webERP Forum
Out-of-the-Box Security - Needs Work? - Printable Version



Out-of-the-Box Security - Needs Work? - VortecCPI - 12-05-2017 12:32 AM

I just noticed the out-of-the-box security settings for Contract are associated with the Petty Cash Security Token. We are not using Contracts so I have not checked this and it was just a sort of curiosity question.

[attachment=591]

Same for Sales Graph and Select Contract:

[attachment=592]
[attachment=593]

Does this seem right and, if not, should it be changed in the trunk?


RE: Out-of-the-Box Security - Contract - phil - 12-05-2017 05:11 AM

Good point Paul - agree probably needs its own


RE: Out-of-the-Box Security - Contract - VortecCPI - 12-05-2017 05:14 AM

Thanks Phil - Just wanted to be sure I understood what I was seeing.
A few other observations:

[attachment=594]

[attachment=595]

[attachment=596]


Perhaps somebody with much more webERP knowledge than I possess at this point can go through the ACL quickly as a sanity check? It almost seems as if a PKey-FKey relationship has gone sideways.... Checking older versions...


RE: Out-of-the-Box Security - Contract - VortecCPI - 12-05-2017 07:01 AM

I added script.description to the TD title attribute to better see what is going on in PageSecurity.php:

// Show script.description as the cell's title; escaped because it lands inside an attribute.
echo '<td title="' . htmlspecialchars($myrow['description']) . '">' . $myrow['script'] . '</td>';

[attachment=597]


RE: Out-of-the-Box Security - Contract - falkoner - 12-05-2017 08:49 AM

Although the defaults should be better I would always recommend in any implementation that a lot of time is given over to full planning of the security profile. It is very flexible and gives fine grain control over who can do what, but only if it is properly planned.

In my experience every organisation is different and requires a different security profile.

Tim


RE: Out-of-the-Box Security - Contract - VortecCPI - 12-05-2017 09:19 AM

(12-05-2017 08:49 AM)falkoner Wrote:  Although the defaults should be better I would always recommend in any implementation that a lot of time is given over to full planning of the security profile. It is very flexible and gives fine grain control over who can do what, but only if it is properly planned.

In my experience every organisation is different and requires a different security profile.

Tim

Tim,

I do not, and cannot, disagree with the end user working out the final ACL on his or her own. However... I have never worked with an application, OS or not, that did not come with suitable out-of-the-box ACL setup/settings. If the webERP ACL is incomplete or has errors it should be either repaired or removed. Since the demo data is very useful for what-if scenarios and training I believe it should be repaired. Of course that is just my opinion!
The FrontAccounting fork has an interesting take on a more simplified ACL, at least from the user's perspective.
I made a spreadsheet of a join of PageSecurity and Tokens and the more I look at it the more I believe something got shifted around at some point. There are many entries that are very obviously mismatched.


RE: Out-of-the-Box Security - Contract - falkoner - 12-05-2017 07:20 PM

Hi Paul, I don't disagree that we need the defaults sorting out. I think many if not most of these errors you are finding are old and have just been carried forward.

The page security settings used to be hard-coded into each script, and were only moved into the database much later on. Taking one of the scripts you have found, Z_CreateChartDetails.php, it can be seen here (https://sourceforge.net/p/web-erp/code/39/tree/trunk/Z_CreateChartDetails.php) that it was given a security token of 9 right back in May 2004. It is probable that back then token 9 had a completely different meaning than it now does - indeed the meaning of any of the tokens can be changed. Then here (https://sourceforge.net/p/web-erp/code/4454/#diff-17) that security token gets carried over into the database table.

What is required is somebody to go through the entire table and put in sane tokens for each script. Maybe your spreadsheet is a good starting point for this exercise?

Tim
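One way to do the join-and-flag pass that the spreadsheet above does by hand, as an added example in Python that is not webERP code: it reports scripts whose token id has no matching token (the PKey-FKey concern earlier in the thread), tokens no script uses, and scripts whose name suggests an area the assigned token name does not mention. The two-table layout (script, token id, description; token id, token name), every row, and the keyword list are constructed assumptions for illustration.

```python
# Added example (not webERP code): audit a script->token mapping against the
# token list. Table layout and all rows are constructed samples.
from collections import defaultdict

# Constructed sample of the page-security table: script, token id, description.
SCRIPTS = [
    ("Contracts.php", 9, "Create or edit a contract"),
    ("SelectContract.php", 9, "Select a contract"),
    ("SalesGraph.php", 9, "Sales graph"),
    ("PcExpenses.php", 9, "Petty cash expenses"),
    ("Z_CreateChartDetails.php", 9, "Create chart details"),
    ("GLAccounts.php", 42, "Maintain GL accounts"),
]

# Constructed sample of the token table: token id -> token name.
TOKENS = {
    9: "Petty Cash",
    10: "Contracts",
    11: "Sales reports",
    15: "System administration",
}

# Keyword a script name may carry -> word expected in its token name (assumed).
AREA_WORDS = {"contract": "contract", "sales": "sales", "z_": "admin"}


def audit(scripts, tokens):
    """Return findings: dangling token ids, unused tokens, suspect mappings."""
    by_token = defaultdict(list)
    for script, tok, _desc in scripts:
        by_token[tok].append(script)
    # Scripts pointing at a token id that does not exist: a broken FK.
    dangling = sorted(s for s, t, _ in scripts if t not in tokens)
    # Tokens that no script references at all.
    unused = sorted(t for t in tokens if t not in by_token)
    # Heuristic only: name says one area, token name says another.
    suspect = []
    for script, tok, _desc in scripts:
        name = tokens.get(tok, "").lower()
        for key, expect in AREA_WORDS.items():
            if key in script.lower() and expect not in name:
                suspect.append((script, tok, tokens.get(tok)))
                break
    return {"dangling": dangling, "unused": unused, "suspect": suspect}


if __name__ == "__main__":
    for kind, rows in audit(SCRIPTS, TOKENS).items():
        print(kind, rows)
```

The suspect list is a review queue, not a verdict; the dangling and unused lists are the hard errors worth fixing first.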


RE: Out-of-the-Box Security - Contract - VortecCPI - 12-05-2017 09:39 PM

If I was intimately familiar with webERP I would do it without hesitation. However, I am NOT so I am not the person to be doing such a thing. I feel I would just make it worse because I would have to make many assumptions and that is not what we (or our users) need.

When I developed the ACL for the last ECi M1 implementation it took many days to unravel and document the entire system and we ended up with a more-complete schema definition and understanding than ECi had. In fact, we uncovered many errors in their ACL and related documentation during the process.

It would seem to me one of our expert contributors could go through this in a very small amount of time and get it to 99%-100% the first time around.

I will share my spreadsheet... Cells highlighted red are in question but I gave up after I kept finding more and more so it is incomplete...

[attachment=598]


RE: Out-of-the-Box Security - Contract - falkoner - 12-05-2017 09:44 PM

Sharing your spreadsheet so someone could go through it was what I meant Smile


RE: Out-of-the-Box Security - Contract - VortecCPI - 12-05-2017 09:50 PM

(12-05-2017 09:44 PM)falkoner Wrote:  Sharing your spreadsheet so someone could go through it was what I meant Smile

Done... See post above...

Any help is greatly appreciated!