Suraj, Thanks for the detailed description, and it would be nice to have this change. +1 for the proposal, with caution below;
We have actions as VIEW, CREATE, UPDATE, DELETE and ADMIN. And all actions from left to right override others, so while doing so we should try to manage the same. I mean to say that, if we go for ADMIN then other permission checks will be pushed aside by the permission services. Same behavior should be maintain when we do this change. Rishi Solanki Sr Manager, Enterprise Software Development HotWax Systems Pvt. Ltd. Direct: +91-9893287847 http://www.hotwaxsystems.com www.hotwax.co On Thu, Aug 31, 2017 at 4:17 PM, Suraj Khurana < suraj.khur...@hotwaxsystems.com> wrote: > Hello all, > > We use *<if-has-permission* element for checking the specified permission > of logged in party. > There are two supported attributes as well in which *permission *is > mandatory and *action *is optional. > If action is not passed then it looks for specific permission. > > *For Example: * > <if-has-permission permission="LABEL_MANAGER_VIEW"/> > It should be like <if-has-permission permission="LABEL_MANAGER" > action="_VIEW"/> > > - Now if someone has LABEL_MANAGER_ADMIN permission, then that > user won't be granted permission. It should check for _ADMIN permission > as > well. > > > This is properly handled when you pass action attribute, it checks for > specific permission passed and _ADMIN permission as well. > > Proposed solution: > > We must use permission and action attributes at every such code occurrences > to avoid this situation. > > -- > Best Regards, > *Suraj Khurana* | Sr. Enterprise Software Engineer > HotWax Commerce by HotWax Systems > Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010 >