[OFBIZ-9740] Proper use of if-has-permission - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Duplicate
Affects Version/s: None
Fix Version/s: 17.12.01
Component/s: ALL COMPONENTS
Labels:
None

Description

As per discussion on dev mailing list (http://markmail.org/message/avn27zxog3giapvb):
We use <if-has-permission element for checking the specified permission of logged in party.
There are two supported attributes as well in which permission is mandatory and action is optional.
If action is not passed then it looks for specific permission.

For Example:
<if-has-permission permission="LABEL_MANAGER_VIEW"/>
It should be like <if-has-permission permission="LABEL_MANAGER" action="_VIEW"/>
Now if someone has LABEL_MANAGER_ADMIN permission, then that user won't be granted permission. It should check for _ADMIN permission as well.

This is properly handled when you pass action attribute, it checks for specific permission passed and _ADMIN permission as well.

Proposed solution:

We must use permission and action attributes at every such code occurrences to avoid this situation.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OFBIZ-9740.patch
23/Sep/17 08:30
26 kB
Suraj Khurana
OFBIZ-9740_plugin.patch
23/Sep/17 08:30
24 kB
Suraj Khurana

Activity

People

Assignee:: Deepak Dixit

Reporter:: Suraj Khurana

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 23/Sep/17 05:03

Updated:: 23/Oct/17 08:39

Resolved:: 17/Oct/17 10:12