  1. OFBiz
  2. OFBIZ-11784

setPackageInfo process requires ACCOUNTING_VIEW permission to view invoice PDF

    Details

      Description

      In the packing process (see [1]) links are shown to the invoice and the PDF thereof. The packer should not have access to the invoice details in accounting, but should be able to view the PDF for the invoice.

      However, in order to be able to generate the PDF the packer needs VIEW permissions to the accounting to execute https://demo-stable.ofbiz.apache.org/accounting/control/invoice.pdf?invoiceId=CI1&externalLoginKey=ELa5470e53-ff90-4977-896f-8302be1752b9

      This should not be as it provides the packer with access to all accounting sensitive data.

      [1] https://demo-stable.ofbiz.apache.org/facility/control/setPackageInfo

            People

            • Assignee:
              Unassigned
              Reporter:
              pierresmits Pierre Smits