[Erp5-users] ERP5 new security model

Yusei TAHARA yusei at nexedi.com
Thu Jan 9 15:57:08 CET 2014


Hi,

Have you tried a simpler case? Defining different security per content
(this time, product) is a bit of an advanced topic.

The important thing to understand is that you need to implement two things:
 - A rule to generate the local role name, which is stored in the document.
   (Role information in portal type)
   Read http://git.erp5.org/gitweb/erp5.git/blob/HEAD:/product/ERP5Type/Core/RoleInformation.py?js=1#l100

   Go to the Security tab in the ZMI and click the local roles link; there you can check which local role is set.

 - A rule to generate the group id, which is set on the authenticated user object.
   (ERP5Type_getSecurityCategoryMapping, ERP5Type_asSecurityGroupId as far as I remember)
   Read http://git.erp5.org/gitweb/erp5.git/blob/HEAD:/product/ERP5Security/ERP5GroupManager.py?js=1#l92

   Open http://target_document_url/Base_viewSecurity, then you can check what group ids are generated.

And once the user's group id is equal to a content's local role name, the logged-in user finally gets
the local role and privilege.


>   *   Roles:Assignor, Assignee, Associate, Auditor, Author
>   *   Base categories: site
>   *   Base category script: ERP5Type_getSecurityCategoryMapping
>   *   Categories: group/my_group

Here, the base category script is wrong. You can use one of the ERP5Type_getSecurityCategoryFromXXX scripts
in erp5_core. This time ERP5Type_getSecurityCategoryFromContent should be appropriate, and
"Categories" should be empty if you want to use site only.

(Precondition: products have a "site" category, the user has a "site" category in the assignment,
and only if the product's site is equal to the user's site does the user get the privilege.)


Regards,
Yusei



> 
> However, both spanish_user and french_user can see and modify all the products (even the ones created by the other user), and I want them to be able to see only the products of their own country.
> 
> 
> Note that the definition of ERP5Type_getSecurityCategoryMapping is the following:
> 
> return (
> ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['function']),
> ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['follow_up']),
> ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['function', 'follow_up']),
> ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['group']),
> ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['site']),
> ('ERP5Type_getSecurityCategoryRoot', ['group']),
> )
> 


-- 
Yusei TAHARA <yusei at nexedi.com>
Nexedi: Consulting and Development of Free / Open Source Software
http://www.nexedi.co.jp/
ERP5: Full Featured High End Open Source ERP
http://www.erp5.com/
ERP5 Wiki: Developer Zone for ERP5 Community
http://www.erp5.org/
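
A simplified model of the two rules and the final comparison described in the reply above, added here as an illustration; it is not ERP5 code and not part of the original message. The function names, data layout, group id format and the "spain"/"france" site values are assumptions; the static rule shows, within this model only, that a fixed category yields the same local role group on every document.

```python
# Simplified model of the matching described above. Not ERP5 code: the data
# layout, function names and group id format are assumptions for illustration.

def as_group_id(categories):
    """One deterministic id from {base_category: value} (constructed format)."""
    return "|".join(f"{k}/{v}" for k, v in sorted(categories.items()))

def document_local_roles(document, role_rules):
    """Side 1: portal type rules -> {local role group id: roles} on the document."""
    local_roles = {}
    for rule in role_rules:
        cats = dict(rule.get("static_categories", {}))
        for base in rule["base_categories"]:
            if base not in document:
                break  # document lacks this category: the rule grants nothing
            cats[base] = document[base]
        else:
            if cats:
                local_roles.setdefault(as_group_id(cats), set()).update(rule["roles"])
    return local_roles

def user_group_ids(assignments, mapping):
    """Side 2: assignment categories -> group ids set on the user object."""
    return {as_group_id({b: a[b] for b in bases})
            for a in assignments for bases in mapping
            if all(b in a for b in bases)}

def roles_for(group_ids, local_roles):
    """A local role is granted only where a group id equals a local role group."""
    granted = set()
    for group_id, roles in local_roles.items():
        if group_id in group_ids:
            granted |= roles
    return granted

# Constructed sample data: two users and two products separated by "site".
MAPPING = [["function"], ["group"], ["site"]]
SITE_RULE = [{"roles": {"Assignor", "Assignee", "Associate", "Auditor", "Author"},
              "base_categories": ["site"]}]
STATIC_RULE = [{"roles": {"Auditor"}, "base_categories": [],
                "static_categories": {"group": "my_group"}}]
spanish_user = user_group_ids([{"site": "spain", "group": "my_group"}], MAPPING)
french_user = user_group_ids([{"site": "france", "group": "my_group"}], MAPPING)
spanish_product = {"site": "spain"}
french_product = {"site": "france"}

if __name__ == "__main__":
    for product in (spanish_product, french_product):
        print(product, sorted(roles_for(spanish_user, document_local_roles(product, SITE_RULE))))
```
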

