Thursday 2 May 2013

KwaMoja/webERP security

This question came up recently on the webERP forum:

I'm new to webERP and naturally have some questions. I've created a role called "Inventory" in Access Permission Maintenance, then a user for this role and limited access to just "Display Inventory" module in User Maintenance. But I'd like to further limit access so my inventory user can NOT see pages in this range:

• Inventory Valuation Report
...
• List Negative Stocks
• Stock Transfer Note

The webERP Manual is vague on this. Is there a doc I can read to find out whether I can restrict a user, for example, to just Inventory.Maintenance.View or Update Prices Based On Costs?


Unfortunately the advice the poster was given was complex and not really correct, and the administrator of the forum has blocked me from helping people there. However, there is a much simpler answer which doesn't involve setting up phantom security tokens or other complexities. Go to each of the reports you want removed in the "Page Security Settings" option in the setup module, and from there just give it a security token of a higher level than the inventory user has. For instance, set it to "General Ledger Reports/Inquiries", which makes more sense for something like an Inventory Valuation report anyway. The report will then be gone from the user's menu the next time they log in. It's as simple as that!

However, that led me to thinking that a lot of people (including, it seems, the current webERP project developer) don't really understand the security system within KwaMoja/webERP, so I thought it might be good to explain how it works.

Every user has a security role. These roles are meant to mirror their real life roles. So for instance we may have a role of an inventory clerk, and a role of an accountant. There can be any number of inventory clerks, and any number of accountants, all having the same role. As many roles as are wanted can be created.

Each role is given a number of security tokens. Each of these tokens permits the user with that role to perform different functions. There are a number of predefined tokens:

0 Main Index Page
1 Order Entry/Inquiries customer access only
2 Basic Reports and Inquiries with selection options
3 Credit notes and AR management
4 Purchasing data/PO Entry/Reorder Levels
5 Accounts Payable
6 Petty Cash
7 Bank Reconciliations
8 General ledger reports/inquiries
9 Supplier centre - Supplier access only
10 General Ledger Maintenance, stock valuation & Configuration
11 Inventory Management and Pricing
15 User Management and System Administration

When a user tries to access a function, the security token for that functionality is looked up in a database table called scripts, and it is then compared with the array of security tokens owned by the role allotted to that user. If the token is in that array the functionality can be accessed; if not, access is denied.

This lookup is also performed when displaying the menus, and if the security token is not there, the menu option will not be displayed.

This system is simple, elegant and flexible. It can be made as simple or as complex as an organisation requires. For instance, a one person business only needs one security token and one role, whereas a large business with hundreds of employees will have a very complex structure.
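To make the lookup concrete, here is a small model of it in Python. This is an added example, not KwaMoja/webERP code: the scripts table, the role token arrays and the script file names are constructed sample data, and the token numbers are taken from the list above. It also walks through the "Page Security Settings" fix from the forum answer, moving the valuation report from token 11 to token 8.

```python
from typing import Dict, List

# Constructed stand-in for the `scripts` table: script name -> required token.
# 8 = General ledger reports/inquiries, 11 = Inventory Management and Pricing.
# The .php file names are assumptions for this example, not webERP's real ones.
SCRIPTS: Dict[str, int] = {
    "index.php": 0,
    "DisplayInventory.php": 11,      # the "Display Inventory" page
    "InventoryValuation.php": 11,    # Inventory Valuation Report
    "StockTransfer.php": 11,         # Stock Transfer Note
    "GLTrialBalance.php": 8,         # a general ledger report
}

# Constructed roles: role name -> the array of security tokens the role owns.
ROLES: Dict[str, List[int]] = {
    "Inventory clerk": [0, 11],
    "Accountant": [0, 2, 3, 5, 8, 10, 11],
}


def can_access(role: str, script: str) -> bool:
    """Return True if the script's token is in the role's token array.

    This is the single check the post describes: look the script up in the
    scripts table, then test membership in the role's array. An unknown
    script or unknown role is denied (fail closed) rather than allowed.
    """
    token = SCRIPTS.get(script)
    if token is None:
        return False
    return token in ROLES.get(role, [])


def visible_menu(role: str) -> List[str]:
    """The same check applied when drawing the menu: hidden if not accessible.

    Using one function for both the menu and the page itself matters: a
    user who types a URL directly still hits can_access() on the page.
    """
    return sorted(s for s in SCRIPTS if can_access(role, s))


def set_page_security(script: str, token: int) -> None:
    """The 'Page Security Settings' change: re-point one script at another
    token. No role is edited and no extra token has to be invented."""
    SCRIPTS[script] = token


if __name__ == "__main__":
    print("before:", visible_menu("Inventory clerk"))
    # Give the valuation report the GL reports token, as the post suggests.
    set_page_security("InventoryValuation.php", 8)
    print("after: ", visible_menu("Inventory clerk"))
    print("accountant still has it:",
          can_access("Accountant", "InventoryValuation.php"))
```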

I hope this helps provide some insight into how the system works.

Thursday 25 April 2013

Phil Daintree's shameless lies - Part 6

This page is written in response to the lies that +Phil Daintree  has written about me, and spread on the internet. Despite years of searching he has been unable to find anything I have written that is untrue, and he has had to resort to vague generalities, faked emails, and badly fabricated screenshots (you can see the joins if you zoom in using any bit mapped image editor). +Phil Daintree is welcome to make any comments to these pages, as he has done in the past. If I agree with what he says I will amend my writings, if I do not agree I have allowed his comments to stand next to mine so that people can make their own judgements. I have every confidence in the intelligence of readers to make a sensible judgement based on the facts. +Phil Daintree will not allow me the right of reply to any of the lies he has told about me. It seems to me significant that he realises that if people see both sides of the argument they will see through his lies.

Well it seems our hopes for a resolution to this were premature. No sooner have the lawyers of one hosting company forced Phil Daintree to remove his lies about me, he moves to another. The lawyers of that hosting company force him out and he moves to another. With the help of those lawyers we are seeking a world wide blacklisting for him to stop him owning any domains, and remove any he currently owns from his control.

Funny that he will never discuss these points. He has the chance on here - I have publicly committed to non interference with his comments, and will happily submit to third party checking of that claim. He doesn't allow me the right to comment on his page though. I am sure readers will form their own opinions about why he is so scared to resolve these issues by discussion.

Most of his page consists of a post I have allegedly made. I have searched via Bing, Google, and Yahoo, and have failed to find this post anywhere, except on pages posted by Phil Daintree. Funny this.... I am sure readers will form their own opinions about why he is so afraid to resolve these issues by normal discussion.

Lastly, on the subject of copyright from my previous post. Phil Daintree for some reason thinks it is important that, under his instructions when I had just joined the project, I had put the copyright notice on to webERP. I then took legal advice, discovered it was wrong and, after consultation with Phil Daintree, I removed the earlier bug I had done. Can someone tell me why this supports his case to own the copyright of my work?

The bible tells us:
Thou shalt not bear false witness against thy neighbour.

Phil would do well to remember this teaching.

Saturday 20 April 2013

Now can we all move on?



Phil Daintree has now been forced to take down his "untrue, offensive, slanderous, harassing" web page about me. Let us hope that he can now move on with what he is good at, that is developing webERP code. This can only be good for his state of mind.

I agree with Mu, that as an act of atonement for all the lies and misinformation he has spread about me and others, the decent thing to do would be to redirect traffic from kwamoja.org to the project site at kwamoja.com.

To take another projects web site in pursuit of a nasty personal vendetta, offends all the notions of etiquette in open source. Open source is about all working together.

Saturday 13 April 2013

Phil Daintree's shameless lies - Part 5



Phil's claim to own the copyright of all the webERP code.

The Berne convention asserts that the copyright is owned by the author of a work unless they have explicitly handed over that ownership to a second party. It further states that no copyright message is needed to assert this right, and that proof of authorship is sufficient. Some free software projects (most notably the GNU project) ask that the copyright on all contributions be physically signed over to them. This has never been done with webERP, and given that, as he himself has said, he has fallen out with most contributors, it is unlikely that he would retrospectively be given this permission.

In September 2012 Phil Daintree unilaterally took the decision to alter the footer on webERP to state that the copyright to all the code was owned by weberp.org, a domain name owned by himself. This was, in the words of Fred Schuettler (a contributor to webERP) an adolescent attempt by Phil Daintree to goad me into an argument on the subject.

However it is important to those of us who have contributed significantly to webERP (my contribution can be found by following the link Phil Daintree suggests in this email). Phil has suggested in the past that he wished to change the license to the Apache license, which would mean that anybody could take my code and turn it into a commercial closed source application. I am certainly not alone in the world of Free software in being opposed to my code being licensed in this way, as a simple Google search will show you. Phil Daintree says he will swear in court to the fact that "Tim is violently opposed to this for his own reasons". This implies that:

1 - I have been violent on the subject. Even in writing I have merely stated that I don't like permissive licenses. Can Phil Daintree produce any example of violence, or would this be perjury if he swore to it in court?
2 - That my reasons are somehow devious. Is he stating that the LibreOffice developers' antipathy to the Apache license is devious?

When I queried why Phil Daintree had decided to make this change without speaking to any of the other contributors, he initially claimed that he was not the owner of weberp.org and that weberp.org was owned and controlled by all the contributors. However while trying to get the launchpad site set up by Zhiguo Yuan removed he asserts that "I am the owner of the weberp domain.". Also a simple whois search shows that Phil Daintree is the owner of weberp.org. If the contributors have any control of weberp.org then how come Phil Daintree has asserted that only content that he agrees with will be included? How come only he gets to decide who can help people on the forum? Come on Phil get real!

I then pointed out that weberp.org did not exist as a legal entity and so could not own the copyright. Phil countered here by saying that "weberp.org did exist as a legal entity by virtue of the statement of intent". However his recent statement on this issue says "To even suggest that a domain name could actually own anything is foolishness in any event". Who is the fool Phil? It appears that he has done a 180 degree turn on this and still ended up pointing the same way!!

In English law there is a concept (and most countries have a similar concept in their law) called the man on the Clapham omnibus. This basically asks what the ordinary reasonable person approaching an issue would think. I assert that any reasonable person on viewing webERP would believe that the copyright is owned by weberp.org, and on looking up that domain name would believe it was owned by Phil Daintree, and thus the copyright was owned by Phil Daintree.

Phil Daintree now asserts that when he is saying that weberp.org owns the copyright then "any idiot" would see that he meant that the copyright was owned by the contributors. Obviously I am not an idiot then!! If this is what Phil Daintree means then why the subterfuge? Why not just say that? All I have ever asked him to do is to clarify his motives for making that change at that point in time.

Phil Daintree likes to pretend that I am the only person who is upset by his claims to own the copyright of all the code. Not so. This has been an ongoing issue with other developers since the start of the project.

So I say, "Come on Phil tell us the reason you made this change".

+Phil Daintree that he creates a COPYRIGHT.txt file in webERP in which he clearly lays out that the copyright of the contributions belongs to the author of those contributions, which if he wants he can then link to from the footer of every page. +Phil Daintree refuses to even consider this. People can decide for themselves why he will not make a clear and unequivocal statement like this.

Sunday 7 April 2013

Who does he think he is punishing?



+Phil Daintree  has announced that ...as punishment for exposing his lies in this blog he has withdrawn my svn access and he will no longer accept code from me and he says that as further punishment my forum account is terminated to try to force me to stop helping people on the forums...
So I can no longer spend my time helping users on the forums and users can no longer use my code.
Who is this punishing Phil?
There is already a bug reported here that I have fixed and sent to Phil but +Phil Daintree  is refusing to apply this fix, so users of webERP have to put up with this bug.
As has happened frequently throughout history, it's not the lies that have been Phil Daintree's undoing, but the attempts at covering them up.

Programming the KwaMoja API - Error codes

In the last couple of parts of this tutorial which can be found here

API Client Part 1 and API Client Part 2

we produced a simple client application where a user selected a location, typed in a part code and the application fetched the info about how much stock was available from that location from our KwaMoja implementation.

This code can be fetched from here:

http://www.kwamoja.com/documentation/xml-rpc_tutorial.zip


However we did not touch on what would happen if something goes wrong. Load up the application, and you should see a screen similar to this one:


Now load index.php into your editor and change the password on line 38 from 'kwamoja' to 'wrong'. If we now reload index.php we get this screen.

As you can see it cannot fetch any locations, as the authentication does not work on this KwaMoja instance. However it provides us with no information about why this has happened. If you recall from the tutorials on writing the client, the XML-RPC call returns an array containing two elements: the first, $Response[0] in our client, contains an integer code, and the second the result of the inquiry, if one is expected. If the integer code is zero, this indicates success. Any other code indicates an error. These error codes can be found listed here. As you can see, error code 1 indicates 'NoAuthorisation', which is the error returned if the user name or password is incorrect.

To catch the errors we create a session variable (not the best way I know, but convenient for this tutorial) to hold any error messages that occur, so that we can show them to the user. So the initialisation code at the top of index.php becomes:

<?php
    // The session must be started before $_SESSION is used
    session_start();
    include 'xmlrpc/lib/xmlrpc.inc';
    $xmlrpc_internalencoding='UTF-8';
    include 'xmlrpc/lib/xmlrpcs.inc';
    // Reset the list of errors on every request so old messages are not repeated
    $_SESSION['Errors'] = array();
?>


and then at the bottom of the output we have a loop to output these errors:

// Show every error message collected during this request
foreach ($_SESSION['Errors'] as $Error) {
    echo $Error;
}


Now we just need to capture that error. We need to put this code at the bottom of the GetLocations() function so that it now reads:

// $ReturnValue is the two-element array returned by the XML-RPC call
if ($ReturnValue[0] == 0) {
    // Success: the second element holds the list of locations
    return $ReturnValue[1];
} elseif ($ReturnValue[0] == 1) {
    // NoAuthorisation: wrong user name or password
    $_SESSION['Errors'][] = 'Incorrect login/password credentials used';
}


Now run the index.php script again in your browser and you should get output similar to this:

We just need to put this code at the bottom of our other functions, and then they will all be able to catch this error.

Now if we put the proper password back in, index.php should work as before.

Now try entering a stock code that you know doesn't exist and see what happens. I entered a part code called 'wrong' and this is what I see.

This is not very helpful output, so we need to catch this error. A quick look here shows that error code 1047 is 'StockCodeDoesntExist', and this should be returned if the code we entered is wrong. So we need to capture error 1047 in the GetStockQuantity() function. The code at the end of this function now becomes:

if ($ReturnValue[0] == 0) {
    // Success: the second element holds the stock quantity
    return $ReturnValue[1];
} elseif ($ReturnValue[0] == 1) {
    // NoAuthorisation: wrong user name or password
    $_SESSION['Errors'][] = 'Incorrect login/password credentials used';
} elseif ($ReturnValue[0] == 1047) {
    // StockCodeDoesntExist: the part code typed in is not in KwaMoja
    $_SESSION['Errors'][] = 'The stock code you entered does not exist';
}


So now the function is checking that the user/password is correct and also checking that the stock code is correct and providing useful feedback in the case of any problems. We could go on and check for other errors but this should be enough for now.

I have uploaded the new tutorial files to here.

Next time I will have a look at debugging the application when an error we haven't caught occurs.

Thursday 4 April 2013

An open letter to Phil Daintree of webERP


As with anything I publish, anybody (except the viagra salesmen) can comment on my blog. I make a public commitment that I will not attempt to forge or censor any posts, as goes on in all the communication channels on webERP. If +Phil Daintree wishes to dispute anything in this blog he is free to do so. If I am wrong I will alter my post. I trust in the common sense and intelligence of people to read the facts and to make up their own minds.

Phil Daintree was forced into issuing a public apology for his lies regarding me on the webERP developers list. I tried to post a reply to the mailing list but as always happens to my posts it was immediately rejected. I believe it makes some valid points so I publish it in full here:

Phil,
Thanks for the apology, which I accept in the spirit that it was sent.

I do think you are wrong on one matter though. You say "It is a sad
reflection of the state of our relationship that I automatically assume the worst". I would rather say that "It is a sad reflection on
your perception of the state of our relationship that you
automatically assume the worst". You see every action of mine (and
anyone who has disagreed with something you have said) through a prism
of hatred that means you only want to assume that the action was in
some way aimed to get at you. It is not. There is no conspiracy to get
at you. No conspiracy to make your life hard. In all the cases where
you have read this into someone's actions there is a much simpler
explanation than that, as was the case here.

All I want is to be able to develop software in a community where
anything can be discussed without fear of threats or abuse if I say
something you don't agree with. I just want to develop software in a
community where the ownership rights of contributors are honoured. I
want to develop software in a community where all contributors are
treated with respect, not where they will be publicly belittled for
weeks when you don't like their contributions. A community where if
their contributions need improving, then they are politely helped to
improve so that they can get better.

You seem to have made it clear that this is not the sort of community
you want, and there is nothing I can do about that. You control all
the means of communication in the community and you have shown that
you are determined to use that control to eliminate any dissent. That
is why I also contribute to other projects, where the community is
more like the one I talked about above.

When I feel that the work is not going to be controversial I also
include it in webERP, and all other work is immediately available for
you to decide for yourself.

You have said before that your banning me means you no longer have to
defend your decisions. I think this is wrong. I think as the leader of
the community you have an obligation to defend your decisions if
members of the community ask for reasons.

In conclusion Phil, there are no plots or counter plots. There never
were. The state of our relationship is only within you, and you are
the only one who can break that cycle.


Thanks
Tim