[ https://issues.apache.org/jira/browse/OFBIZ-9740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16207251#comment-16207251 ]
Deepak Dixit commented on OFBIZ-9740:
-------------------------------------

Thanks Suraj Khurana for your contribution. A slightly modified patch has been committed at ofbiz-framework trunk at r#1812381 and ofbiz-plugins trunk at r#1812382.

If any if-has-permission tag uses _ADMIN permission, then it's good to use <if-has-permission permission="" instead of <if-has-permission permission="" action="">, as there is no sense in checking _ADMIN permission additionally; the second pattern additionally checks for _ADMIN permission.

> Proper use of if-has-permission
> -------------------------------
>
> Key: OFBIZ-9740
> URL: https://issues.apache.org/jira/browse/OFBIZ-9740
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL COMPONENTS
> Reporter: Suraj Khurana
> Assignee: Deepak Dixit
> Fix For: Upcoming Release
>
> Attachments: OFBIZ-9740.patch, OFBIZ-9740_plugin.patch
>
>
> As per discussion in dev mailing list:
> We use the <if-has-permission element for checking the specified permission of the logged-in party.
> There are two supported attributes as well, in which permission is mandatory and action is optional.
> If action is not passed then it looks for the specific permission.
> For example:
> <if-has-permission permission="LABEL_MANAGER_VIEW"/>
> It should be like <if-has-permission permission="LABEL_MANAGER" action="_VIEW"/>
> Now if someone has LABEL_MANAGER_ADMIN permission, then that user won't be granted permission. It should check for _ADMIN permission as well.
> This is properly handled when you pass the action attribute: it checks for the specific permission passed and _ADMIN permission as well.
> Proposed solution:
> We must use permission and action attributes at every such code occurrence to avoid this situation.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
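To make the two check paths described in the issue concrete, here is an added example (not OFBiz's own code): a small Python stand-in for the OFBiz Security interface, assumed to behave as the issue describes (permission alone is an exact match; permission plus action also accepts the _ADMIN permission), together with a simple audit over constructed widget XML that flags tags written in the reported form.

```python
import re

ADMIN_ACTION = "_ADMIN"
# CRUD action suffixes; a bare X_ADMIN permission is fine per the committer's comment
CRUD_ACTIONS = ("_VIEW", "_CREATE", "_UPDATE", "_DELETE")

class SecurityModel:
    """Assumed stand-in for OFBiz's Security interface (not OFBiz's own code).
    grants: {userLoginId: set of permission strings}, constructed sample data."""

    def __init__(self, grants):
        self._grants = {user: set(perms) for user, perms in grants.items()}

    def has_permission(self, permission, user):
        """Exact-match check: what the tag does when no action attribute is given."""
        return permission in self._grants.get(user, set())

    def has_entity_permission(self, entity, action, user):
        """Check used when action is given: entity+action, or entity+_ADMIN."""
        perms = self._grants.get(user, set())
        return (entity + action) in perms or (entity + ADMIN_ACTION) in perms

def if_has_permission(security, user, permission, action=None):
    """Mirror the widget's attribute handling: action is optional."""
    if action is None:
        return security.has_permission(permission, user)
    return security.has_entity_permission(permission, action, user)

# Matches tags that give permission= and nothing else (attribute order assumed)
_TAG_RE = re.compile(r'<if-has-permission\s+permission="([^"]+)"\s*/?>')

def find_suspect_tags(widget_xml):
    """Flag tags whose permission ends in a CRUD suffix but pass no action=."""
    return [p for p in _TAG_RE.findall(widget_xml) if p.endswith(CRUD_ACTIONS)]

def demo():
    security = SecurityModel({"viewer": {"LABEL_MANAGER_VIEW"},
                              "admin": {"LABEL_MANAGER_ADMIN"}})
    # constructed widget XML: one tag in the reported form, one in the proposed form
    xml = ('<if-has-permission permission="LABEL_MANAGER_VIEW"/>'
           '<if-has-permission permission="LABEL_MANAGER" action="_UPDATE"/>')
    return {
        "viewer_exact": if_has_permission(security, "viewer", "LABEL_MANAGER_VIEW"),
        "admin_exact": if_has_permission(security, "admin", "LABEL_MANAGER_VIEW"),
        "viewer_split": if_has_permission(security, "viewer", "LABEL_MANAGER", "_VIEW"),
        "admin_split": if_has_permission(security, "admin", "LABEL_MANAGER", "_VIEW"),
        "suspects": find_suspect_tags(xml),
    }
```

Running demo() shows the reported gap (admin_exact is False while admin_split is True) and lists LABEL_MANAGER_VIEW as the one tag worth rewriting.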