[
https://issues.apache.org/jira/browse/OFBIZ-12384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17445310#comment-17445310
]
Pierre Smits commented on OFBIZ-12384:
--------------------------------------
Ahh. Ok.
Why not. Because available to a user with only 'VIEW' permissions, there are
these overviews:
* [https://demo-trunk.ofbiz.apache.org/accounting/control/findInvoices]
* [https://demo-trunk.ofbiz.apache.org/accounting/control/findPayments]
* for each party a financial overview regarding invoices and payments, e.g.
[https://demo-trunk.ofbiz.apache.org/partymgr/control/PartyFinancialHistory?partyId=EuroCustomer]
So there are ample ways for such a user (including an auditor) to get insights,
even with the changes in the PR.
IMO, for an MVP I would say: the improvement works.
Can you work with that? Or do *you* want it in? I could do that via a new
ticket...
> User with only 'VIEW' permissions should not editable fields and request
> triggers re invoice payments
> -----------------------------------------------------------------------------------------------------
>
> Key: OFBIZ-12384
> URL: https://issues.apache.org/jira/browse/OFBIZ-12384
> Project: OFBiz
> Issue Type: Improvement
> Components: accounting
> Affects Versions: Trunk
> Reporter: Pierre Smits
> Priority: Major
> Labels: invoice, usability
>
> Currently, a user with only 'VIEW' permissions, as demonstrated in trunk demo
> with userId = auditor, accessing the payments screen on an invoice sees
> fields editable and triggers to requests reserved for users with 'CREATE' or
> 'UPDATE' permissions.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)