Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: Upcoming Release
    • Component/s: ALL COMPONENTS
    • Labels:
      None

      Description

      As per discussion on dev mailing list (http://markmail.org/message/avn27zxog3giapvb):
      We use <if-has-permission> element for checking the specified permission of logged in party.
      There are two supported attributes as well in which permission is mandatory and action is optional.
      If action is not passed then it looks for specific permission.

      For Example:
      <if-has-permission permission="LABEL_MANAGER_VIEW"/>
      It should be like <if-has-permission permission="LABEL_MANAGER" action="_VIEW"/>
      Now if someone has LABEL_MANAGER_ADMIN permission, then that user won't be granted permission. It should check for _ADMIN permission as well.

      This is properly handled when you pass action attribute, it checks for specific permission passed and _ADMIN permission as well.

      Proposed solution:

      We must use permission and action attributes at every such code occurrence to avoid this situation.

      1. OFBIZ-9740.patch
        26 kB
        Suraj Khurana
      2. OFBIZ-9740_plugin.patch
        24 kB
        Suraj Khurana

        Activity

        suraj.khurana Suraj Khurana added a comment -

        Attaching patch with the proper fix.
        Created separate patch for plugins directory.

        Please review the patch.

        deepak.dixit Deepak Dixit added a comment -

        Thanks Suraj Khurana for your contribution. A slightly modified patch has been committed at
        ofbiz-framework trunk at r#1812381 and ofbiz-plugins trunk at r#1812382.

        If any if-has-permission tag uses an _ADMIN permission, then it's good to use
        <if-has-permission permission="">
        instead of
        <if-has-permission permission="" action="">
        as there is no sense in checking the _ADMIN permission additionally. The second pattern additionally checks for the _ADMIN permission.
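
Added example (not part of the issue, its patches, or OFBiz code): a Python model of the two check behaviours described above, plus an audit pass that flags action-less `if-has-permission` tags whose permission ends in an action suffix, skipping `_ADMIN` ones as the last comment advises. The suffix list beyond `_VIEW`, the function names and the sample XML are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Assumed action suffixes; the issue itself only names _VIEW and _ADMIN.
ACTIONS = ("_VIEW", "_CREATE", "_UPDATE", "_DELETE")

def is_granted(held, permission, action=None):
    """Model of the check as the issue describes it (not OFBiz source)."""
    if action is None:
        return permission in held  # exact match only, no _ADMIN fallback
    return permission + action in held or permission + "_ADMIN" in held

def audit(xml_text):
    """Return (old_permission, base, action) for tags that should be split."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "if-has-permission":  # ignore any namespace
            continue
        perm = el.get("permission", "")
        if el.get("action") or perm.endswith("_ADMIN"):
            continue  # already falls back to _ADMIN, or checks _ADMIN itself
        for suffix in ACTIONS:
            if perm.endswith(suffix) and len(perm) > len(suffix):
                findings.append((perm, perm[: -len(suffix)], suffix))
                break
    return findings

# Constructed sample, not taken from the OFBiz code base.
SAMPLE = """<simple-method method-name="exampleMethod">
  <if>
    <condition>
      <or>
        <if-has-permission permission="LABEL_MANAGER_VIEW"/>
        <if-has-permission permission="LABEL_MANAGER" action="_UPDATE"/>
        <if-has-permission permission="LABEL_MANAGER_ADMIN"/>
      </or>
    </condition>
  </if>
</simple-method>"""

if __name__ == "__main__":
    admin = {"LABEL_MANAGER_ADMIN"}  # a user holding only the _ADMIN permission
    for old, base, action in audit(SAMPLE):
        print(f'permission="{old}": admin granted = {is_granted(admin, old)}')
        print(f'permission="{base}" action="{action}": '
              f'admin granted = {is_granted(admin, base, action)}')
```
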


          People

          • Assignee:
            deepak.dixit Deepak Dixit
            Reporter:
            suraj.khurana Suraj Khurana
          • Votes:
            0
            Watchers:
            2
