Hi Hans, I understand the issue you are fixing in this commit (and in at least one other commit from last week), but I disagree with the approach. We should never add permission checks on the *_ADMIN permissions: we should instead always use one of the fine-grained _CREATE, _UPDATE, _DELETE; the _ADMIN permission will be checked automatically by the framework if the fine-grained ones fail. So instead of (for example):
> @@ -24,6 +24,7 @@ under the License. > <if> > <condition> > <and> > + <not><if-has-permission permission="ACCOUNTING" > action="_ADMIN"/></not> > <not><if-has-permission permission="PAY_INFO" > action="_CREATE"/></not> > <not><if-compare-field field="userLogin.partyId" > to-field="parameters.partyIdFrom" operator="equals"/></not> > <not><if-compare-field field="userLogin.partyId" > to-field="parameters.partyIdTo" operator="equals"/></not> you should have: 
> @@ -24,6 +24,7 @@ under the License. > <if> > <condition> > <and> > + <not><if-has-permission permission="ACCOUNTING" > action="_CREATE"/></not> > <not><if-has-permission permission="PAY_INFO" > action="_CREATE"/></not> > <not><if-compare-field field="userLogin.partyId" > to-field="parameters.partyIdFrom" operator="equals"/></not> > <not><if-compare-field field="userLogin.partyId" > to-field="parameters.partyIdTo" operator="equals"/></not> The code above will grant access to users having at least one of the following: PAYINFO_CREATE PAYINFO_ADMIN ACCOUNTING_CREATE ACCOUNTING_ADMIN Kind regards, Jacopo On Jun 25, 2012, at 4:23 AM, hans...@apache.org wrote: > Author: hansbak > Date: Mon Jun 25 02:22:58 2012 > New Revision: 1353381 > > URL: http://svn.apache.org/viewvc?rev=1353381&view=rev > Log: > Give ACCOUNTING_ADMIN the same access as PAY_INFO_ADMIN because part of > accounting component > > Modified: > > ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml > > ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml > > ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml > > ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java > ofbiz/trunk/applications/accounting/widget/GlScreens.xml > ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl > > ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy > > ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl > ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java > > Modified: > ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml?rev=1353381&r1=1353380&r2=1353381&view=diff > 
============================================================================== > --- > ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml > (original) > +++ > ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml > Mon Jun 25 02:22:58 2012 > @@ -26,7 +26,6 @@ under the License. > <SecurityGroupPermission groupId="BIZADMIN" permissionId="PAYPROC_ADMIN"/> > > <!-- Payment Information security --> > - <SecurityGroupPermission groupId="FULLADMIN" > permissionId="PAY_INFO_ADMIN"/> > <SecurityGroupPermission groupId="FLEXADMIN" > permissionId="PAY_INFO_CREATE"/> > <SecurityGroupPermission groupId="FLEXADMIN" > permissionId="PAY_INFO_DELETE"/> > <SecurityGroupPermission groupId="FLEXADMIN" > permissionId="PAY_INFO_UPDATE"/> > > Modified: > ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml?rev=1353381&r1=1353380&r2=1353381&view=diff > ============================================================================== > --- > ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml > (original) > +++ > ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml > Mon Jun 25 02:22:58 2012 
> @@ -68,7 +68,6 @@ under the License. > > <!-- add admin to SUPER permission group --> > <SecurityGroupPermission groupId="SUPER" permissionId="ACCOUNTING_ADMIN"/> > - <SecurityGroupPermission groupId="SUPER" permissionId="PAY_INFO_ADMIN"/> > <SecurityGroupPermission groupId="SUPER" > permissionId="ACCOUNTING_COMM_VIEW"/> > <SecurityGroupPermission groupId="SUPER" > permissionId="ACCOUNTING_PRINT_CHECKS"/> > <SecurityGroupPermission groupId="SUPER" permissionId="ACCTG_PREF_ADMIN"/> > > Modified: > ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml?rev=1353381&r1=1353380&r2=1353381&view=diff > ============================================================================== > --- > ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml > (original) > +++ > ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml > Mon Jun 25 02:22:58 2012 > @@ -24,6 +24,7 @@ under the License. > <if> > <condition> > <and> > + <not><if-has-permission permission="ACCOUNTING" > action="_ADMIN"/></not> > <not><if-has-permission permission="PAY_INFO" > action="_CREATE"/></not> > <not><if-compare-field field="userLogin.partyId" > to-field="parameters.partyIdFrom" operator="equals"/></not> > <not><if-compare-field field="userLogin.partyId" > to-field="parameters.partyIdTo" operator="equals"/></not> 
> @@ -86,6 +87,7 @@ under the License. > <if> > <condition> > <and> > + <not><if-has-permission permission="ACCOUNTING" > action="_ADMIN"/></not> > <not><if-has-permission permission="PAY_INFO" > action="_UPDATE"/></not> > <not><if-compare-field field="userLogin.partyId" > to-field="payment.partyIdFrom" operator="equals"/></not> > <not><if-compare-field field="userLogin.partyId" > to-field="payment.partyIdTo" operator="equals"/></not> > > Modified: > ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java?rev=1353381&r1=1353380&r2=1353381&view=diff > ============================================================================== > --- > ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java > (original) > +++ > ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java > Mon Jun 25 02:22:58 2012 > @@ -89,7 +89,7 @@ public class PaymentMethodServices { > > // <b>security check</b>: userLogin partyId must equal paymentMethod > partyId, or must have PAY_INFO_DELETE permission > if (paymentMethod.get("partyId") == null || > !paymentMethod.getString("partyId").equals(userLogin.getString("partyId"))) { > - if (!security.hasEntityPermission("PAY_INFO", "_DELETE", > userLogin)) { > + if (!security.hasEntityPermission("PAY_INFO", "_DELETE", > userLogin) && !security.hasEntityPermission("ACCOUNTING", "_ADMIN", > userLogin)) { > return > ServiceUtil.returnError(UtilProperties.getMessage(resourceError, > "AccountingPaymentMethodNoPermissionToDelete", > locale)); > } 
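Review bot: The comment above the changed condition in PaymentMethodServices.java still says the caller `must have PAY_INFO_DELETE permission`, but the new line also accepts ACCOUNTING_ADMIN, so the comment is now stale; change it to `// <b>security check</b>: userLogin partyId must equal paymentMethod partyId, or must have PAY_INFO_DELETE or ACCOUNTING_ADMIN permission`. The same two-call pattern `!security.hasEntityPermission("PAY_INFO", op, userLogin) && !security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)` is repeated inline here and in the hunks at -286, -574 and -806 of the same file, so a small private helper in this class, e.g. `private static boolean hasPayInfoOrAccountingAdmin(Security security, GenericValue userLogin, String operation)`, would keep the grant logic in one place, as the commit already does for the partyId case via ServiceUtil. The enclosing method starts and ends outside the hunk.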
> @@ -139,7 +139,7 @@ public class PaymentMethodServices { > > Timestamp now = UtilDateTime.nowTimestamp(); > > - String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, > security, context, result, "PAY_INFO", "_CREATE"); > + String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, > security, context, result, "PAY_INFO", "_CREATE", "ACCOUNTING", "_ADMIN"); > > if (result.size() > 0) return result; > > @@ -260,7 +260,7 @@ public class PaymentMethodServices { > > Timestamp now = UtilDateTime.nowTimestamp(); > > - String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, > security, context, result, "PAY_INFO", "_UPDATE"); > + String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, > security, context, result, "PAY_INFO", "_UPDATE", "ACCOUNTING", "_ADMIN"); > > if (result.size() > 0) return result; > > @@ -286,7 +286,7 @@ public class PaymentMethodServices { > return > ServiceUtil.returnError(UtilProperties.getMessage(resource, > "AccountingCreditCardUpdateWithPaymentMethodId", locale) > + paymentMethodId); > } > - if (!paymentMethod.getString("partyId").equals(partyId) && > !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin)) { > + if (!paymentMethod.getString("partyId").equals(partyId) && > !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin) && > !security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)) { > return > ServiceUtil.returnError(UtilProperties.getMessage(resource, > "AccountingCreditCardUpdateWithoutPermission", > UtilMisc.toMap("partyId", partyId, > "paymentMethodId", paymentMethodId), locale)); 
> @@ -488,7 +488,7 @@ public class PaymentMethodServices { > > Timestamp now = UtilDateTime.nowTimestamp(); > > - String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, > security, context, result, "PAY_INFO", "_CREATE"); > + String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, > security, context, result, "PAY_INFO", "_CREATE", "ACCOUNTING", "_ADMIN"); > > if (result.size() > 0) > return result; > @@ -545,7 +545,7 @@ public class PaymentMethodServices { > > Timestamp now = UtilDateTime.nowTimestamp(); > > - String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, > security, context, result, "PAY_INFO", "_UPDATE"); > + String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, > security, context, result, "PAY_INFO", "_UPDATE", "ACCOUNTING", "_ADMIN"); > > if (result.size() > 0) > return result; > @@ -574,7 +574,7 @@ public class PaymentMethodServices { > "AccountingGiftCardCannotBeUpdated", > UtilMisc.toMap("errorString", paymentMethodId), locale)); > } > - if (!paymentMethod.getString("partyId").equals(partyId) && > !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin)) { > + if (!paymentMethod.getString("partyId").equals(partyId) && > !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin) && > !security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)) { > return > ServiceUtil.returnError(UtilProperties.getMessage(resourceError, > "AccountingGiftCardPartyNotAuthorized", > UtilMisc.toMap("partyId", partyId, "paymentMethodId", > paymentMethodId), locale)); > @@ -679,7 +679,7 @@ public class PaymentMethodServices { > > Timestamp now = UtilDateTime.nowTimestamp(); > > - String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, > security, context, result, "PAY_INFO", "_CREATE"); > + String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, > security, context, result, "PAY_INFO", "_CREATE", "ACCOUNTING", "_ADMIN"); > > if (result.size() > 0) return result; 
> > @@ -777,7 +777,7 @@ public class PaymentMethodServices { > > Timestamp now = UtilDateTime.nowTimestamp(); > > - String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, > security, context, result, "PAY_INFO", "_UPDATE"); > + String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, > security, context, result, "PAY_INFO", "_UPDATE", "ACCOUNTING", "_ADMIN"); > > if (result.size() > 0) return result; > > @@ -806,7 +806,7 @@ public class PaymentMethodServices { > "AccountingEftAccountCannotBeUpdated", > UtilMisc.toMap("errorString", paymentMethodId), locale)); > } > - if (!paymentMethod.getString("partyId").equals(partyId) && > !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin)) { > + if (!paymentMethod.getString("partyId").equals(partyId) && > !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin) && > !security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)) { > return > ServiceUtil.returnError(UtilProperties.getMessage(resourceError, > "AccountingEftAccountCannotBeUpdated", > UtilMisc.toMap("partyId", partyId, "paymentMethodId", > paymentMethodId), locale)); > > Modified: ofbiz/trunk/applications/accounting/widget/GlScreens.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/GlScreens.xml?rev=1353381&r1=1353380&r2=1353381&view=diff > ============================================================================== > --- ofbiz/trunk/applications/accounting/widget/GlScreens.xml (original) > +++ ofbiz/trunk/applications/accounting/widget/GlScreens.xml Mon Jun 25 > 02:22:58 2012 
> @@ -445,7 +445,12 @@ under the License. > <decorator-screen name="CommonAdminChecksDecorator" > location="${parameters.mainDecoratorLocation}"> > <decorator-section name="checks-body"> > <section> > - <condition><if-has-permission permission="PAY_INFO" > action="_UPDATE"/></condition> > + <condition> > + <or> > + <if-has-permission permission="ACCOUNTING" > action="_ADMIN"/> > + <if-has-permission permission="PAY_INFO" > action="_UPDATE"/> > + </or> > + </condition> > <widgets> > <screenlet > title="${uiLabelMap.AccountingSendChecks}"> > <include-form name="ListChecksToSend" > location="component://accounting/widget/PaymentForms.xml"/> > > Modified: > ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl?rev=1353381&r1=1353380&r2=1353381&view=diff > ============================================================================== > --- ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl > (original) > +++ ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl > Mon Jun 25 02:22:58 2012 > @@ -54,7 +54,7 @@ under the License. > <#assign statusItem = payment.getRelatedOne("StatusItem", false)> > <#assign partyName = delegator.findOne("PartyNameView", {"partyId" > : payment.partyIdTo}, true)> > <tr> > - <#if security.hasPermission("PAY_INFO_VIEW", session) || > security.hasPermission("PAY_INFO_ADMIN", session)> > + <#if security.hasEntityPermission("PAY_INFO", "_VIEW", session) > || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> > <td><a > href="/accounting/control/paymentOverview?paymentId=${payment.paymentId}">${payment.paymentId}</a></td> > <#else> > <td>${payment.paymentId}</td> 
> @@ -342,7 +342,7 @@ under the License. > <#if > creditCard.suffixOnCard?has_content> ${creditCard.suffixOnCard}</#if> > <br /> > > - <#if security.hasEntityPermission("PAY_INFO", "_VIEW", > session)> > + <#if security.hasEntityPermission("PAY_INFO", "_VIEW", > session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> > ${creditCard.cardType} > <@maskSensitiveNumber > cardNumber=creditCard.cardNumber?if_exists/> > ${creditCard.expireDate} > @@ -469,7 +469,7 @@ under the License. > <td valign="top" width="60%"> > <div> > <#if giftCard?has_content> > - <#if security.hasEntityPermission("PAY_INFO", "_VIEW", > session)> > + <#if security.hasEntityPermission("PAY_INFO", "_VIEW", > session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> > ${giftCard.cardNumber?default("N/A")} > [${giftCard.pinNumber?default("N/A")}] > [<#if > oppStatusItem?exists>${oppStatusItem.get("description",locale)}<#else>${orderPaymentPreference.statusId}</#if>] > <#else> 
> @@ -596,7 +596,7 @@ under the License. > <#if "CREDIT_CARD" == paymentMethod.paymentMethodTypeId> > <#assign creditCard = paymentMethodValueMap.creditCard/> > <#if (creditCard?has_content)> > - <#if security.hasEntityPermission("PAY_INFO", "_VIEW", > session)> > + <#if security.hasEntityPermission("PAY_INFO", "_VIEW", > session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> > ${creditCard.cardType?if_exists} <@maskSensitiveNumber > cardNumber=creditCard.cardNumber?if_exists/> > ${creditCard.expireDate?if_exists} > <#else> > > ${Static["org.ofbiz.party.contact.ContactHelper"].formatCreditCard(creditCard)} > > Modified: > ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy?rev=1353381&r1=1353380&r2=1353381&view=diff > ============================================================================== > --- > ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy > (original) > +++ > ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy > Mon Jun 25 02:22:58 2012 
> @@ -23,7 +23,7 @@ context.hasCreatePermission = security.h > context.hasUpdatePermission = security.hasEntityPermission("PARTYMGR", > "_UPDATE", session); > context.hasDeletePermission = security.hasEntityPermission("PARTYMGR", > "_DELETE", session); > // extended pay_info permissions > -context.hasPayInfoPermission = security.hasEntityPermission("PAY_INFO", > "_VIEW", session); > +context.hasPayInfoPermission = security.hasEntityPermission("PAY_INFO", > "_VIEW", session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", > session); > // extended pcm (party contact mechanism) permissions > context.hasPcmCreatePermission = security.hasEntityPermission("PARTYMGR_PCM", > "_CREATE", session); > context.hasPcmUpdatePermission = security.hasEntityPermission("PARTYMGR_PCM", > "_UPDATE", session); > > Modified: > ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl?rev=1353381&r1=1353380&r2=1353381&view=diff > ============================================================================== > --- > ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl > (original) > +++ > ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl > Mon Jun 25 02:22:58 2012 
> @@ -38,7 +38,7 @@ under the License. > <div class="screenlet-title-bar"> > <ul> > <li class="h3">${uiLabelMap.PartyPaymentMethodInformation}</li> > - <#if security.hasEntityPermission("PAY_INFO", "_CREATE", session)> > + <#if security.hasEntityPermission("PAY_INFO", "_CREATE", session) || > security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> > <li><a > href="<@ofbizUrl>editeftaccount?partyId=${partyId}</@ofbizUrl>">${uiLabelMap.AccountingCreateNewEftAccount}</a></li> > <li><a > href="<@ofbizUrl>editgiftcard?partyId=${partyId}</@ofbizUrl>">${uiLabelMap.AccountingCreateNewGiftCard}</a></li> > <li><a > href="<@ofbizUrl>editcreditcard?partyId=${partyId}</@ofbizUrl>">${uiLabelMap.AccountingCreateNewCreditCard}</a></li> > @@ -67,7 +67,7 @@ under the License. > ${creditCard.lastNameOnCard} > <#if > creditCard.suffixOnCard?has_content> ${creditCard.suffixOnCard}</#if> > - > - <#if security.hasEntityPermission("PAY_INFO", "_VIEW", > session)> > + <#if security.hasEntityPermission("PAY_INFO", "_VIEW", > session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> > ${creditCard.cardType} > <@maskSensitiveNumber > cardNumber=creditCard.cardNumber?if_exists/> > ${creditCard.expireDate} > @@ -83,7 +83,7 @@ under the License. > <#if security.hasEntityPermission("MANUAL", "_PAYMENT", > session)> > <a > href="/accounting/control/manualETx?paymentMethodId=${paymentMethod.paymentMethodId}${externalKeyParam}">${uiLabelMap.PartyManualTx}</a> > </#if> > - <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", > session)> > + <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", > session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> > <a > href="<@ofbizUrl>editcreditcard?partyId=${partyId}&paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonUpdate}</a> > </#if> > <#-- </td> --> 
> @@ -93,7 +93,7 @@ under the License. > ${uiLabelMap.AccountingGiftCard} > </td> > <td> > - <#if security.hasEntityPermission("PAY_INFO", "_VIEW", > session)> > + <#if security.hasEntityPermission("PAY_INFO", "_VIEW", > session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> > ${giftCard.cardNumber?default("N/A")} > [${giftCard.pinNumber?default("N/A")}] > <#else> > <@maskSensitiveNumber > cardNumber=giftCard.cardNumber?if_exists/> > @@ -105,7 +105,7 @@ under the License. > <#if > paymentMethod.thruDate?has_content><b>(${uiLabelMap.PartyContactEffectiveThru}: ${paymentMethod.thruDate.toString()}</b></#if> > </td> > <td class="button-col"> > - <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", > session)> > + <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", > session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> > <a > href="<@ofbizUrl>editgiftcard?partyId=${partyId}&paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonUpdate}</a> > </#if> > <#-- </td> --> > @@ -121,7 +121,7 @@ under the License. > <#if > paymentMethod.thruDate?has_content><b>(${uiLabelMap.PartyContactEffectiveThru}: ${paymentMethod.thruDate.toString()}</#if> > </td> > <td class="button-col"> > - <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", > session)> > + <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", > session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> > <a > href="<@ofbizUrl>editeftaccount?partyId=${partyId}&paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonUpdate}</a> > </#if> > <#-- </td> --> 
> @@ -143,7 +143,7 @@ under the License. > <td class="button-col"> > > </#if> > - <#if security.hasEntityPermission("PAY_INFO", "_DELETE", > session)> > + <#if security.hasEntityPermission("PAY_INFO", "_DELETE", > session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> > <a > href="<@ofbizUrl>deletePaymentMethod/viewprofile?partyId=${partyId}&paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonExpire}</a> > <#else> > > > Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java?rev=1353381&r1=1353380&r2=1353381&view=diff > ============================================================================== > --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java > (original) > +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java Mon > Jun 25 02:22:58 2012 > @@ -184,6 +184,9 @@ public class ServiceUtil { > *<b>security check</b>: userLogin partyId must equal partyId, or must > have [secEntity][secOperation] permission > */ > public static String getPartyIdCheckSecurity(GenericValue userLogin, > Security security, Map<String, ? extends Object> context, Map<String, Object> > result, String secEntity, String secOperation) { > + return getPartyIdCheckSecurity(userLogin, security, context, result, > secEntity, secOperation, null, null); > + } > + public static String getPartyIdCheckSecurity(GenericValue userLogin, > Security security, Map<String, ? extends Object> context, Map<String, Object> > result, String secEntity, String secOperation, String adminSecEntity, String > adminSecOperation) { > String partyId = (String) context.get("partyId"); > Locale locale = getLocale(context); > if (UtilValidate.isEmpty(partyId)) { 
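Review bot: The new eight-argument getPartyIdCheckSecurity overload now carries the permission logic but has no Javadoc, while the existing comment block still documents only the six-argument form and says nothing about the admin pair being optional. Add a Javadoc above the new overload stating that `adminSecEntity`/`adminSecOperation` name a second permission that also grants access and that passing `null` for either of them disables that check, matching the `adminSecEntity != null && adminSecOperation != null` guard in the following hunk. A blank line between the closing `}` of the delegating overload and the new `public static` declaration would also match the file's spacing. Both methods extend past the end of this hunk.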
> @@ -198,9 +201,9 @@ public class ServiceUtil { > return partyId; > } > > - // <b>security check</b>: userLogin partyId must equal partyId, or > must have PARTYMGR_CREATE permission > + // <b>security check</b>: userLogin partyId must equal partyId, or > must have either of the two permissions > if (!partyId.equals(userLogin.getString("partyId"))) { > - if (!security.hasEntityPermission(secEntity, secOperation, > userLogin)) { > + if (!security.hasEntityPermission(secEntity, secOperation, > userLogin) && !(adminSecEntity != null && adminSecOperation != null && > security.hasEntityPermission(adminSecEntity, adminSecOperation, userLogin))) { > result.put(ModelService.RESPONSE_MESSAGE, > ModelService.RESPOND_ERROR); > String errMsg = > UtilProperties.getMessage(ServiceUtil.resource, > "serviceUtil.no_permission_to_operation", locale) + "."; > result.put(ModelService.ERROR_MESSAGE, errMsg); > >
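Review bot: The rewritten comment `or must have either of the two permissions` is less precise than the line it replaced, because the second permission is optional and is skipped when either admin argument is null. Reword it to `// <b>security check</b>: userLogin partyId must equal partyId, or must have [secEntity][secOperation] permission or, when an admin pair is supplied, [adminSecEntity][adminSecOperation]`. The negated compound condition on the next line would read more easily with the admin test hoisted into a local, `boolean hasAdminPermission = adminSecEntity != null && adminSecOperation != null && security.hasEntityPermission(adminSecEntity, adminSecOperation, userLogin);` followed by `if (!security.hasEntityPermission(secEntity, secOperation, userLogin) && !hasAdminPermission) {`. The method continues past the end of the hunk.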