> >
> > Am I doing something wrong here?
> >
> > I appreciate your help.
> >
> > On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
> > > New Role Type (see chapter two of the Book)
> > > lets you define a new role type to use.
> > > it is best to link with the book to use the webtools
> > > https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
> > > you can also get the xml structure from the data and created a bunch of
> > > them then load them via the web tools import. note: that service engine
> > > and UI (widgets and ftls) need to changed if you want that role type to
> > > have access.
> > >
> > > doing a google search for
> > > ofbiz main role
> > > http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
> > >
> > > I hope these tips help you research your answer more. and As I said
> > > before parts of your question are already been answered.
> > >
> > >
> > > This may clear up more on security and Role View all.
> > > https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> > >
> > >
> > > Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
> > > > Hello BJ,
> > > > and thank you for your reply.
> > > >
> > > > You can check the link here:
> > > >
> > > > https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
> > > >
> > > > It has
> > > > "Add To Main Role" and "Add To Role : view all" Fields. and if you
> > > > select something like "Calendare" for the first one, you will get a
> > > > third field "Add To Second Role". What is the difference between them ?
> > > >
> > > > I was confused with the security part, because was adding a user to a
> > > > group, but still the user was not allowed to edit a project. I have to
> > > > add the user as a resource for that project.
> > > >
> > > > What I understand now is, Party Roles has nothing to do with
> > > > permissions, and the latter has to be handled separately through the
> > > > security group.
> > > >
> > > >
> > > > Thank you.
> > > >
> > > >
> > > > On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
> > > >> Yes I still have to go back and review. The book Deals only with Roles
> > > >> related to Party. Security based on login is not in the Book.
> > > >> The is covered in the Service Engine and Webapps, widgets
> > > >>
> > > >> It helps if you give complete URL to the places you talking about. It
> > > >> saves time of the answerer and verify we are talking the same component.
> > > >> The labels are in separate files from actual code, so depending on who
> > > >> put in the text for that label, it may not be clear as to its meaning.
> > > >>
> > > >> you can limit based on Roles, security groups and/or security roles
> > > >> which is different from roles.
> > > >> going through the widgets and Ftls will give you code examples of how
> > > >> this is accomplished.
> > > >>
> > > >> The example component is good to review.
> > > >>
> > > >>
> > > >> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
> > > >>> Ok, the "BOOK" explained things, and I know I have to read many parts
> > > >>> again, especially while trying to match the readings with the
> > > >>> functionality offered by OFBiz.
> > > >>>
> > > >>> Now I have a question related to adding roles. In the "Add To Role"
> > > >>> screen:
> > > >>>
> > > >>>
> > > >>> Add To Main Role
> > > >>> --> Role Type Id
> > > >>>
> > > >>> Add To Second Role
> > > >>> --> Role Type Id
> > > >>>
> > > >>> Add To Role : view all
> > > >>> --> Role Type Id
> > > >>>
> > > >>> What is the difference between "Main Role" and "Second Role" and how do
> > > >>> I use them ?
> > > >>> What is the "Add To Role" mean ?
> > > >>>
> > > >>> Back again to the scenario in the first email, and after I modeled the
> > > >>> Parties, how do I let each access only to the functionality they need to
> > > >>> access ? For example, "Approver" to approve timesheet and work effort.
> > > >>> Project manager to Assign tasks, "Developer" to update tasks. Would this
> > > >>> have to be separately using "Security Groups" ?
> > > >>>
> > > >>> Thank you.
> > > >>>
> > > >>>
> > > >>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
> > > >>>> as both Adrian and I mentioned most of that would be described well in
> > > >>>> the Data model book that ofbiz was modeled after, which is why not much
> > > >>>> documentation is written specifically in ofbiz.
> > > >>>>
> > > >>>> There are emails in the archive that have covered different parts of
> > > >>>> your question.
> > > >>>>
> > > >>>> Actually it has been a good time for the Documentation for over 6 years,
> > > >>>> problem is getting someone to volunteer to do it. We have added internal
> > > >>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
> > > >>>>
> > > >>>> Normally such Contributions have been from someone hiring someone to do
> > > >>>> the documentation, because it takes a lot of time to volunteer and those
> > > >>>> that have to make a living do not have such time free. Then that
> > > >>>> documentation was volunteered to ofbiz community.
> > > >>>>
> > > >>>> I limit my volunteer time per subject on the mailing list to 15 min,
> > > >>>> unless i have a vested interest in it. I have even stopped answering on
> > > >>>> here because my time has become very limited. as an example this email
> > > >>>> took over two hours to finish because of interruptions to do business.
> > > >>>>
> > > >>>> so maybe others that have the time will volunteer the information you
> > > >>>> desire.
> > > >>>>
> > > >>>> Most find the charge for the "BOOK" a lot less than hiring someone, or
> > > >>>> volunteering the time to document.
> > > >>>>
> > > >>>> That said, feel free once you understand to volunteer your time to
> > > >>>> document this the way you think it should be done.
> > > >>>> BTW I have made this offer to others that presented the same proposal in
> > > >>>> the past and they have not volunteered such documentation yet.
> > > >>>>
> > > >>>> I would suggest you draw an organizational chart then use the fields in
> > > >>>> ofbiz to associate the chart to relationships. There is no "ONE"
> > > >>>> organization chart.
> > > >>>>
> > > >>>> Demo employee shows two relationships as examples, in a normal Company
> > > >>>> there may be many relationships. like the one that says the demo
> > > >>>> employee is a employee.
> > > >>>>
> > > >>>> you would use roles and relationship
> > > >>>>
> > > >>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
> > > >>>>> BJ thank you.
> > > >>>>>
> > > >>>>> My question is related more to ofbiz usage.
> > > >>>>> In the relationship page:
> > > >>>>>
> > > >>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
> > > >>>>> you can see some fields that are not clear to me. To be more specific, We have:
> > > >>>>> in the role of | is A of Party | in the role of
> > > >>>>>
> > > >>>>> There are two relations for DemoEmployee. And each relation has two fields
> > > >>>>> "in the Role Of".
> > > >>>>> Furthermore, there is some confusion about where to relate employee
> > > >>>>> to organization. I mean if you go to:
> > > >>>>>
> > > >>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
> > > >>>>>
> > > >>>>> You will see four tabs with labels indicates similar functionality:
> > > >>>>> -Roles
> > > >>>>> -Link Party
> > > >>>>> -Relationships
> > > >>>>> -Segments
> > > >>>>>
> > > >>>>>
> > > >>>>> What is the difference between these ? To add employee to Organization
> > > >>>>> I need to use ..... ?
> > > >>>>> Maybe it's a good opportunity to discuss and document each of them,
> > > >>>>> instead of referring me to the "BOOK" ;)
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <bjf...@free-man.net> wrote:
> > > >>>>>> there is not much documented in ofbiz about party.
> > > >>>>>> however if you read the Data model book Vol I you will see a lot about
> > > >>>>>> partyrelationships. Good diagram on pg 41
> > > >>>>>> In this case you would have party relationship with the company that
> > > >>>>>> supplies contractors
> > > >>>>>> so you need to setup the roles of each party then setup the relationship
> > > >>>>>> between them
> > > >>>>>> start with organizational party relationship then individual (person)
> > > >>>>>> relationships with organizations.
> > > >>>>>>
> > > >>>>>> example
> > > >>>>>> the programmer would be a employee role with the recruitment company if
> > > >>>>>> they contract, then the programmer would have a contractor relationship
> > > >>>>>> with the Company.
> > > >>>>>>
> > > >>>>>> the rest you can get from the demo data or you can look at the demo site
> > > >>>>>> at the different parties to see the relationships.
> > > >>>>>>
> > > >>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
> > > >>>>>>> Hello all,
> > > >>>>>>> I didn't use the parties component extensively, and don't know a lot about it.
> > > >>>>>>> Here's the scenario we have. Three Group parties:
> > > >>>>>>> Programmers
> > > >>>>>>> Recruiter
> > > >>>>>>> Sales /marketing/Distributing
> > > >>>>>>> The distributor obtains the requirements and hires the Programmers
> > > >>>>>>> through the "Recruitment" company. Billing is done by hour.
> > > >>>>>>> In each company there's two employees that interact with the system.
> > > >>>>>>> programmer1 , programmer2
> > > >>>>>>> hr manager 1, hr manager2
> > > >>>>>>> project manager1, project manager2
> > > >>>>>>>
> > > >>>>>>> We need to setup the system, to handle the requirements communication,
> > > >>>>>>> timesheet, project management ... etc.
> > > >>>>>>> I have created the three group parties, and 6 employees parties, and
> > > >>>>>>> stopped there not knowing how to connect them.
> > > >>>>>>>
> > > >>>>>>> How to associate users (employee) with companies (Group Party) ?
> > > >>>>>>> I tried to go to Relationships page and use "Add other party
> > > >>>>>>> relationship", but those fields are not clear to me. For example "in
> > > >>>>>>> the Role of" .... etc.
> > > >>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter" ??
> > > >>>>>>> How many accounts I need, knowing that the recruiter get a percentage ?
> > > >>>>>>>
> > > >>>>>>> What do I need to do after that ?
> > > >>>>>>>
> > > >>>>>>> Guessing is not very helpful here as it relies on trial and error,
> > > >>>>>>> and an error may not be initially visible. So I like to get an advice
> > > >>>>>>> from someone with more experience in this area.
> > > >>>>>>>
> > > >>>>>>> Thank you.
> > > >>>>>>>