Pierre Smits created OFBIZ-11784:
------------------------------------
Summary: setPackageInfo process requires ACCOUNTING_VIEW permission to view invoice PDF
Key: OFBIZ-11784
URL: https://issues.apache.org/jira/browse/OFBIZ-11784
Project: OFBiz
Issue Type: Bug
Components: product
Affects Versions: Trunk, 17.12.03
Reporter: Pierre Smits

In the packing process (see [1]), links are shown to the invoice and the PDF
thereof. The packer should not have access to the invoice details in
accounting, but should be able to view the PDF for the invoice.

However, in order to be able to generate the PDF, the packer needs VIEW
permissions to the accounting to execute:

https://demo-stable.ofbiz.apache.org/accounting/control/invoice.pdf?invoiceId=CI1&externalLoginKey=ELa5470e53-ff90-4977-896f-8302be1752b9

This should not be, as it provides the packer with access to all accounting
sensitive data.

[1] https://demo-stable.ofbiz.apache.org/facility/control/setPackageInfo