...

  • base_pkgsecurity_view will return a PreparedWhere following user’s given VIEW permissions

  • base_pkgsecurity_update will return a PreparedWhere following user’s given UPDATE permissions

Extend existing bases

It is possible to automatically extend some bases with the ones provided by the plugin:

  1. Set plugin parameter extend_bases to true

  2. Make sure extended_bases references the comma-separated list of bases you want the plugin to extend (base_list,base_search by default)

  3. Make sure extend_with references the comma-separated list of bases you want to use to extend the extended_bases list of bases (base_pkgsecurity_view by default)

By doing so, you will be instructing the plugin to extend base_list and base_search with base_pkgsecurity_view for each object.

Note

Caveats

This configuration will work well for all objects handled by the plugin in terms of security (all objects marked with a tag pkg/security/secugroup), BUT:

  • All roles are concerned, meaning that if you are providing access (in terms of security) by other means than the provided plugin macro for some roles, base_pkgsecurity_view will not reflect your specific security configuration.

  • If you need to add project-specific constraints in security rules, such constraints will not be included in the base.

  • Objects not handled by the security plugin will also be filtered, with a fully excluding clause.

To work around those issues, you can use extended_bases_config for finer-grained control: this parameter accepts either null (no config) or a JsonArray that overrides the base extension settings for a given object selector and role context.

Each entry of the JsonArray MUST be a JsonObject that accepts the following properties:

  • objectSelector: A selector for object(s) impacted by the item. If not provided or null, all objects are impacted

  • roles: A JsonArray of String referencing the roles that are impacted by this item. If null or not provided, all roles will be impacted

  • extendedBases: A JsonArray of String referencing the bases (contextnames) for which extension is changed. If null or not provided, the value from plugin parameter extended_bases is used.

  • extendWithBases: A JsonArray of String referencing the bases that should be added to extendedBases to extend them. If null or not provided, the value from plugin parameter extend_with is used.

During the resolution of a base, JsonObjects are processed in the given order. If a JsonObject matches the context (objectsSelector, roles from surfer, currentResolvedBase is part of extendedBases), then the bases used for extending the base are redefined to the value of extendWithBases.

Examples

Preventing bases for Developers to be extended

Given that

  1. extend_bases = true

  2. extended_bases = base_list,base_search

  3. extend_with = base_pkgsecurity_view

To deactivate the extension for all objects for role 4 (and therefore to be able to see any instance), you can define the config as:

[
  {
    "roles": [
      "4"
    ],
    "extendWithBases": []
  }
]

For role 4, extendWithBases is redefined to an empty list, so base_list and base_search are no longer extended with base_pkgsecurity_view.

Preventing some objects bases to be extended for some roles

This can be quite handy if you don’t want to allow some objects to be accessible to permissions management:

[
  {
    "objectsSelector": "user",
    "roles": [
      "27"
    ],
    "extendWithBases": []
  }
]
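
The resolution rules described above, modelled as an added example (not the plugin's own code) for auditing an extended_bases_config value: it lists every object, role and base combination where the security base is no longer applied. It assumes the selector is an exact object name, a surfer carries one role id, and the last matching entry wins; the object name article and role 12 are constructed.

```python
import json

# Plugin parameters from the page's "Given that" list.
PARAMS = {"extended_bases": ["base_list", "base_search"],
          "extend_with": ["base_pkgsecurity_view"]}

# Both page examples combined into one extended_bases_config value.
CONFIG = json.loads("""[
  {"roles": ["4"], "extendWithBases": []},
  {"objectsSelector": "user", "roles": ["27"], "extendWithBases": []}
]""")

def resolve_extend_with(config, params, object_name, role, base):
    """Return the bases that extend `base` for this object and role."""
    in_defaults = base in params["extended_bases"]
    result = list(params["extend_with"]) if in_defaults else []
    for entry in config or []:  # null config: plugin parameters only
        # Key spelled as in the page's JSON example (objectsSelector).
        selector = entry.get("objectsSelector")
        roles = entry.get("roles")
        bases = entry.get("extendedBases")
        if bases is None:
            bases = params["extended_bases"]
        if selector is not None and selector != object_name:
            continue  # assumption: selector is an exact object name
        if roles is not None and role not in roles:
            continue
        if base not in bases:
            continue
        extend = entry.get("extendWithBases")
        # Assumption: entries are applied in order, so the last match wins.
        result = list(params["extend_with"] if extend is None else extend)
    return result

def unfiltered_contexts(config, params, objects, roles):
    """List (object, role, base) where an extended base gets no security base."""
    return [(o, r, b) for o in objects for r in roles
            for b in params["extended_bases"]
            if not resolve_extend_with(config, params, o, r, b)]

if __name__ == "__main__":
    # "article" and role "12" are constructed sample values.
    for row in unfiltered_contexts(CONFIG, PARAMS, ["user", "article"], ["4", "27", "12"]):
        print("no security filter:", row)
```

Every row it reports is a context where instances are listed or searched without the VIEW permission clause, so each one should map to a deliberate decision.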

Use those bases programmatically

You can easily make use of those contexts to augment base_list, base_edit_list, base_search… in your project accordingly:

import com.noheto.extensions.interfaces.services.AbstractPreparedWhereBusinessService;
import com.noheto.preparedwhere.PreparedWhereService;
import wsnoheto.engine.*;

public class ProjectExtendedBaseList extends AbstractPreparedWhereBusinessService {
  @Override
  public PreparedWhere getPreparedWhere(String contextName, CTSurfer surfer, String objectName, IObjectStructureReadOnly struct, IObjectTableReadOnly table) throws PreparedWhereException {
    PreparedWhere pwProjectConstraints = PreparedWhere.load("");
    // ... your project specific constraint
  
    // retrieve a PreparedWhere compliant with surfer's permission
    // note that if user has no permission OR if the object
    // is not compliant with security, you will get 0=1 constraint
    PreparedWhere pwPackagedSecurity = PreparedWhereService.getInstance()
      .getPreparedWhere("base_pkgsecurity_view", surfer, objectName);
      
    return pwProjectConstraints.and(pwPackagedSecurity);
  }
}

Extending capabilities

Meta statuses definitions

...