Thursday, 2 May 2013

KwaMoja/webERP security

This question came up recently on the webERP forum:

I'm new to webERP and naturally have some questions. I've created a role called "Inventory" in Access Permission Maintenance, then a user for this role and limited access to just "Display Inventory" module in User Maintenance. But I'd like to further limit access so my inventory user can NOT see pages in this range:

• Inventory Valuation Report
...
• List Negative Stocks
• Stock Transfer Note[/align]

The webERP Manual is vague on this. Is there a doc I can read to find out can I restrict a user, for example, to just Inventory.Maintenance.View or Update Prices Based On Costs?


Unfortunately the advice the poster was given was complex and not really correct, and the administrator of the forum has blocked me from helping people there. However, there is a much simpler answer which doesn't involve setting up phantom security tokens, and other complexities. This is to go to each of the reports they want removed in the "Page Security Settings" option in the setup module, and from there just give it a security token of a higher level than the inventory user. For instance set it to "General Ledger Reports/Inquiries" which makes more sense for something like an Inventory Valuation report. Then the report will be gone from the users screen the next time they log in. It's as simple as that!

However that led me to thinking that a lot of people (including it seems the current webERP project developer) who don't really understand the security system within KwaMoja/webERP so I thought it might be good to explain how it works.

Every user has a security role. These roles are meant to mirror their real life roles. So for instance we may have a role of an inventory clerk, and a role of an accountant. There can be any number of inventory clerks, and any number of accountants, all having the same role. As many roles as are wanted can be created.

Each role is given a number of security tokens. Each of these tokens permits the user with that role to perform different functions. There are a number of predefined tokens:


0 Main Index Page

1 Order Entry/Inquiries customer access only

2 Basic Reports and Inquiries with selection options

3 Credit notes and AR management

4 Purchasing data/PO Entry/Reorder Levels

5 Accounts Payable

6 Petty Cash

7 Bank Reconciliations

8 General ledger reports/inquiries

9 Supplier centre - Supplier access only

10 General Ledger Maintenance, stock valuation & Configuration

11 Inventory Management and Pricing

15
User Management and System Administration

When a user tries to access a function, the security token for that functionality is looked up in a database table called scripts and it is then compared with the array of security tokens that is owned by the role allotted to that user. If the token is in that array, the functionality can be accessed, if not, then access is denied.

This lookup is also performed when displaying the menus, and if the security token is not there, the menu option will not be displayed.

This system is simple elegant and flexible. It can be made as simple or as complex as an organisation requires. For instance a one person business only needs one security token, and one role, whereas a large business with hundreds of employees will have a very complex structure.

I hope this helps provide some insight into how the system works.

Thursday, 25 April 2013

Phil Daintree's shameless lies - Part 6

This page is written in response to the lies that +Phil Daintree  has written about me, and spread on the internet. Despite years of searching he has been unable to find anything I have written that is untrue, and he has had to resort to vague generalities, faked emails, and badly fabricated screenshots (you can see the joins if you zoom in using any bit mapped image editor). +Phil Daintree is welcome to make any comments to these pages, as he has done in the past. If I agree with what he says I will amend my writings, if I do not agree I have allowed his comments to stand next to mine so that people can make their own judgements. I have every confidence in the intelligence of readers to make a sensible judgement based on the facts. +Phil Daintree will not allow me the right of reply to any of the lies he has told about me. It seems to me significant that he realises that if people see both sides of the argument they will see through his lies.

Well it seems our hopes for a resolution to this were premature. No sooner have the lawyers of one hosting company forced Phil Daintree to remove his lies about me, he moves to another. The lawyers of that hosting company force him out and he moves to another. With the help of those lawyers we are seeking a world wide blacklisting for him to stop him owning any domains, and remove any he currently owns from his control.

Funny that he will never discuss these points. He has the chance on here - I have publicly committed to non interference with his comments, and will happily submit to third party checking of that claim. He doesn't allow me the right to comment on his page though. I am sure readers will form their own opinions about why he is so scared to resolve these issues by discussion.

Most of his page consists of a post I have allegedly made. I have searched via Bing, Google, and Yahoo, and have failed to find this post anywhere, except on pages posted by Phil Daintree. Funny this.... I am sure readers will form their own opinions about why he is so afraid to resolve these issues by normal discussion.

Lastly on the subject in my previous post on the subject of copyright. Phil Daintree for some reason thinks that it is important that under his instructions when I had just joined the project that I had put the copyright notice on to webERP. I then took legal advice discovered it was wrong and after consultation with Phil Daintree I removed the earlier bug I had done. Can someone tell me why this supports his case to own the copyright of my work?

The bible tells us:
Thou shalt not bear false witness against thy neighbour.

Phil would do well to remember this teaching

Saturday, 20 April 2013

Now can we all move on?

This page is written in response to the lies that +Phil Daintree has written about me, and spread on the internet. Despite years of searching he has been unable to find anything I have written that is untrue, and he has had to resort to vague generalities, faked emails, and badly fabricated screenshots (you can see the joins if you zoom in using any bit mapped image editor). +Phil Daintree  is welcome to make any comments to these pages, as he has done in the past. If I agree with what he says I will amend my writings, if I do not agree I have allowed his comments to stand next to mine so that people can make their own judgements. I have every confidence in the intelligence of readers to make a sensible judgement based on the facts. +Phil Daintree will not allow me the right of reply to any of the lies he has told about me. It seems to me significant that he realises that if people see both sides of the argument they will see through his lies.


Phil Daintree has now been forced to take down his "untrue, offensive, slanderous, harassing" web page about me. Let us hope that he can now move on with what he is good at, that is developing webERP code. This can only be good for his state of mind.

I agree with Mu, that as an act of atonement for all the lies and misinformation he has spread about me and others, the decent thing to do would be to redirect traffic from kwamoja.org to the project site at kwamoja.com.

To take another projects web site in pursuit of a nasty personal vendetta, offends all the notions of etiquette in open source. Open source is about all working together.

Saturday, 13 April 2013

Phil Daintree's shameless lies - Part 5

This page is written in response to the lies that +Phil Daintree has written about me, and spread on the internet. Despite years of searching he has been unable to find anything I have written that is untrue, and he has had to resort to vague generalities, faked emails, and badly fabricated screenshots (you can see the joins if you zoom in using any bit mapped image editor). +Phil Daintree is welcome to make any comments to these pages, as he has done in the past. If I agree with what he says I will amend my writings, if I do not agree I have allowed his comments to stand next to mine so that people can make their own judgements. I have every confidence in the intelligence of readers to make a sensible judgement based on the facts. +Phil Daintree will not allow me the right of reply to any of the lies he has told about me. It seems to me significant that he realises that if people see both sides of the argument they will see through his lies.


Phil's claim to own the copyright of all the webERP code.

The Berne convention asserts that the copyright is owned by the author of a work unless they have explicitly handed over that ownership to a second party. It further states that no copyright message is needed to assert this right, and that proof of authorship is sufficient. Some free software projects (most notably the GNU project) ask that the copyright on all contributions be physically signed over to them. This has never been done with webERP and given that as he himself has said he has fallen out with most contributors it is unlikely that he would retrospectively given this permission.

In September 2012 Phil Daintree unilaterally took the decision to alter the footer on webERP to state that the copyright to all the code was owned by weberp.org, a domain name owned by himself. This was, in the words of Fred Schuettler (a contributor to webERP) an adolescent attempt by Phil Daintree to goad me into an argument on the subject.

However it is important to those of us who have contribute significantly to webERP (my contribution can be found by following the link Phil Daintree suggests in this email). Phil has suggested in the past that he wished to change the license to the Apache license, which would mean that anybody could take my code and turn it into a commercial closed source application. I am certainly not alone in the world of Free software by being opposed to my code being licensed in this way as a simple Google search will show you. Phil Daintree says he will swear in court to the fact that "Tim is violently opposed to this for his own reasons". This implies that:

1 - I have been violent on the subject. Even in writing I have merely stated that I don't like permissive licenses. Can Phil Daintree produce any example of violence, or would this be perjury if he swore to it in court?
2 - That my reasons are somehow devious. Is he stating that the libreoffice developers antipathy to the apache license devious?

When I queried why Phil Daintree had decided to make this change without speaking to any of the other contributors, he initially claimed that he was not the owner of weberp.org and that weberp.org was owned and controlled by all the contributors. However while trying to get the launchpad site set up by Zhiguo Yuan removed he asserts that "I am the owner of the weberp domain.". Also a simple whois search shows that Phil Daintree is the owner of weberp.org. If the contributors have any control of weberp.org then how come Phil Daintree has asserted that only content that he agrees with will be included? How come only he gets to decide who can help people on the forum? Come on Phil get real!

I then pointed out that weberp.org did not exist as a legal entity and so could not own the copyright. Phil countered here by saying that "weberp.org did exist as a legal entity by vitue of the statement ol intent". However his recent statement on this issue says "To even suggest that a domain name could actually own anything is foolishness in any event". Who is the fool Phil? It appears that he has done a 180 degree turn on this and still ended up pointing the same way!!

In English law there is a concept (and most countries have a similar concept in their law) called the man on the Clapham omnibus. This basically asks what the ordinary reasonable person approaching an issue would think. I assert that any reasonable person on viewing webERP would believe that the copyright is owned by weberp.org, and on looking up that domain name would believe it was owned by Phil Daintree, and thus the copyright was owned by Phil Daintree.

Phil Daintree now asserts that when he is saying that weberp.org owns the copyright then "any idiot" would see that he meant that the copyright was owned by the contributors. Obviously I am not an idiot then!! If this is what Phil Daintree means then why the subterfuge? Why not just say that? All I have ever asked him to do is to clarify his motives for making that change at that point in time.

Phil Daintree likes to pretend that the only person who is upset by his claims to own the copyright of all the code. Not so. This has been an going issue with other developers since that start of the project.

So I say, "Come on Phil tell us the reason you made this change".

+Phil Daintree
that he creates a COPYRIGHT.txt file in webERP he clearly lays out that the copyright of the contributions belongs to the author of those contributions, which if he wants he can then link to from the footer of every page. +Phil Daintree refuses to even consider this. People can decide for themselves why he will not make a clear and unequivocal statement like this>

Sunday, 7 April 2013

Who does he think he is punishing?

This page is written in response to the lies that +Phil Daintree has written about me, and spread on the internet. Despite years of searching he has been unable to find anything I have written that is untrue, and he has had to resort to vague generalities, faked emails, and badly fabricated screenshots (you can see the joins if you zoom in using any bit mapped image editor). +Phil Daintree is welcome to make any comments to these pages, as he has done in the past. If I agree with what he says I will amend my writings, if I do not agree I have allowed his comments to stand next to mine so that people can make their own judgements. I have every confidence in the intelligence of readers to make a sensible judgement based on the facts. +Phil Daintree will not allow me the right of reply to any of the lies he has told about me. It seems to me significant that he realises that if people see both sides of the argument they will see through his lies.


+Phil Daintree  has announced that ...as punishment for exposing his lies in this blog he has withdrawn my svn access and he will no longer accept code from me and he says that as further punishment my forum account is terminated to try to force me to stop helping people on the forums...
So I can no longer spend my time helping users on the forums and users can no longer use my code.
Who is this punishing Phil?
There is already a bug reported here that I have fixed and sent to Phil but +Phil Daintree  is refusing to apply this fix, so users of webERP have to put up with this bug.
As has happened frequently throughout history, it's not the lies that have been Phil Daintree's undoing, but the the attempts at covering them up.

Programming the KwaMoja API - Error codes

In the last couple of parts of this tutorial which can be found here

API Client Part 1 and API Client Part 2

we produced a simple client application where a user selected a location, typed in a part code and the application fetched the info about how much stock was available from that location from our KwaMoja implementation.

This code can be fetched from here:

http://www.kwamoja.com/documentation/xml-rpc_tutorial.zip


However we did not touch on what would happen if something goes wrong. Load up the application, and you should see a screen similar to this one:


Now load index.php into our editor and change the password on line 38 from 'kwamoja' to 'wrong'. Now if we reload index.php we get this screen.

As you can see it cannot fetch any locations as the authentication does not work on this kwamoja instance. However it provides us with no information about why this has happened. If you recall from the tutorials regarding the writing of the client, the XML-RPC call returns an array containing two elements, the first - $Response[0] in our client - contains an integer code, and the second the result of the inquiry, if one is expected. If the integer code is zero, this indicates success. Any other code indicates an error. These error code can be found listed here.  As you can see error code 1 indicates 'NoAuthorisation' which will be the error returned if the user name or password is incorrect.

To catch the errors we create a session variable (not the best way I know, but convenient for this tutorial) to hold any error messages that happen, so that we can show the to the user. So the initialisation code at the top of index.php becomes:

<?php
    include 'xmlrpc/lib/xmlrpc.inc';
    $xmlrpc_internalencoding='UTF-8';
    include 'xmlrpc/lib/xmlrpcs.inc';
    $_SESSION['Errors'] = array();
?>


and then at the bottom of the output we have a loop to output these errors:

foreach ($_SESSION['Errors'] as $Error) {
    echo $Error;
}


Now we just need to capture that error. We need to put this code at the bottom of the GetLocations() function so that it now reads:

if ($ReturnValue[0] == 0) {
    return $ReturnValue[1];
} elseif ($ReturnValue[0] == 1) {
    $_SESSION['Errors'][] = 'Incorrect login/password credentials used';
}


Now run the index.php script again in your browser and you should get out put similar to this:

We just need to put this code at the bottom of our other functions, and then they will all be able to catch this error.

Now if we put the proper password back in index.php should work as before.

Now try entering a stock code that you know doesn't exist and see what happens. I entered a part code called 'wrong' and this is what I see.

This is not very helpful output so we need catch this error. A quick look here shows that error code 1047 is 'StockCodeDoesntExist' and this should be returned if the code we entered is wrong. So we need to capture error 1047 in the GetStockQuantity() function. The code at the end of this function now becomes:

} elseif ($ReturnValue[0] == 1) {
    $_SESSION['Errors'][] = 'Incorrect login/password credentials used';
} elseif ($ReturnValue[0] == 1047) {
    $_SESSION['Errors'][] = 'The stock code you entered does not exist';
}


So now the function is checking that the user/password is correct and also checking that the stock code is correct and providing useful feedback in the case of any problems. We could go on and check for other errors but this should be enough for now.

I have uploaded the new tutorial files to here.

Next time I will have a look at debugging the application when an error we haven't caught occurs.

Thursday, 4 April 2013

An open letter to Phil Daintree of webERP

This page is written in response to the lies that +Phil Daintree has written about me, and spread on the internet. Despite years of searching he has been unable to find anything I have written that is untrue, and he has had to resort to vague generalities, faked emails, and badly fabricated screenshots (you can see the joins if you zoom in using any bit mapped image editor). +Phil Daintree is welcome to make any comments to these pages, as he has done in the past. If I agree with what he says I will amend my writings, if I do not agree I have allowed his comments to stand next to mine so that people can make their own judgements. I have every confidence in the intelligence of readers to make a sensible judgement based on the facts. +Phil Daintree will not allow me the right of reply to any of the lies he has told about me. It seems to me significant that he realises that if people see both sides of the argument they will see through his lies.

As with anything I publish, anybody (except the viagara  salesmen) can comment on my blog. I make a public commitment that I will not attempt to forge or censor any posts, as goes on in all the communication channels on webERP. If +Phil Daintree wishes to dispute anything in this blog he is free to do so. If I am wrong I will alter my post. I trust in the common sense and intelligence of people to read the facts and to make up their own minds.

Phil Daintree was forced into issuing a public apology for his lies regarding me on the webERP developers list. I tried to post a reply to the mailing list but as always happens to my posts it was immediately rejected. I believe it makes some valid points so I publish it in full here:

Phil,
Thanks for the apology, which I accept in the spirit that it was sent.

I do think you are wrong on one matter though. You say "It is a sad
reflection of the state of our relationship that I automatically assume the worst". I would rather say that "It is a sad reflection on
your perception of the state of our relationship that you
automatically assume the worst". You see every action of mine (and
anyone who has disagreed with something you have said) through a prism
of hatred that means you only want to assume that the action was in
some way aimed to get at you. It is not. There is no conspiracy to get
at you. No conspiracy to make your life hard. In all the cases where
you have read this into someone's actions there is a much simpler
explanation than that, as was the case here.

All I want is to be able to develop software in a community where
anything can be discussed without fear of threats or abuse if I say
something you don't agree with. I just want to develop software in a
community where the ownership rights of contributors are honoured. I
want to develop software in a community where all contributors are
treated with respect, not where they will be publicly belittled for
weeks when you don't like their contributions. A community where if
their contributions need improving, then they are politely helped to
improve so that they can get better.

You seem to have made it clear that this is not the sort of community
you want, and there is nothing I can do about that. You control all
the means of communication in the community and you have shown that
you are determined to use that control to eliminate any dissent. That
is why I also contribute to other projects, where the community is
more like the one I talked about above.

When I feel that the work is not going to be controversial I also
include it in webERP, and all other work is immediately available for
you to decide for yourself.

You have said before that your banning me means you no longer have to
defend your decisions. I think this is wrong. I think as the leader of
the community you have an obligation to defend your decisions if
members of the community ask for reasons.

In conclusion Phil, there are no plots or counter plots. There never
were. The state of our relationship is only within you, and you are
the only one who can break that cycle.


Thanks
Tim