ofbiz-notifications mailing list archives

From "Aditya Sharma (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (OFBIZ-9740) Proper use of if-has-permission
Date Mon, 23 Oct 2017 08:40:02 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-9740?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aditya Sharma updated OFBIZ-9740:
---------------------------------
    Description: 
As per discussion on dev mailing list ([http://markmail.org/message/avn27zxog3giapvb]):
We use the <if-has-permission> element for checking the specified permission of the logged-in party.
There are two supported attributes, of which permission is mandatory and action is
optional.
If action is not passed, then it looks for the specific permission.

For Example: 
<if-has-permission permission="LABEL_MANAGER_VIEW"/>
It should be like <if-has-permission permission="LABEL_MANAGER" action="_VIEW"/>
Now if someone has LABEL_MANAGER_ADMIN permission, then that user won't be granted permission.
It should check for _ADMIN permission as well. 

This is properly handled when you pass the action attribute: it checks for the specific permission
passed and the _ADMIN permission as well.

Proposed solution:

We must use the permission and action attributes at every such code occurrence to avoid this
situation.

  was:
As per discussion in dev mailing list:
We use the <if-has-permission> element for checking the specified permission of the logged-in party.
There are two supported attributes, of which permission is mandatory and action is
optional.
If action is not passed, then it looks for the specific permission.

For Example: 
<if-has-permission permission="LABEL_MANAGER_VIEW"/>
It should be like <if-has-permission permission="LABEL_MANAGER" action="_VIEW"/>
Now if someone has LABEL_MANAGER_ADMIN permission, then that user won't be granted permission.
It should check for _ADMIN permission as well. 

This is properly handled when you pass the action attribute: it checks for the specific permission
passed and the _ADMIN permission as well.

Proposed solution:

We must use the permission and action attributes at every such code occurrence to avoid this
situation.


> Proper use of if-has-permission
> -------------------------------
>
>                 Key: OFBIZ-9740
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9740
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>            Reporter: Suraj Khurana
>            Assignee: Deepak Dixit
>             Fix For: Upcoming Release
>
>         Attachments: OFBIZ-9740.patch, OFBIZ-9740_plugin.patch
>
>
> As per discussion on dev mailing list ([http://markmail.org/message/avn27zxog3giapvb]):
> We use the <if-has-permission> element for checking the specified permission of the logged-in party.
> There are two supported attributes, of which permission is mandatory and action is optional.
> If action is not passed, then it looks for the specific permission.
> For example:
> <if-has-permission permission="LABEL_MANAGER_VIEW"/>
> It should be like <if-has-permission permission="LABEL_MANAGER" action="_VIEW"/>
> Now if someone has LABEL_MANAGER_ADMIN permission, then that user won't be granted permission. It should check for _ADMIN permission as well.
> This is properly handled when you pass the action attribute: it checks for the specific permission passed and the _ADMIN permission as well.
> Proposed solution:
> We must use the permission and action attributes at every such code occurrence to avoid this situation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
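
Added example, not part of the archived message or of the OFBiz code base: a Python sketch that models the check as the issue describes it and scans XML text for <if-has-permission> tags that fold the action into the permission attribute. The function names, the suffix list beyond _VIEW and the sample XML are assumptions made for illustration.

```python
import re

# Assumed action suffixes; only _VIEW and _ADMIN appear in the issue text.
ACTION_SUFFIXES = ("_VIEW", "_CREATE", "_UPDATE", "_DELETE")

TAG_RE = re.compile(r"<if-has-permission\b([^>]*?)/?>")
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def has_permission(granted, permission, action=None):
    """Model of the check as described in the issue (not OFBiz source)."""
    if action is None:
        return permission in granted  # exact match only, no _ADMIN fallback
    return permission + action in granted or permission + "_ADMIN" in granted


def find_misuses(xml_text):
    """Return (line_no, permission, suggested_tag) for each single-line tag
    that has no action attribute and whose permission ends in an action."""
    findings = []
    for line_no, line in enumerate(xml_text.splitlines(), start=1):
        for match in TAG_RE.finditer(line):
            attrs = dict(ATTR_RE.findall(match.group(1)))
            perm = attrs.get("permission", "")
            if "action" in attrs:
                continue  # already uses the permission + action form
            for suffix in ACTION_SUFFIXES:
                if perm.endswith(suffix) and len(perm) > len(suffix):
                    base = perm[: -len(suffix)]
                    fix = f'<if-has-permission permission="{base}" action="{suffix}"/>'
                    findings.append((line_no, perm, fix))
                    break
    return findings


# Constructed sample, not taken from the OFBiz code base.
SAMPLE = """<condition>
    <if-has-permission permission="LABEL_MANAGER_VIEW"/>
</condition>
<condition>
    <if-has-permission permission="LABEL_MANAGER" action="_VIEW"/>
</condition>"""

if __name__ == "__main__":
    admin = {"LABEL_MANAGER_ADMIN"}
    print(has_permission(admin, "LABEL_MANAGER_VIEW"))      # admin is refused
    print(has_permission(admin, "LABEL_MANAGER", "_VIEW"))  # admin is allowed
    for finding in find_misuses(SAMPLE):
        print(finding)
```

The scanner works line by line, so a tag whose attributes are wrapped across several lines is not reported.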
