Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 17.12.03, Trunk, Upcoming Branch
- None
Description
In the packing process (see [1]) links are shown to the invoice and the PDF thereof. The packer should not have access to the invoice details in accounting, but should be able to view the PDF for the invoice.
However, in order to be able to generate the PDF, the packer needs VIEW permissions to the accounting to execute https://demo-stable.ofbiz.apache.org/accounting/control/invoice.pdf?invoiceId=CI1&externalLoginKey=ELa5470e53-ff90-4977-896f-8302be1752b9
This should not be, as it provides the packer with access to all sensitive accounting data.
[1] https://demo-stable.ofbiz.apache.org/facility/control/setPackageInfo