[
https://issues.apache.org/jira/browse/OFBIZ-11786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17281697#comment-17281697
]
Sebastian Berg commented on OFBIZ-11786:
----------------------------------------
In order to edit a Shipment the permission service
'checkCanChangeShipmentStatusDelivered' is called which in succession calls
'facilityGenericPermission' followed by 'checkFacilityRelatedPermission' where
the 'FACILITY' and 'CATALOG' permission in this case for 'UPDATE' is checked.
At the moment only the Party 'system' gets assigned the 'Packer' RoleType.
>From my perspective this seems to be a configuration issue on which
>SecurityPermissions are assigned to a userLogin with the 'Packer' RoleType.
[~pierresmits] can you maybe further describe why there is a problem here?
> Packer can change data on shipment
> ----------------------------------
>
> Key: OFBIZ-11786
> URL: https://issues.apache.org/jira/browse/OFBIZ-11786
> Project: OFBiz
> Issue Type: Bug
> Components: product
> Affects Versions: 17.12.03, Trunk
> Reporter: Pierre Smits
> Assignee: Sebastian Berg
> Priority: Major
> Labels: refactoring, usability
>
> When a shipment has been created (e.g.
> https://demo-stable.ofbiz.apache.org/facility/control/ViewShipment?shipmentId=10005),
> a packer can edit the details via editShipment, including (but not limited
> to) changing the customer and cost involved.
> This should not be possible
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
