Thanks everyone for your inputs. Here <https://issues.apache.org/jira/browse/OFBIZ-9740> is the Jira ticket created for the same.
-- Best Regards, *Suraj Khurana* | Sr. Enterprise Software Engineer *HotWax Commerce* by *HotWax Systems* Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010 On Sun, Sep 10, 2017 at 1:50 PM, Devanshu Vyas <vyas.devansh...@gmail.com> wrote: > Big +1 for the proposal. > > Thanks & Regards, > Devanshu Vyas. > > On Thu, Aug 31, 2017 at 7:10 PM, Rishi Solanki <rishisolan...@gmail.com> > wrote: > > > Suraj, > > > > Thanks for the detailed description, and it would be nice to have this > > change. > > +1 for the proposal, with caution below; > > > > We have actions as VIEW, CREATE, UPDATE, DELETE and ADMIN. And all > actions > > from left to right override others, so while doing so we should try to > > manage the same. > > > > I mean to say that, if we go for ADMIN then other permission checks will > be > > pushed aside by the permission services. Same behavior should be maintain > > when we do this change. > > > > > > > > > > Rishi Solanki > > Sr Manager, Enterprise Software Development > > HotWax Systems Pvt. Ltd. > > Direct: +91-9893287847 > > http://www.hotwaxsystems.com > > www.hotwax.co > > > > On Thu, Aug 31, 2017 at 4:17 PM, Suraj Khurana < > > suraj.khur...@hotwaxsystems.com> wrote: > > > > > Hello all, > > > > > > We use *<if-has-permission* element for checking the specified > permission > > > of logged in party. > > > There are two supported attributes as well in which *permission *is > > > mandatory and *action *is optional. > > > If action is not passed then it looks for specific permission. > > > > > > *For Example: * > > > <if-has-permission permission="LABEL_MANAGER_VIEW"/> > > > It should be like <if-has-permission permission="LABEL_MANAGER" > > > action="_VIEW"/> > > > > > > - Now if someone has LABEL_MANAGER_ADMIN permission, then that > > > user won't be granted permission. It should check for _ADMIN > > permission > > > as > > > well. > > > > > > > > > This is properly handled when you pass action attribute, it checks for > > > specific permission passed and _ADMIN permission as well. > > > > > > Proposed solution: > > > > > > We must use permission and action attributes at every such code > > occurrences > > > to avoid this situation. > > > > > > -- > > > Best Regards, > > > *Suraj Khurana* | Sr. Enterprise Software Engineer > > > HotWax Commerce by HotWax Systems > > > Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010 > > > > > >