[Erp5-users] ERP5 new security model

Jose F. Maldonado jmaldonado at securiport.com
Thu Jan 9 13:43:30 CET 2014


Hi. I have read several pages about the ERP5 security model (http://www.erp5.org/HowTo/HowToUseNewSecurity, http://en.wikibooks.org/wiki/ERP5_Handbook/Magic_Security and http://copilotco.com/mail-archives/erp5.2007/msg00137.html), but I'm still unable to implement a role that allows users to see only content from their own country.


In portal_categories/sites, I defined two sites: France and Spain.


In Persons, I created two users: french_user (with an assignment of group=my_group, function=manager and site=france) and spanish_user (with an assignment of group=my_group, function=manager and site=spain).


Then I logged in as french_user and created 3 products, and after that I used spanish_user to create another 3 products (I'm trying to implement the security for the Products module).


Finally, in portal_types/Module, I modified the default role:

  *   Roles: Assignor, Assignee, Associate, Auditor, Author
  *   Base categories:
  *   Base category script:
  *   Categories: group/my_group

Into:

  *   Roles: Assignor, Assignee, Associate, Auditor, Author
  *   Base categories: site
  *   Base category script: ERP5Type_getSecurityCategoryMapping
  *   Categories: group/my_group

However, both spanish_user and french_user can see and modify all the products (even the ones created by the other user), and I want them to be able to see only the products of their own country.


Note that the definition of ERP5Type_getSecurityCategoryMapping is the following:

return (
    ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['function']),
    ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['follow_up']),
    ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['function', 'follow_up']),
    ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['group']),
    ('ERP5Type_getSecurityCategoryFromAssignmentStrict', ['site']),
    ('ERP5Type_getSecurityCategoryRoot', ['group']),
)
