[jira] [Commented] (OFBIZ-11786) Packer can change data on shipment

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-11786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17281697#comment-17281697 ]

Sebastian Berg commented on OFBIZ-11786:
----------------------------------------

In order to edit a Shipment, the permission service 'checkCanChangeShipmentStatusDelivered' is called, which in succession calls 'facilityGenericPermission' followed by 'checkFacilityRelatedPermission', where the 'FACILITY' and 'CATALOG' permissions, in this case for 'UPDATE', are checked.

At the moment only the Party 'system' gets assigned the 'Packer' RoleType.

From my perspective this seems to be a configuration issue on which SecurityPermissions are assigned to a userLogin with the 'Packer' RoleType.

[~pierresmits], can you maybe further describe why there is a problem here?

> Packer can change data on shipment
> ----------------------------------
>
>                 Key: OFBIZ-11786
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11786
>             Project: OFBiz
>          Issue Type: Bug
>          Components: product
>    Affects Versions: 17.12.03, Trunk
>            Reporter: Pierre Smits
>            Assignee: Sebastian Berg
>            Priority: Major
>              Labels: refactoring, usability
>
> When a shipment has been created (e.g. https://demo-stable.ofbiz.apache.org/facility/control/ViewShipment?shipmentId=10005), a packer can edit the details via editShipment, including (but not limited to) changing the customer and cost involved.
> This should not be possible.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
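
An audit of the kind the comment points to, as an added example (not OFBiz code and not part of the Jira thread): it lists userLogins whose party holds a given RoleType and whose active security groups carry a FACILITY or CATALOG update permission. The table and column names, the `PACKER` role id, the `<BASE>_UPDATE` / `<BASE>_ADMIN` permission ids, the group names and all rows are assumptions modelled on OFBiz's entity naming, run here against an in-memory SQLite database.

```python
import sqlite3

# Assumed permission ids: "<BASE>_UPDATE", with "<BASE>_ADMIN" treated as implying it.
RISKY = ("FACILITY_UPDATE", "FACILITY_ADMIN", "CATALOG_UPDATE", "CATALOG_ADMIN")

# Assumed, simplified schema (only the columns the audit needs).
SCHEMA = """
CREATE TABLE USER_LOGIN (USER_LOGIN_ID TEXT, PARTY_ID TEXT);
CREATE TABLE PARTY_ROLE (PARTY_ID TEXT, ROLE_TYPE_ID TEXT);
CREATE TABLE USER_LOGIN_SECURITY_GROUP (USER_LOGIN_ID TEXT, GROUP_ID TEXT, THRU_DATE TEXT);
CREATE TABLE SECURITY_GROUP_PERMISSION (GROUP_ID TEXT, PERMISSION_ID TEXT);
"""

AUDIT = """
SELECT ul.USER_LOGIN_ID, sg.GROUP_ID, sgp.PERMISSION_ID
FROM PARTY_ROLE pr
JOIN USER_LOGIN ul ON ul.PARTY_ID = pr.PARTY_ID
JOIN USER_LOGIN_SECURITY_GROUP sg ON sg.USER_LOGIN_ID = ul.USER_LOGIN_ID
JOIN SECURITY_GROUP_PERMISSION sgp ON sgp.GROUP_ID = sg.GROUP_ID
WHERE pr.ROLE_TYPE_ID = ?
  AND (sg.THRU_DATE IS NULL OR sg.THRU_DATE > ?)   -- skip expired memberships
  AND sgp.PERMISSION_ID IN ({})
ORDER BY 1, 2, 3
""".format(",".join("?" * len(RISKY)))

def build_sample_db():
    """Constructed sample data: two packers and one clerk."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO USER_LOGIN VALUES (?,?)",
                   [("packer1", "P100"), ("packer2", "P101"), ("clerk1", "P200")])
    db.executemany("INSERT INTO PARTY_ROLE VALUES (?,?)",
                   [("P100", "PACKER"), ("P101", "PACKER"), ("P200", "SHIPMENT_CLERK")])
    db.executemany("INSERT INTO USER_LOGIN_SECURITY_GROUP VALUES (?,?,?)",
                   [("packer1", "FACILITY_FULL", None),
                    ("packer2", "PACK_ONLY", None),
                    ("packer2", "FACILITY_FULL", "2020-01-01 00:00:00"),  # expired
                    ("clerk1", "FACILITY_FULL", None)])
    db.executemany("INSERT INTO SECURITY_GROUP_PERMISSION VALUES (?,?)",
                   [("FACILITY_FULL", "FACILITY_ADMIN"), ("FACILITY_FULL", "CATALOG_UPDATE"),
                    ("PACK_ONLY", "FACILITY_VIEW")])
    return db

def audit_role(db, role_type_id, as_of):
    """Return (userLoginId, groupId, permissionId) rows that let the role pass an UPDATE check."""
    return db.execute(AUDIT, (role_type_id, as_of, *RISKY)).fetchall()

if __name__ == "__main__":
    for row in audit_role(build_sample_db(), "PACKER", "2021-02-09 00:00:00"):
        print(row)
```

An empty result for the packer role means no active group membership grants those permissions; any row names the group to review.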