[ https://issues.apache.org/jira/browse/OFBIZ-1532?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-1532. ---------------------------------- Resolution: Fixed Fix Version/s: SVN trunk Adrian, I looked at the code and wondered why you asked me to look at it. Then I remebered that you posted a message on dev ML on this topic. Here it is : One more thing to keep in mind with the GL posting SECAs - I changed the permissions a little in the accounting component. When I worked on converting permission checking to the permission service, I kept all permissions the same except two. One of them was called ACCOUNTING_ATX_POST or something like that. There was a note in the seed data that the permission was used to allow other applications to post GL transactions without having to give the user full access to the accounting component. What concerned me was, someone using OFBiz could assign this permission to a user without fully understanding the implications. With that permission, a user could post ANY GL transaction - not just the intended one. So I removed the permission from the seed data and updated the notes in the seed data file. I checked to see if the permission was actually being used in the project, but I couldn't find it anywhere - so I assumed removing it wouldn't break anything. The best way to handle GL posting permissions (in my opinion) is to keep the GL posting services locked down with the ACCTG_ATX_* permissions - so that only an accountant is given those permissions. External apps that need to post to GL can have permission service SECAs that analyze their particular transaction to see if the user is allowed to post that transaction. Ideally, external apps posting to GL wouldn't need to assign any additional permissions to the user. The permission SECAs decision would be based on the validity of the data in the transaction, not on the user's permissions. -Adrian I understand but in my case it's much more convenient and understandable to use a system userLogin with admin right when calling the serice. So I finally commited my (slightly reformated) changes in trunk. rev. 606625 This is not the only place where a such trick is used, see also OrderServices.java[1157] and CheckOutHelper.java[627] I will open a new issue for the "The question [Gift Card Number:] requires a valid gift-card number." problem. > Run GiftCertificateServices.createTransaction as system user > ------------------------------------------------------------ > > Key: OFBIZ-1532 > URL: https://issues.apache.org/jira/browse/OFBIZ-1532 > Project: OFBiz > Issue Type: Bug > Components: accounting > Affects Versions: SVN trunk > Reporter: Jacques Le Roux > Assignee: Jacques Le Roux > Fix For: SVN trunk > > Attachments: GiftCertificateServices.java.patch > > > To be able to run GiftCertificateServices.createTransaction (to create a Gift > Certificate from eCommerce : Gift Card Activation) we have to run as system > user (it needs ACCTG_ATX_CREATE) -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.