(0021969) mtaal 2009-11-18 14:22
Added these comments from an email conversation; the solution has been done as discussed here:
Hi Ismael,
Hmm, currently admin mode is just setting a flag which disables security
checks. It keeps the current user context, as it can make sense to still
know who made the changes; also for other things it can make sense to
keep the context as it is (and just disable security), like the client
and organization.
Let me know if that's fine too (or not of course :-) .
I agree that instead of using user="0" the ant tasks should set
admincontext, so that part is clear. And it should solve the issue also
(so then there is no need to change the admin mode behavior).
gr. Martin
Ismael Ciordia, Openbravo wrote:
> > Martin,
> >
> > imo setAdminMode should set user=0, role=0 in the context and ignore if user
> > 0 is granted to use role 0. Then ant tasks and other "admin" actions should
> > use setAdminMode.
> >
> > I think that privileges should only depend on the role in the context, and
> > adminMode should not be an exception.
> >
> > Ismael
> >
> > -----Original message-----
> > From: team.platform-bounces@openbravo.com
> > [mailto:team.platform-bounces@openbravo.com] On behalf of Martin Taal
> > Sent: Tuesday, 17 November 2009 13:04
> > To: team.platform@openbravo.com
> > Subject: [team.platform] User "0" as admin user (in addition to role "0")
> >
> >
> > Hi,
> > The DAL assumes that the role with id "0" is the admin role and will not
> > perform security checks if the user has this role. However, there are
> > some cases in the system where the "0" user is used directly. For
> > example certain ant tasks. This is done with the assumption that the
> > user "0" will have the "0" role as the default role.
> >
> > There are however sometimes customers who (accidentally) change the
> > default role of the "0" user. This results in failing ant tasks as the
> > "0" user then does not have enough authorizations.
> >
> > So the proposal is to extend the admin mode meaning to:
> > user == "0" || role == "0" --> adminMode
> >
> > Let me know if you have any comments/remarks about this.
> >
> > If I hear no comments then I will do this (small) change late Wednesday
> > or Thursday.
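A constructed Python model of the behaviour discussed in this note, added here as an illustration and not Openbravo code: a task that relies on user "0" having role "0" as its default role fails once that default role is changed, while a scoped admin-mode flag disables the check, keeps the real user in the audit trail, and is restored afterwards. `Context`, `admin_mode`, `login`, `run_task` and the entity name `ad_module` are hypothetical names.

```python
from contextlib import contextmanager
from dataclasses import dataclass, field

ADMIN_ROLE = "0"  # role id the DAL treats as admin, per the thread


@dataclass
class Context:
    """Constructed stand-in for a DAL security context (not Openbravo code)."""
    user: str
    role: str
    admin_mode: bool = False
    audit: list = field(default_factory=list)

    def check_write(self, entity):
        # Security checks are skipped for the admin role or when the flag is set.
        if not (self.admin_mode or self.role == ADMIN_ROLE):
            raise PermissionError(f"user {self.user} role {self.role}: {entity}")
        # The real user stays in the audit trail even while checks are disabled.
        self.audit.append((self.user, entity, self.admin_mode))


@contextmanager
def admin_mode(ctx):
    """Disable checks for one block, then restore the previous flag value."""
    previous = ctx.admin_mode
    ctx.admin_mode = True
    try:
        yield ctx
    finally:
        ctx.admin_mode = previous


def login(user, default_roles):
    """Build a context from the user's default role, as a task using user "0" would."""
    return Context(user=user, role=default_roles[user])


def run_task(ctx, use_admin_mode):
    """Hypothetical build task: returns True if the write passed the check."""
    try:
        if use_admin_mode:
            with admin_mode(ctx):
                ctx.check_write("ad_module")
        else:
            ctx.check_write("ad_module")
        return True
    except PermissionError:
        return False
```
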