Suraj Khurana created OFBIZ-9740:
------------------------------------

             Summary: Proper use of if-has-permission
                 Key: OFBIZ-9740
                 URL: https://issues.apache.org/jira/browse/OFBIZ-9740
             Project: OFBiz
          Issue Type: Improvement
          Components: ALL COMPONENTS
            Reporter: Suraj Khurana


As per the discussion on the dev mailing list:
We use the <if-has-permission> element to check the specified permission of 
the logged-in party.
It supports two attributes: permission, which is mandatory, and action, which 
is optional.
If action is not passed, then it looks for the specific permission.

For example: 
<if-has-permission permission="LABEL_MANAGER_VIEW"/>
It should be like <if-has-permission permission="LABEL_MANAGER" action="_VIEW"/>
Now if someone has the LABEL_MANAGER_ADMIN permission, then that user won't be 
granted permission. It should check for the _ADMIN permission as well. 

This is properly handled when you pass the action attribute: it checks for the 
specific permission passed and the _ADMIN permission as well.

Proposed solution:

We must use the permission and action attributes at every such code occurrence 
to avoid this situation.


