Pierre Smits created OFBIZ-11784:
------------------------------------
Summary: setPackageInfo process requires ACCOUNTING_VIEW permission to view invoice PDF
Key: OFBIZ-11784
URL: https://issues.apache.org/jira/browse/OFBIZ-11784
Project: OFBiz
Issue Type: Bug
Components: product
Affects Versions: Trunk, 17.12.03
Reporter: Pierre Smits
In the packing process (see [1]) links are shown to the invoice and the PDF thereof. The packer should not have access to the invoice details in accounting, but should be able to view the PDF for the invoice.
However, in order to be able to generate the PDF the packer needs VIEW permissions to the accounting to execute
https://demo-stable.ofbiz.apache.org/accounting/control/invoice.pdf?invoiceId=CI1&externalLoginKey=ELa5470e53-ff90-4977-896f-8302be1752b9
This should not be, as it provides the packer with access to all accounting sensitive data.
[1] https://demo-stable.ofbiz.apache.org/facility/control/setPackageInfo