[Erp5-users] Please help with of Base Category and Security interplay

bartek bartek at erp5.pl
Wed Feb 28 13:09:22 CET 2007 

chetankumar at vsnl.net wrote:
> Hi all
> Any thoughts from any kind soul?
> Regards,
> Chetan
> 
> ----- Original Message -----
> From: chetankumar at vsnl.net
> Date: Monday, February 26, 2007 1:47 pm
> Subject: [Erp5-users] Please help with of Base Category and	Security	interplay
> To: erp5-users at erp5.org
> 
>> Hi all
>> The utility of base category has not sunk in for me. No amount of 
>> changes/experimentation has not yielded a different output for me 
>> till now.
>> Example
>> user1 (validated) has these settings in an open assignment
>> group = group/ga
>> function = function/funca
>> site = site/sitea
>>
>> I define Assignor local role for person module with categories
>> group/ga
>> function/funca
>> site/sitea
>> (same as above assignment)
>>
>> user1 can access the module (which is expected behaviour)
>>
>> Now I create ERP5Type_getSecurityCategoryMapping
>> ==========================================================
>> return (
>> ('ERP5Type_getSecurityCategoryFromAssignment', ['function'] ),
>> ('ERP5Type_getSecurityCategoryFromAssignment', ['group','site'] ),
>> )
>> ==========================================================
>>
>> user1 can also access the module if
>> 1. category=function/funca
>>     function is returned by ERP5Type_getSecurityCategoryMapping
>> 2. cateogry=site/sitea
>>                      group/ga
>>     site and group are returned by 
>> ERP5Type_getSecurityCategoryMapping
>> The moment I set 
>> 1. base category=function or 
>>    base category = group site
>>    for 1 above, the module is not accessible.
>> 2. base category = function or
>>    base category = group site
>>    for 2 above, the module is not accessible
>>
>> What is base category designed to contribute to the access control?
>> The document on the new security has left me confused (maybe it is 
>> just me)

No, it is not just you - I'd say this is the expected behaviour :) 
Security system in ERP5 is very confusing for a beginner, but wonderful 
when you get it.

The way to understanding it is to see how it really works - I'd advise 
you to use manage_listLocalRoles on the object you are settting security 
  to. If you set Assignor role as you defined, you'd probably see 
something like:

funca_groupa_sitea (Assignor)

which means that the user has to be in funca_groupa_sitea group to have 
Assignor role in context of this object.

The ERP5Type_getSecurityCategoryMapping script is responsible for 
putting together various properties of user to create groups of which he 
is a member. So, if you do like:

('ERP5Type_getSecurityCategoryFromAssignment', ['group','site'] )

the user will be in group groupa_sitea. If you want him to be in 
funca_groupa_sitea, you have to do:
('ERP5Type_getSecurityCategoryFromAssignment', ['group','function','site'] )

You can check if it works by logging running Base_viewSecurity in 
context of the object in question, this will show you what groups are 
you currently a member of and what roles you have in context of the 
object. Just keep in mind that security roles are cached, so it'd be 
good to run a script like this first:

from Products.ERP5Type.Cache import clearCache
clearCache()
print 'ok, cache cleared'
return printed

Bartek

>>
>> Regards,
>> Chetan
>> _______________________________________________
>> Erp5-users mailing list
>> Erp5-users at erp5.org
>> http://erp5.org/mailman/listinfo/erp5-users
>>
> _______________________________________________
> Erp5-users mailing list
> Erp5-users at erp5.org
> http://erp5.org/mailman/listinfo/erp5-users
>

More information about the Erp5-users mailing list