Hi Hans, I think that the intended meaning is the following:
ACCOUNTING_<ACTION>: global permission to all parts of the Accounting application when performing the <ACTION> ACCOUNTING_ADMIN: global permission to all parts of the Accounting application when performing all the actions So for example: ACCOUNTING_CREATE: global permission to CREATE all records in the Accounting application In other words: ACCOUNTING_ADMIN = ACCOUNTING_CREATE + ACCOUNTING_UPDATE + ACCOUNTING_DELETE + ACCOUNTING_VIEW (and it is not more than this). Jacopo On Jun 25, 2012, at 9:46 PM, Hans Bakker wrote: > Hi Jacopo, > > thanks for reviewing this commit, my compliments for your work in this area. > > The question here is do you really want to allow access for ACCOUNTING_CREATE > to have the same access as PAY_INFO_CREATE ? Perhaps the intention here was > that, by creating a separate action PAY_INFO the ACCOUNTING_CREATE should not > have access. > > The reason of my commit is that ACCOUNTING_ADMIN should really, as the > description states, have full access to the complete accounting component and > I did not want to change the other permissions. > > Personally i am fine with your suggestion and sure yes, we can do it that > way..... > > Regards, > Hans > > > On 06/25/2012 09:27 PM, Jacopo Cappellato wrote: >> Hi Hans, >> >> I understand the issue you are fixing in this commit (and at least another >> one of last week) but I disagree with the approach. >> We should never add permission checks on the *_ADMIN permissions: we should >> instead always use one of the fine grained _CREATE, _UPDATE, _DELETE; the >> _ADMIN permission will be automatically checked by the framework if the fine >> grained ones fail. >> So instead of (for example): >> >>> @@ -24,6 +24,7 @@ under the License. >>> <if> >>> <condition> >>> <and> >>> + <not><if-has-permission permission="ACCOUNTING" >>> action="_ADMIN"/></not> >>> <not><if-has-permission permission="PAY_INFO" >>> action="_CREATE"/></not> >>> <not><if-compare-field field="userLogin.partyId" >>> to-field="parameters.partyIdFrom" operator="equals"/></not> >>> <not><if-compare-field field="userLogin.partyId" >>> to-field="parameters.partyIdTo" operator="equals"/></not> >> you should have: >> >>> @@ -24,6 +24,7 @@ under the License. >>> <if> >>> <condition> >>> <and> >>> + <not><if-has-permission permission="ACCOUNTING" >>> action="_CREATE"/></not> >>> <not><if-has-permission permission="PAY_INFO" >>> action="_CREATE"/></not> >>> <not><if-compare-field field="userLogin.partyId" >>> to-field="parameters.partyIdFrom" operator="equals"/></not> >>> <not><if-compare-field field="userLogin.partyId" >>> to-field="parameters.partyIdTo" operator="equals"/></not> >> >> >> The code above will grant access to users having at least one of the >> following: >> PAYINFO_CREATE >> PAYINFO_ADMIN >> ACCOUNTING_CREATE >> ACCOUNTING_ADMIN >> >> Kind regards, >> >> Jacopo >> >> >> On Jun 25, 2012, at 4:23 AM, hans...@apache.org wrote: >> >>> Author: hansbak >>> Date: Mon Jun 25 02:22:58 2012 >>> New Revision: 1353381 >>> >>> URL: http://svn.apache.org/viewvc?rev=1353381&view=rev >>> Log: >>> Give ACCOUNTING_ADMIN the same access as PAY_INFO_ADMIN because part of >>> accounting component >>> >>> Modified: >>> >>> ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml >>> >>> ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml >>> >>> ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml >>> >>> ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java >>> ofbiz/trunk/applications/accounting/widget/GlScreens.xml >>> ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl >>> >>> ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy >>> >>> ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl >>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java >>> >>> Modified: >>> ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml?rev=1353381&r1=1353380&r2=1353381&view=diff >>> ============================================================================== >>> --- >>> ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml >>> (original) >>> +++ >>> ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml >>> Mon Jun 25 02:22:58 2012 >>> @@ -26,7 +26,6 @@ under the License. >>> <SecurityGroupPermission groupId="BIZADMIN" >>> permissionId="PAYPROC_ADMIN"/> >>> >>> <!-- Payment Information security --> >>> - <SecurityGroupPermission groupId="FULLADMIN" >>> permissionId="PAY_INFO_ADMIN"/> >>> <SecurityGroupPermission groupId="FLEXADMIN" >>> permissionId="PAY_INFO_CREATE"/> >>> <SecurityGroupPermission groupId="FLEXADMIN" >>> permissionId="PAY_INFO_DELETE"/> >>> <SecurityGroupPermission groupId="FLEXADMIN" >>> permissionId="PAY_INFO_UPDATE"/> >>> >>> Modified: >>> ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml?rev=1353381&r1=1353380&r2=1353381&view=diff >>> ============================================================================== >>> --- >>> ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml >>> (original) >>> +++ >>> ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml >>> Mon Jun 25 02:22:58 2012 >>> @@ -68,7 +68,6 @@ under the License. >>> >>> <!-- add admin to SUPER permission group --> >>> <SecurityGroupPermission groupId="SUPER" >>> permissionId="ACCOUNTING_ADMIN"/> >>> - <SecurityGroupPermission groupId="SUPER" >>> permissionId="PAY_INFO_ADMIN"/> >>> <SecurityGroupPermission groupId="SUPER" >>> permissionId="ACCOUNTING_COMM_VIEW"/> >>> <SecurityGroupPermission groupId="SUPER" >>> permissionId="ACCOUNTING_PRINT_CHECKS"/> >>> <SecurityGroupPermission groupId="SUPER" >>> permissionId="ACCTG_PREF_ADMIN"/> >>> >>> Modified: >>> ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml?rev=1353381&r1=1353380&r2=1353381&view=diff >>> ============================================================================== >>> --- >>> ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml >>> (original) >>> +++ >>> ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml >>> Mon Jun 25 02:22:58 2012 >>> @@ -24,6 +24,7 @@ under the License. >>> <if> >>> <condition> >>> <and> >>> + <not><if-has-permission permission="ACCOUNTING" >>> action="_ADMIN"/></not> >>> <not><if-has-permission permission="PAY_INFO" >>> action="_CREATE"/></not> >>> <not><if-compare-field field="userLogin.partyId" >>> to-field="parameters.partyIdFrom" operator="equals"/></not> >>> <not><if-compare-field field="userLogin.partyId" >>> to-field="parameters.partyIdTo" operator="equals"/></not> >>> @@ -86,6 +87,7 @@ under the License. >>> <if> >>> <condition> >>> <and> >>> + <not><if-has-permission permission="ACCOUNTING" >>> action="_ADMIN"/></not> >>> <not><if-has-permission permission="PAY_INFO" >>> action="_UPDATE"/></not> >>> <not><if-compare-field field="userLogin.partyId" >>> to-field="payment.partyIdFrom" operator="equals"/></not> >>> <not><if-compare-field field="userLogin.partyId" >>> to-field="payment.partyIdTo" operator="equals"/></not> >>> >>> Modified: >>> ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java?rev=1353381&r1=1353380&r2=1353381&view=diff >>> ============================================================================== >>> --- >>> ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java >>> (original) >>> +++ >>> ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java >>> Mon Jun 25 02:22:58 2012 >>> @@ -89,7 +89,7 @@ public class PaymentMethodServices { >>> >>> // <b>security check</b>: userLogin partyId must equal >>> paymentMethod partyId, or must have PAY_INFO_DELETE permission >>> if (paymentMethod.get("partyId") == null || >>> !paymentMethod.getString("partyId").equals(userLogin.getString("partyId"))) >>> { >>> - if (!security.hasEntityPermission("PAY_INFO", "_DELETE", >>> userLogin)) { >>> + if (!security.hasEntityPermission("PAY_INFO", "_DELETE", >>> userLogin) && !security.hasEntityPermission("ACCOUNTING", "_ADMIN", >>> userLogin)) { >>> return >>> ServiceUtil.returnError(UtilProperties.getMessage(resourceError, >>> "AccountingPaymentMethodNoPermissionToDelete", >>> locale)); >>> } >>> @@ -139,7 +139,7 @@ public class PaymentMethodServices { >>> >>> Timestamp now = UtilDateTime.nowTimestamp(); >>> >>> - String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, >>> security, context, result, "PAY_INFO", "_CREATE"); >>> + String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, >>> security, context, result, "PAY_INFO", "_CREATE", "ACCOUNTING", "_ADMIN"); >>> >>> if (result.size() > 0) return result; >>> >>> @@ -260,7 +260,7 @@ public class PaymentMethodServices { >>> >>> Timestamp now = UtilDateTime.nowTimestamp(); >>> >>> - String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, >>> security, context, result, "PAY_INFO", "_UPDATE"); >>> + String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, >>> security, context, result, "PAY_INFO", "_UPDATE", "ACCOUNTING", "_ADMIN"); >>> >>> if (result.size() > 0) return result; >>> >>> @@ -286,7 +286,7 @@ public class PaymentMethodServices { >>> return >>> ServiceUtil.returnError(UtilProperties.getMessage(resource, >>> "AccountingCreditCardUpdateWithPaymentMethodId", >>> locale) + paymentMethodId); >>> } >>> - if (!paymentMethod.getString("partyId").equals(partyId) && >>> !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin)) { >>> + if (!paymentMethod.getString("partyId").equals(partyId) && >>> !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin) && >>> !security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)) { >>> return >>> ServiceUtil.returnError(UtilProperties.getMessage(resource, >>> "AccountingCreditCardUpdateWithoutPermission", >>> UtilMisc.toMap("partyId", partyId, >>> "paymentMethodId", paymentMethodId), locale)); >>> @@ -488,7 +488,7 @@ public class PaymentMethodServices { >>> >>> Timestamp now = UtilDateTime.nowTimestamp(); >>> >>> - String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, >>> security, context, result, "PAY_INFO", "_CREATE"); >>> + String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, >>> security, context, result, "PAY_INFO", "_CREATE", "ACCOUNTING", "_ADMIN"); >>> >>> if (result.size() > 0) >>> return result; >>> @@ -545,7 +545,7 @@ public class PaymentMethodServices { >>> >>> Timestamp now = UtilDateTime.nowTimestamp(); >>> >>> - String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, >>> security, context, result, "PAY_INFO", "_UPDATE"); >>> + String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, >>> security, context, result, "PAY_INFO", "_UPDATE", "ACCOUNTING", "_ADMIN"); >>> >>> if (result.size() > 0) >>> return result; >>> @@ -574,7 +574,7 @@ public class PaymentMethodServices { >>> "AccountingGiftCardCannotBeUpdated", >>> UtilMisc.toMap("errorString", paymentMethodId), >>> locale)); >>> } >>> - if (!paymentMethod.getString("partyId").equals(partyId) && >>> !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin)) { >>> + if (!paymentMethod.getString("partyId").equals(partyId) && >>> !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin) && >>> !security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)) { >>> return >>> ServiceUtil.returnError(UtilProperties.getMessage(resourceError, >>> "AccountingGiftCardPartyNotAuthorized", >>> UtilMisc.toMap("partyId", partyId, "paymentMethodId", >>> paymentMethodId), locale)); >>> @@ -679,7 +679,7 @@ public class PaymentMethodServices { >>> >>> Timestamp now = UtilDateTime.nowTimestamp(); >>> >>> - String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, >>> security, context, result, "PAY_INFO", "_CREATE"); >>> + String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, >>> security, context, result, "PAY_INFO", "_CREATE", "ACCOUNTING", "_ADMIN"); >>> >>> if (result.size() > 0) return result; >>> >>> @@ -777,7 +777,7 @@ public class PaymentMethodServices { >>> >>> Timestamp now = UtilDateTime.nowTimestamp(); >>> >>> - String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, >>> security, context, result, "PAY_INFO", "_UPDATE"); >>> + String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, >>> security, context, result, "PAY_INFO", "_UPDATE", "ACCOUNTING", "_ADMIN"); >>> >>> if (result.size() > 0) return result; >>> >>> @@ -806,7 +806,7 @@ public class PaymentMethodServices { >>> "AccountingEftAccountCannotBeUpdated", >>> UtilMisc.toMap("errorString", paymentMethodId), >>> locale)); >>> } >>> - if (!paymentMethod.getString("partyId").equals(partyId) && >>> !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin)) { >>> + if (!paymentMethod.getString("partyId").equals(partyId) && >>> !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin) && >>> !security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)) { >>> return >>> ServiceUtil.returnError(UtilProperties.getMessage(resourceError, >>> "AccountingEftAccountCannotBeUpdated", >>> UtilMisc.toMap("partyId", partyId, "paymentMethodId", >>> paymentMethodId), locale)); >>> >>> Modified: ofbiz/trunk/applications/accounting/widget/GlScreens.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/GlScreens.xml?rev=1353381&r1=1353380&r2=1353381&view=diff >>> ============================================================================== >>> --- ofbiz/trunk/applications/accounting/widget/GlScreens.xml (original) >>> +++ ofbiz/trunk/applications/accounting/widget/GlScreens.xml Mon Jun 25 >>> 02:22:58 2012 >>> @@ -445,7 +445,12 @@ under the License. >>> <decorator-screen name="CommonAdminChecksDecorator" >>> location="${parameters.mainDecoratorLocation}"> >>> <decorator-section name="checks-body"> >>> <section> >>> - <condition><if-has-permission >>> permission="PAY_INFO" action="_UPDATE"/></condition> >>> + <condition> >>> + <or> >>> + <if-has-permission permission="ACCOUNTING" >>> action="_ADMIN"/> >>> + <if-has-permission permission="PAY_INFO" >>> action="_UPDATE"/> >>> + </or> >>> + </condition> >>> <widgets> >>> <screenlet >>> title="${uiLabelMap.AccountingSendChecks}"> >>> <include-form name="ListChecksToSend" >>> location="component://accounting/widget/PaymentForms.xml"/> >>> >>> Modified: >>> ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl?rev=1353381&r1=1353380&r2=1353381&view=diff >>> ============================================================================== >>> --- >>> ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl >>> (original) >>> +++ >>> ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl >>> Mon Jun 25 02:22:58 2012 >>> @@ -54,7 +54,7 @@ under the License. >>> <#assign statusItem = payment.getRelatedOne("StatusItem", false)> >>> <#assign partyName = delegator.findOne("PartyNameView", >>> {"partyId" : payment.partyIdTo}, true)> >>> <tr> >>> - <#if security.hasPermission("PAY_INFO_VIEW", session) || >>> security.hasPermission("PAY_INFO_ADMIN", session)> >>> + <#if security.hasEntityPermission("PAY_INFO", "_VIEW", >>> session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> >>> <td><a >>> href="/accounting/control/paymentOverview?paymentId=${payment.paymentId}">${payment.paymentId}</a></td> >>> <#else> >>> <td>${payment.paymentId}</td> >>> @@ -342,7 +342,7 @@ under the License. >>> <#if >>> creditCard.suffixOnCard?has_content> ${creditCard.suffixOnCard}</#if> >>> <br /> >>> >>> - <#if security.hasEntityPermission("PAY_INFO", >>> "_VIEW", session)> >>> + <#if security.hasEntityPermission("PAY_INFO", >>> "_VIEW", session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", >>> session)> >>> ${creditCard.cardType} >>> <@maskSensitiveNumber >>> cardNumber=creditCard.cardNumber?if_exists/> >>> ${creditCard.expireDate} >>> @@ -469,7 +469,7 @@ under the License. >>> <td valign="top" width="60%"> >>> <div> >>> <#if giftCard?has_content> >>> - <#if security.hasEntityPermission("PAY_INFO", >>> "_VIEW", session)> >>> + <#if security.hasEntityPermission("PAY_INFO", >>> "_VIEW", session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", >>> session)> >>> ${giftCard.cardNumber?default("N/A")} >>> [${giftCard.pinNumber?default("N/A")}] >>> [<#if >>> oppStatusItem?exists>${oppStatusItem.get("description",locale)}<#else>${orderPaymentPreference.statusId}</#if>] >>> <#else> >>> @@ -596,7 +596,7 @@ under the License. >>> <#if "CREDIT_CARD" == paymentMethod.paymentMethodTypeId> >>> <#assign creditCard = paymentMethodValueMap.creditCard/> >>> <#if (creditCard?has_content)> >>> - <#if security.hasEntityPermission("PAY_INFO", "_VIEW", >>> session)> >>> + <#if security.hasEntityPermission("PAY_INFO", "_VIEW", >>> session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> >>> ${creditCard.cardType?if_exists} <@maskSensitiveNumber >>> cardNumber=creditCard.cardNumber?if_exists/> >>> ${creditCard.expireDate?if_exists} >>> <#else> >>> >>> ${Static["org.ofbiz.party.contact.ContactHelper"].formatCreditCard(creditCard)} >>> >>> Modified: >>> ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy?rev=1353381&r1=1353380&r2=1353381&view=diff >>> ============================================================================== >>> --- >>> ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy >>> (original) >>> +++ >>> ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy >>> Mon Jun 25 02:22:58 2012 >>> @@ -23,7 +23,7 @@ context.hasCreatePermission = security.h >>> context.hasUpdatePermission = security.hasEntityPermission("PARTYMGR", >>> "_UPDATE", session); >>> context.hasDeletePermission = security.hasEntityPermission("PARTYMGR", >>> "_DELETE", session); >>> // extended pay_info permissions >>> -context.hasPayInfoPermission = security.hasEntityPermission("PAY_INFO", >>> "_VIEW", session); >>> +context.hasPayInfoPermission = security.hasEntityPermission("PAY_INFO", >>> "_VIEW", session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", >>> session); >>> // extended pcm (party contact mechanism) permissions >>> context.hasPcmCreatePermission = >>> security.hasEntityPermission("PARTYMGR_PCM", "_CREATE", session); >>> context.hasPcmUpdatePermission = >>> security.hasEntityPermission("PARTYMGR_PCM", "_UPDATE", session); >>> >>> Modified: >>> ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl?rev=1353381&r1=1353380&r2=1353381&view=diff >>> ============================================================================== >>> --- >>> ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl >>> (original) >>> +++ >>> ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl >>> Mon Jun 25 02:22:58 2012 >>> @@ -38,7 +38,7 @@ under the License. >>> <div class="screenlet-title-bar"> >>> <ul> >>> <li class="h3">${uiLabelMap.PartyPaymentMethodInformation}</li> >>> - <#if security.hasEntityPermission("PAY_INFO", "_CREATE", session)> >>> + <#if security.hasEntityPermission("PAY_INFO", "_CREATE", session) >>> || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> >>> <li><a >>> href="<@ofbizUrl>editeftaccount?partyId=${partyId}</@ofbizUrl>">${uiLabelMap.AccountingCreateNewEftAccount}</a></li> >>> <li><a >>> href="<@ofbizUrl>editgiftcard?partyId=${partyId}</@ofbizUrl>">${uiLabelMap.AccountingCreateNewGiftCard}</a></li> >>> <li><a >>> href="<@ofbizUrl>editcreditcard?partyId=${partyId}</@ofbizUrl>">${uiLabelMap.AccountingCreateNewCreditCard}</a></li> >>> @@ -67,7 +67,7 @@ under the License. >>> ${creditCard.lastNameOnCard} >>> <#if >>> creditCard.suffixOnCard?has_content> ${creditCard.suffixOnCard}</#if> >>> - >>> - <#if security.hasEntityPermission("PAY_INFO", "_VIEW", >>> session)> >>> + <#if security.hasEntityPermission("PAY_INFO", "_VIEW", >>> session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> >>> ${creditCard.cardType} >>> <@maskSensitiveNumber >>> cardNumber=creditCard.cardNumber?if_exists/> >>> ${creditCard.expireDate} >>> @@ -83,7 +83,7 @@ under the License. >>> <#if security.hasEntityPermission("MANUAL", "_PAYMENT", >>> session)> >>> <a >>> href="/accounting/control/manualETx?paymentMethodId=${paymentMethod.paymentMethodId}${externalKeyParam}">${uiLabelMap.PartyManualTx}</a> >>> </#if> >>> - <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", >>> session)> >>> + <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", >>> session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> >>> <a >>> href="<@ofbizUrl>editcreditcard?partyId=${partyId}&paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonUpdate}</a> >>> </#if> >>> <#-- </td> --> >>> @@ -93,7 +93,7 @@ under the License. >>> ${uiLabelMap.AccountingGiftCard} >>> </td> >>> <td> >>> - <#if security.hasEntityPermission("PAY_INFO", "_VIEW", >>> session)> >>> + <#if security.hasEntityPermission("PAY_INFO", "_VIEW", >>> session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> >>> ${giftCard.cardNumber?default("N/A")} >>> [${giftCard.pinNumber?default("N/A")}] >>> <#else> >>> <@maskSensitiveNumber >>> cardNumber=giftCard.cardNumber?if_exists/> >>> @@ -105,7 +105,7 @@ under the License. >>> <#if >>> paymentMethod.thruDate?has_content><b>(${uiLabelMap.PartyContactEffectiveThru}: ${paymentMethod.thruDate.toString()}</b></#if> >>> </td> >>> <td class="button-col"> >>> - <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", >>> session)> >>> + <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", >>> session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> >>> <a >>> href="<@ofbizUrl>editgiftcard?partyId=${partyId}&paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonUpdate}</a> >>> </#if> >>> <#-- </td> --> >>> @@ -121,7 +121,7 @@ under the License. >>> <#if >>> paymentMethod.thruDate?has_content><b>(${uiLabelMap.PartyContactEffectiveThru}: ${paymentMethod.thruDate.toString()}</#if> >>> </td> >>> <td class="button-col"> >>> - <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", >>> session)> >>> + <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", >>> session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> >>> <a >>> href="<@ofbizUrl>editeftaccount?partyId=${partyId}&paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonUpdate}</a> >>> </#if> >>> <#-- </td> --> >>> @@ -143,7 +143,7 @@ under the License. >>> <td class="button-col"> >>> >>> </#if> >>> - <#if security.hasEntityPermission("PAY_INFO", "_DELETE", >>> session)> >>> + <#if security.hasEntityPermission("PAY_INFO", "_DELETE", >>> session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)> >>> <a >>> href="<@ofbizUrl>deletePaymentMethod/viewprofile?partyId=${partyId}&paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonExpire}</a> >>> <#else> >>> >>> >>> Modified: >>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java?rev=1353381&r1=1353380&r2=1353381&view=diff >>> ============================================================================== >>> --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java >>> (original) >>> +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java >>> Mon Jun 25 02:22:58 2012 >>> @@ -184,6 +184,9 @@ public class ServiceUtil { >>> *<b>security check</b>: userLogin partyId must equal partyId, or must >>> have [secEntity][secOperation] permission >>> */ >>> public static String getPartyIdCheckSecurity(GenericValue userLogin, >>> Security security, Map<String, ? extends Object> context, Map<String, >>> Object> result, String secEntity, String secOperation) { >>> + return getPartyIdCheckSecurity(userLogin, security, context, >>> result, secEntity, secOperation, null, null); >>> + } >>> + public static String getPartyIdCheckSecurity(GenericValue userLogin, >>> Security security, Map<String, ? extends Object> context, Map<String, >>> Object> result, String secEntity, String secOperation, String >>> adminSecEntity, String adminSecOperation) { >>> String partyId = (String) context.get("partyId"); >>> Locale locale = getLocale(context); >>> if (UtilValidate.isEmpty(partyId)) { >>> @@ -198,9 +201,9 @@ public class ServiceUtil { >>> return partyId; >>> } >>> >>> - // <b>security check</b>: userLogin partyId must equal partyId, or >>> must have PARTYMGR_CREATE permission >>> + // <b>security check</b>: userLogin partyId must equal partyId, or >>> must have either of the two permissions >>> if (!partyId.equals(userLogin.getString("partyId"))) { >>> - if (!security.hasEntityPermission(secEntity, secOperation, >>> userLogin)) { >>> + if (!security.hasEntityPermission(secEntity, secOperation, >>> userLogin) && !(adminSecEntity != null && adminSecOperation != null && >>> security.hasEntityPermission(adminSecEntity, adminSecOperation, >>> userLogin))) { >>> result.put(ModelService.RESPONSE_MESSAGE, >>> ModelService.RESPOND_ERROR); >>> String errMsg = >>> UtilProperties.getMessage(ServiceUtil.resource, >>> "serviceUtil.no_permission_to_operation", locale) + "."; >>> result.put(ModelService.ERROR_MESSAGE, errMsg); >>> >>> > >
