From jmaldonado at securiport.com Thu Jan 9 13:43:30 2014
From: jmaldonado at securiport.com (Jose F. Maldonado)
Date: Thu, 9 Jan 2014 12:43:30 +0000
Subject: [Erp5-users] ERP5 new security model
Message-ID: <38AAFF4BFC43D64B9AF427D8AF22656570583CDA@SRV01.cac.local>

Hi.

I have read several pages about the ERP5 security model (http://www.erp5.org/HowTo/HowToUseNewSecurity, http://en.wikibooks.org/wiki/ERP5_Handbook/Magic_Security and http://copilotco.com/mail-archives/erp5.2007/msg00137.html), but I'm still unable to implement a role that allows users to only see content from their own country.

In portal_categories/sites, I defined two sites: France and Spain.

In Persons, I created two users: french_user (with an assignment of group=my_group, function=manager and site=france) and spanish_user (with an assignment of group=my_group, function=manager and site=spain).

Then I logged in with french_user and created 3 products, and after that I used spanish_user to create another 3 products (I'm trying to implement the security for the Products module).

Finally, in portal_types/Module, I modified the default role:

* Roles: Assignor, Assignee, Associate, Auditor, Author
* Base categories:
* Base category script:
* Categories: group/my_group

into:

* Roles: Assignor, Assignee, Associate, Auditor, Author
* Base categories: site
* Base category script: ERP5Type_getSecurityCategoryMapping
* Categories: group/my_group

However, both spanish_user and french_user can see and modify all the products (even the ones created by the other user), and I want them to only be able to see the products of their own country.
Note that the definition of ERP5Type_getSecurityCategoryMapping is the following:

    return (
      ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['function']),
      ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['follow_up']),
      ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['function', 'follow_up']),
      ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['group']),
      ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['site']),
      ('ERP5Type_getSecurityCategoryRoot', ['group']),
    )

________________________________________
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager and delete it from your system; you may not copy this message or disclose its contents to anyone. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Please send us by fax any message containing deadlines as incoming e-mails are not screened for response deadlines. The integrity and security of this message cannot be guaranteed on the Internet. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

From yusei at nexedi.com Thu Jan 9 15:57:08 2014
From: yusei at nexedi.com (Yusei TAHARA)
Date: Thu, 9 Jan 2014 23:57:08 +0900
Subject: [Erp5-users] ERP5 new security model
In-Reply-To: <38AAFF4BFC43D64B9AF427D8AF22656570583CDA@SRV01.cac.local>
References: <38AAFF4BFC43D64B9AF427D8AF22656570583CDA@SRV01.cac.local>
Message-ID: <20140109235708.71c0ad6d6a4a4e8ecd0f9bff@nexedi.com>

Hi,

Have you tried a simpler case? Defining different security per content (this time, product) is a bit of an advanced topic.
The important thing to understand is that you need to implement two things:

- A rule to generate the local role name which is stored in the document. (Role information in the portal type)
  Read http://git.erp5.org/gitweb/erp5.git/blob/HEAD:/product/ERP5Type/Core/RoleInformation.py?js=1#l100
  Go to the Security tab in the ZMI and click the local roles link; you can check what local role is set.

- A rule to generate the group id which is set on the authenticated user object. (ERP5Type_getSecurityCategoryMapping, ERP5Type_asSecurityGroupId as far as I remember)
  Read http://git.erp5.org/gitweb/erp5.git/blob/HEAD:/product/ERP5Security/ERP5GroupManager.py?js=1#l92
  Open http://target_document_url/Base_viewSecurity, then you can check what group ids are generated.

And once a user's group id is equal to a content's local role name, the logged in user finally gets the local role and privilege.

> * Roles: Assignor, Assignee, Associate, Auditor, Author
> * Base categories: site
> * Base category script: ERP5Type_getSecurityCategoryMapping
> * Categories: group/my_group

Here, the base category script is wrong. You can use one of the ERP5Type_getSecurityCategoryFromXXX scripts in erp5_core. This time ERP5Type_getSecurityCategoryFromContent should be appropriate, and "Categories" should be empty if you want to use site only. (Precondition: products have a "site" category, users have a "site" category in their assignment, and only if the product's site is equal to the user's site does the user get the privilege.)

Regards,
Yusei

> However, both spanish_user and french_user can see and modify all the products (even the ones created by the other user), and I want them to only be able to see the products of their own country.
>
> Note that the definition of ERP5Type_getSecurityCategoryMapping is the following:
>
> return (
>   ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['function']),
>   ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['follow_up']),
>   ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['function', 'follow_up']),
>   ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['group']),
>   ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['site']),
>   ('ERP5Type_getSecurityCategoryRoot', ['group']),
> )

-- 
Yusei TAHARA
Nexedi: Consulting and Development of Free / Open Source Software
http://www.nexedi.co.jp/
ERP5: Full Featured High End Open Source ERP
http://www.erp5.com/
ERP5 Wiki: Developer Zone for ERP5 Community
http://www.erp5.org/
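As an added illustration of the matching rule Yusei describes (group ids generated for the authenticated user on one side, local role names written on the document on the other, privilege granted only where a name on the document equals one of the user's group ids), the following Python model is example code written for this page. It is not code from ERP5 or from either poster: the group-id format, the helper names (`as_security_group_id`, `security_group_ids`, `local_roles_for`, `effective_roles`) and the product/user data are simplified assumptions, and ERP5's real encoding lives in ERP5Type_asSecurityGroupId and the ERP5Type_getSecurityCategoryFrom* scripts. It replays the three configurations that matter in the thread: the original group-only default role, Yusei's recommended "site from content, Categories empty" role, and the tempting "site from content plus group/my_group" variant.

```python
# Toy model of ERP5 "new security" matching. Added example, not ERP5 code.
# Assumption: a group id is the document's or assignment's "base_category:value"
# pairs, sorted and joined with "|" (ERP5 uses its own codification instead).

# Modelled on ERP5Type_getSecurityCategoryMapping from the post: each entry is the
# set of base categories combined into ONE group id per assignment. The "Strict"
# variant means the assignment must carry every listed base category.
SECURITY_CATEGORY_MAPPING = (
    ("function",),
    ("follow_up",),
    ("function", "follow_up"),
    ("group",),
    ("site",),
)

ROLES = ("Assignor", "Assignee", "Associate", "Auditor", "Author")


def as_security_group_id(categories):
    """Assumed id format, e.g. 'group:my_group|site:france'."""
    return "|".join("%s:%s" % (k, v) for k, v in sorted(categories.items()))


def security_group_ids(assignments, mapping=SECURITY_CATEGORY_MAPPING):
    """Group ids attached to the logged-in user (the ERP5GroupManager side).

    assignments: list of dicts such as
        [{'group': 'my_group', 'function': 'manager', 'site': 'france'}]
    """
    ids = set()
    for base_categories in mapping:
        for assignment in assignments:
            if all(bc in assignment for bc in base_categories):
                ids.add(as_security_group_id(
                    {bc: assignment[bc] for bc in base_categories}))
    return ids


def local_roles_for(document, roles, base_categories=(), categories=None):
    """Local role names one Role Information entry writes on a document.

    base_categories: base categories read FROM THE DOCUMENT itself, i.e. the
        ERP5Type_getSecurityCategoryFromContent behaviour Yusei recommends.
    categories: the fixed "Categories" field, e.g. {'group': 'my_group'}.
    Returns {local_role_name: set(roles)}; a document lacking one of the
    requested base categories (a product with no site) gets no local role.
    """
    cats = dict(categories or {})
    for bc in base_categories:
        if bc not in document:
            return {}
        cats[bc] = document[bc]
    if not cats:
        return {}
    return {as_security_group_id(cats): set(roles)}


def effective_roles(user_group_ids, document_local_roles):
    """Roles the user ends up with: local role names equal to one of its group ids."""
    granted = set()
    for name, roles in document_local_roles.items():
        if name in user_group_ids:
            granted |= roles
    return granted


# Constructed sample data mirroring the post's setup.
FRENCH_USER = [{"group": "my_group", "function": "manager", "site": "france"}]
SPANISH_USER = [{"group": "my_group", "function": "manager", "site": "spain"}]
FRENCH_PRODUCT = {"site": "france"}  # a product created by french_user


def scenario(**role_definition):
    """Who gets which roles on FRENCH_PRODUCT under one role definition."""
    doc_roles = local_roles_for(FRENCH_PRODUCT, ROLES, **role_definition)
    return {
        "french_user": sorted(effective_roles(security_group_ids(FRENCH_USER), doc_roles)),
        "spanish_user": sorted(effective_roles(security_group_ids(SPANISH_USER), doc_roles)),
    }


# 1. Original default role (Categories: group/my_group only): both users match.
DEFAULT_ROLE = scenario(categories={"group": "my_group"})
# 2. Yusei's suggestion (site from content, Categories empty): only the
#    matching site's user gets the roles.
SITE_ONLY = scenario(base_categories=("site",))
# 3. Site from content AND group/my_group kept: the local role name becomes
#    'group:my_group|site:france', but the mapping above never builds a
#    combined group+site id for users, so nobody is granted anything.
SITE_AND_GROUP = scenario(base_categories=("site",), categories={"group": "my_group"})

if __name__ == "__main__":
    print("user group ids:", sorted(security_group_ids(FRENCH_USER)))
    for label, result in (("default", DEFAULT_ROLE), ("site only", SITE_ONLY),
                          ("site + group", SITE_AND_GROUP)):
        print(label, result)
```

Scenario 3 is the practical reason behind "Categories should be empty if you want to use site only": the name written on the document must match a group id the mapping actually produces for users, which you can verify on a real instance with the ZMI local roles view and Base_viewSecurity, as Yusei suggests, before blaming the role definition.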