OFBiz / OFBIZ-11784

setPackageInfo process requires ACCOUNTING_VIEW permission to view invoice PDF

Details

    Description

      In the packing process (see [1]) links are shown to the invoice and the PDF thereof. The packer should not have access to the invoice details in accounting, but should be able to view the PDF for the invoice.

      However, in order to be able to generate the PDF, the packer needs VIEW permissions for accounting to execute https://demo-stable.ofbiz.apache.org/accounting/control/invoice.pdf?invoiceId=CI1&externalLoginKey=ELa5470e53-ff90-4977-896f-8302be1752b9

      This should not be, as it provides the packer with access to all sensitive accounting data.

      [1] https://demo-stable.ofbiz.apache.org/facility/control/setPackageInfo

          People

            Assignee: Unassigned
            Reporter: Pierre Smits (pierresmits)