Author: hansbak
Date: Mon Jun 25 02:22:58 2012
New Revision: 1353381
URL: http://svn.apache.org/viewvc?rev=1353381&view=rev
Log:
Give ACCOUNTING_ADMIN the same access as PAY_INFO_ADMIN because it is part of
the accounting component
Modified:
ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml
ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml
ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java
ofbiz/trunk/applications/accounting/widget/GlScreens.xml
ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl
ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy
ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl
ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java
Modified:
ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml?rev=1353381&r1=1353380&r2=1353381&view=diff
==============================================================================
---
ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml
(original)
+++
ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml
Mon Jun 25 02:22:58 2012
@@ -26,7 +26,6 @@ under the License.
<SecurityGroupPermission groupId="BIZADMIN" permissionId="PAYPROC_ADMIN"/>
<!-- Payment Information security -->
- <SecurityGroupPermission groupId="FULLADMIN"
permissionId="PAY_INFO_ADMIN"/>
<SecurityGroupPermission groupId="FLEXADMIN"
permissionId="PAY_INFO_CREATE"/>
<SecurityGroupPermission groupId="FLEXADMIN"
permissionId="PAY_INFO_DELETE"/>
<SecurityGroupPermission groupId="FLEXADMIN"
permissionId="PAY_INFO_UPDATE"/>
Modified:
ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml?rev=1353381&r1=1353380&r2=1353381&view=diff
==============================================================================
---
ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml
(original)
+++
ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml
Mon Jun 25 02:22:58 2012
@@ -68,7 +68,6 @@ under the License.
<!-- add admin to SUPER permission group -->
<SecurityGroupPermission groupId="SUPER" permissionId="ACCOUNTING_ADMIN"/>
- <SecurityGroupPermission groupId="SUPER" permissionId="PAY_INFO_ADMIN"/>
<SecurityGroupPermission groupId="SUPER"
permissionId="ACCOUNTING_COMM_VIEW"/>
<SecurityGroupPermission groupId="SUPER"
permissionId="ACCOUNTING_PRINT_CHECKS"/>
<SecurityGroupPermission groupId="SUPER" permissionId="ACCTG_PREF_ADMIN"/>
Modified:
ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml?rev=1353381&r1=1353380&r2=1353381&view=diff
==============================================================================
---
ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml
(original)
+++
ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml
Mon Jun 25 02:22:58 2012
@@ -24,6 +24,7 @@ under the License.
<if>
<condition>
<and>
+ <not><if-has-permission permission="ACCOUNTING"
action="_ADMIN"/></not>
<not><if-has-permission permission="PAY_INFO"
action="_CREATE"/></not>
<not><if-compare-field field="userLogin.partyId"
to-field="parameters.partyIdFrom" operator="equals"/></not>
<not><if-compare-field field="userLogin.partyId"
to-field="parameters.partyIdTo" operator="equals"/></not>
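Review bot: The negated `<and>` in this permission check now has four clauses and is easy to misread, and nothing in the hunk states which grants let the caller through. A comment above the `<if>` would record the rule, e.g. `<!-- deny unless the caller has ACCOUNTING_ADMIN or PAY_INFO_CREATE, or is partyIdFrom/partyIdTo of the payment -->`. The same applies to the hunk at -86,6, with PAY_INFO_UPDATE and `payment.partyIdFrom`/`payment.partyIdTo`. The branch that returns the error lies outside both hunks, so the failure path should be confirmed there.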
@@ -86,6 +87,7 @@ under the License.
<if>
<condition>
<and>
+ <not><if-has-permission permission="ACCOUNTING"
action="_ADMIN"/></not>
<not><if-has-permission permission="PAY_INFO"
action="_UPDATE"/></not>
<not><if-compare-field field="userLogin.partyId"
to-field="payment.partyIdFrom" operator="equals"/></not>
<not><if-compare-field field="userLogin.partyId" to-field="payment.partyIdTo"
operator="equals"/></not>
Modified:
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java?rev=1353381&r1=1353380&r2=1353381&view=diff
==============================================================================
---
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java
(original)
+++
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java
Mon Jun 25 02:22:58 2012
@@ -89,7 +89,7 @@ public class PaymentMethodServices {
// <b>security check</b>: userLogin partyId must equal paymentMethod
partyId, or must have PAY_INFO_DELETE permission
if (paymentMethod.get("partyId") == null ||
!paymentMethod.getString("partyId").equals(userLogin.getString("partyId"))) {
- if (!security.hasEntityPermission("PAY_INFO", "_DELETE",
userLogin)) {
+ if (!security.hasEntityPermission("PAY_INFO", "_DELETE", userLogin) &&
!security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)) {
return
ServiceUtil.returnError(UtilProperties.getMessage(resourceError,
"AccountingPaymentMethodNoPermissionToDelete",
locale));
}
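Review bot: The security-check comment at the top of this hunk still says the caller must own the payment method or hold PAY_INFO_DELETE, but the new condition also accepts ACCOUNTING_ADMIN. Update it to match, e.g. `// security check: userLogin partyId must equal paymentMethod partyId, or must have PAY_INFO_DELETE or ACCOUNTING_ADMIN permission`. The change widens who may delete another party's payment method, and within this hunk the comment is the only statement of the intended authorization rule. The method starts and ends outside the hunk.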
@@ -139,7 +139,7 @@ public class PaymentMethodServices {
Timestamp now = UtilDateTime.nowTimestamp();
- String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context, result,
"PAY_INFO", "_CREATE");
+ String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context, result,
"PAY_INFO", "_CREATE", "ACCOUNTING", "_ADMIN");
if (result.size() > 0) return result;
@@ -260,7 +260,7 @@ public class PaymentMethodServices {
Timestamp now = UtilDateTime.nowTimestamp();
- String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context, result,
"PAY_INFO", "_UPDATE");
+ String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context, result,
"PAY_INFO", "_UPDATE", "ACCOUNTING", "_ADMIN");
if (result.size() > 0) return result;
@@ -286,7 +286,7 @@ public class PaymentMethodServices {
return ServiceUtil.returnError(UtilProperties.getMessage(resource,
"AccountingCreditCardUpdateWithPaymentMethodId", locale) +
paymentMethodId);
}
- if (!paymentMethod.getString("partyId").equals(partyId) &&
!security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin)) {
+ if (!paymentMethod.getString("partyId").equals(partyId) && !security.hasEntityPermission("PAY_INFO",
"_UPDATE", userLogin) && !security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)) {
return ServiceUtil.returnError(UtilProperties.getMessage(resource,
"AccountingCreditCardUpdateWithoutPermission",
UtilMisc.toMap("partyId", partyId,
"paymentMethodId", paymentMethodId), locale));
@@ -488,7 +488,7 @@ public class PaymentMethodServices {
Timestamp now = UtilDateTime.nowTimestamp();
- String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context, result,
"PAY_INFO", "_CREATE");
+ String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context, result,
"PAY_INFO", "_CREATE", "ACCOUNTING", "_ADMIN");
if (result.size() > 0)
return result;
@@ -545,7 +545,7 @@ public class PaymentMethodServices {
Timestamp now = UtilDateTime.nowTimestamp();
- String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context, result,
"PAY_INFO", "_UPDATE");
+ String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context, result,
"PAY_INFO", "_UPDATE", "ACCOUNTING", "_ADMIN");
if (result.size() > 0)
return result;
@@ -574,7 +574,7 @@ public class PaymentMethodServices {
"AccountingGiftCardCannotBeUpdated",
UtilMisc.toMap("errorString", paymentMethodId), locale));
}
- if (!paymentMethod.getString("partyId").equals(partyId) &&
!security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin)) {
+ if (!paymentMethod.getString("partyId").equals(partyId) && !security.hasEntityPermission("PAY_INFO",
"_UPDATE", userLogin) && !security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)) {
return
ServiceUtil.returnError(UtilProperties.getMessage(resourceError,
"AccountingGiftCardPartyNotAuthorized",
UtilMisc.toMap("partyId", partyId, "paymentMethodId",
paymentMethodId), locale));
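Review bot: `paymentMethod.getString("partyId").equals(partyId)` in the rewritten condition throws a NullPointerException when the stored payment method has no partyId, a case the delete path in this same file guards with `paymentMethod.get("partyId") == null`. Comparing from the other side gives an explicit deny instead of an exception inside the authorization check: `if (!partyId.equals(paymentMethod.getString("partyId")) && ...`. This assumes partyId is non-null after the `result.size() > 0` return, which happens outside this hunk. The same expression appears in the credit-card hunk at -286,7 and the EFT hunk at -806,7.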
@@ -679,7 +679,7 @@ public class PaymentMethodServices {
Timestamp now = UtilDateTime.nowTimestamp();
- String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context, result,
"PAY_INFO", "_CREATE");
+ String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context, result,
"PAY_INFO", "_CREATE", "ACCOUNTING", "_ADMIN");
if (result.size() > 0) return result;
@@ -777,7 +777,7 @@ public class PaymentMethodServices {
Timestamp now = UtilDateTime.nowTimestamp();
- String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context, result,
"PAY_INFO", "_UPDATE");
+ String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context, result,
"PAY_INFO", "_UPDATE", "ACCOUNTING", "_ADMIN");
if (result.size() > 0) return result;
@@ -806,7 +806,7 @@ public class PaymentMethodServices {
"AccountingEftAccountCannotBeUpdated",
UtilMisc.toMap("errorString", paymentMethodId), locale));
}
- if (!paymentMethod.getString("partyId").equals(partyId) &&
!security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin)) {
+ if (!paymentMethod.getString("partyId").equals(partyId) && !security.hasEntityPermission("PAY_INFO",
"_UPDATE", userLogin) && !security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)) {
return
ServiceUtil.returnError(UtilProperties.getMessage(resourceError,
"AccountingEftAccountCannotBeUpdated",
UtilMisc.toMap("partyId", partyId, "paymentMethodId",
paymentMethodId), locale));
Modified: ofbiz/trunk/applications/accounting/widget/GlScreens.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/GlScreens.xml?rev=1353381&r1=1353380&r2=1353381&view=diff
==============================================================================
--- ofbiz/trunk/applications/accounting/widget/GlScreens.xml (original)
+++ ofbiz/trunk/applications/accounting/widget/GlScreens.xml Mon Jun 25
02:22:58 2012
@@ -445,7 +445,12 @@ under the License.
<decorator-screen name="CommonAdminChecksDecorator"
location="${parameters.mainDecoratorLocation}">
<decorator-section name="checks-body">
<section>
- <condition><if-has-permission permission="PAY_INFO"
action="_UPDATE"/></condition>
+ <condition>
+ <or>
+ <if-has-permission permission="ACCOUNTING"
action="_ADMIN"/>
+ <if-has-permission permission="PAY_INFO"
action="_UPDATE"/>
+ </or>
+ </condition>
<widgets>
<screenlet
title="${uiLabelMap.AccountingSendChecks}">
<include-form name="ListChecksToSend"
location="component://accounting/widget/PaymentForms.xml"/>
Modified:
ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl?rev=1353381&r1=1353380&r2=1353381&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl
(original)
+++ ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl
Mon Jun 25 02:22:58 2012
@@ -54,7 +54,7 @@ under the License.
<#assign statusItem = payment.getRelatedOne("StatusItem", false)>
<#assign partyName = delegator.findOne("PartyNameView", {"partyId" :
payment.partyIdTo}, true)>
<tr>
- <#if security.hasPermission("PAY_INFO_VIEW", session) ||
security.hasPermission("PAY_INFO_ADMIN", session)>
+ <#if security.hasEntityPermission("PAY_INFO", "_VIEW", session) ||
security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
<td><a
href="/accounting/control/paymentOverview?paymentId=${payment.paymentId}">${payment.paymentId}</a></td>
<#else>
<td>${payment.paymentId}</td>
@@ -342,7 +342,7 @@ under the License.
<#if
creditCard.suffixOnCard?has_content> ${creditCard.suffixOnCard}</#if>
<br />
- <#if security.hasEntityPermission("PAY_INFO", "_VIEW",
session)>
+ <#if security.hasEntityPermission("PAY_INFO", "_VIEW", session) ||
security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
${creditCard.cardType}
<@maskSensitiveNumber
cardNumber=creditCard.cardNumber?if_exists/>
${creditCard.expireDate}
@@ -469,7 +469,7 @@ under the License.
<td valign="top" width="60%">
<div>
<#if giftCard?has_content>
- <#if security.hasEntityPermission("PAY_INFO", "_VIEW",
session)>
+ <#if security.hasEntityPermission("PAY_INFO", "_VIEW", session) ||
security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
${giftCard.cardNumber?default("N/A")}
[${giftCard.pinNumber?default("N/A")}]
[<#if
oppStatusItem?exists>${oppStatusItem.get("description",locale)}<#else>${orderPaymentPreference.statusId}</#if>]
<#else>
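Review bot: The widened condition in this hunk guards the branch that prints `giftCard.cardNumber` and `giftCard.pinNumber` unmasked, so every ACCOUNTING_ADMIN holder now sees gift card numbers and PINs in clear on the order page. The same branch is widened in PaymentMethods.ftl at -93,7, where the `<#else>` side uses `maskSensitiveNumber`. If accounting administrators only need to identify the card, consider keeping the unmasked branch on PAY_INFO_VIEW alone and giving ACCOUNTING_ADMIN the masked output. Otherwise record the decision in a template comment such as `<#-- ACCOUNTING_ADMIN intentionally sees the full gift card number and PIN -->`.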
@@ -596,7 +596,7 @@ under the License.
<#if "CREDIT_CARD" == paymentMethod.paymentMethodTypeId>
<#assign creditCard = paymentMethodValueMap.creditCard/>
<#if (creditCard?has_content)>
- <#if security.hasEntityPermission("PAY_INFO", "_VIEW",
session)>
+ <#if security.hasEntityPermission("PAY_INFO", "_VIEW", session) ||
security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
${creditCard.cardType?if_exists} <@maskSensitiveNumber
cardNumber=creditCard.cardNumber?if_exists/> ${creditCard.expireDate?if_exists}
<#else>
${Static["org.ofbiz.party.contact.ContactHelper"].formatCreditCard(creditCard)}
Modified:
ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy?rev=1353381&r1=1353380&r2=1353381&view=diff
==============================================================================
---
ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy
(original)
+++
ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy
Mon Jun 25 02:22:58 2012
@@ -23,7 +23,7 @@ context.hasCreatePermission = security.h
context.hasUpdatePermission = security.hasEntityPermission("PARTYMGR",
"_UPDATE", session);
context.hasDeletePermission = security.hasEntityPermission("PARTYMGR",
"_DELETE", session);
// extended pay_info permissions
-context.hasPayInfoPermission = security.hasEntityPermission("PAY_INFO",
"_VIEW", session);
+context.hasPayInfoPermission = security.hasEntityPermission("PAY_INFO", "_VIEW", session) ||
security.hasEntityPermission("ACCOUNTING", "_ADMIN", session);
// extended pcm (party contact mechanism) permissions
context.hasPcmCreatePermission = security.hasEntityPermission("PARTYMGR_PCM",
"_CREATE", session);
context.hasPcmUpdatePermission = security.hasEntityPermission("PARTYMGR_PCM",
"_UPDATE", session);
Modified:
ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl?rev=1353381&r1=1353380&r2=1353381&view=diff
==============================================================================
---
ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl
(original)
+++
ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl
Mon Jun 25 02:22:58 2012
@@ -38,7 +38,7 @@ under the License.
<div class="screenlet-title-bar">
<ul>
<li class="h3">${uiLabelMap.PartyPaymentMethodInformation}</li>
- <#if security.hasEntityPermission("PAY_INFO", "_CREATE", session)>
+ <#if security.hasEntityPermission("PAY_INFO", "_CREATE", session) ||
security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
<li><a
href="<@ofbizUrl>editeftaccount?partyId=${partyId}</@ofbizUrl>">${uiLabelMap.AccountingCreateNewEftAccount}</a></li>
<li><a
href="<@ofbizUrl>editgiftcard?partyId=${partyId}</@ofbizUrl>">${uiLabelMap.AccountingCreateNewGiftCard}</a></li>
<li><a
href="<@ofbizUrl>editcreditcard?partyId=${partyId}</@ofbizUrl>">${uiLabelMap.AccountingCreateNewCreditCard}</a></li>
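Review bot: The pair `security.hasEntityPermission("PAY_INFO", ..., session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)` is now repeated in all seven hunks of this template, which makes it easy for one gate to drift from the others in a later change. Evaluate the admin half once near the top, e.g. `<#assign hasAccountingAdmin = security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>`, and use `|| hasAccountingAdmin` in each `<#if>`. These conditions only hide links. The requests behind editcreditcard, editgiftcard, editeftaccount and deletePaymentMethod have to enforce the same rule server-side, which the PaymentMethodServices.java changes in this commit appear to do.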
@@ -67,7 +67,7 @@ under the License.
${creditCard.lastNameOnCard}
<#if
creditCard.suffixOnCard?has_content> ${creditCard.suffixOnCard}</#if>
-
- <#if security.hasEntityPermission("PAY_INFO", "_VIEW",
session)>
+ <#if security.hasEntityPermission("PAY_INFO", "_VIEW", session) ||
security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
${creditCard.cardType}
<@maskSensitiveNumber
cardNumber=creditCard.cardNumber?if_exists/>
${creditCard.expireDate}
@@ -83,7 +83,7 @@ under the License.
<#if security.hasEntityPermission("MANUAL", "_PAYMENT",
session)>
<a
href="/accounting/control/manualETx?paymentMethodId=${paymentMethod.paymentMethodId}${externalKeyParam}">${uiLabelMap.PartyManualTx}</a>
</#if>
- <#if security.hasEntityPermission("PAY_INFO", "_UPDATE",
session)>
+ <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", session) ||
security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
<a
href="<@ofbizUrl>editcreditcard?partyId=${partyId}&paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonUpdate}</a>
</#if>
<#-- </td> -->
@@ -93,7 +93,7 @@ under the License.
${uiLabelMap.AccountingGiftCard}
</td>
<td>
- <#if security.hasEntityPermission("PAY_INFO", "_VIEW",
session)>
+ <#if security.hasEntityPermission("PAY_INFO", "_VIEW", session) ||
security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
${giftCard.cardNumber?default("N/A")}
[${giftCard.pinNumber?default("N/A")}]
<#else>
<@maskSensitiveNumber
cardNumber=giftCard.cardNumber?if_exists/>
@@ -105,7 +105,7 @@ under the License.
<#if
paymentMethod.thruDate?has_content><b>(${uiLabelMap.PartyContactEffectiveThru}: ${paymentMethod.thruDate.toString()}</b></#if>
</td>
<td class="button-col">
- <#if security.hasEntityPermission("PAY_INFO", "_UPDATE",
session)>
+ <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", session) ||
security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
<a
href="<@ofbizUrl>editgiftcard?partyId=${partyId}&paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonUpdate}</a>
</#if>
<#-- </td> -->
@@ -121,7 +121,7 @@ under the License.
<#if
paymentMethod.thruDate?has_content><b>(${uiLabelMap.PartyContactEffectiveThru}: ${paymentMethod.thruDate.toString()}</#if>
</td>
<td class="button-col">
- <#if security.hasEntityPermission("PAY_INFO", "_UPDATE",
session)>
+ <#if security.hasEntityPermission("PAY_INFO", "_UPDATE", session) ||
security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
<a
href="<@ofbizUrl>editeftaccount?partyId=${partyId}&paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonUpdate}</a>
</#if>
<#-- </td> -->
@@ -143,7 +143,7 @@ under the License.
<td class="button-col">
</#if>
- <#if security.hasEntityPermission("PAY_INFO", "_DELETE",
session)>
+ <#if security.hasEntityPermission("PAY_INFO", "_DELETE", session) ||
security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
<a
href="<@ofbizUrl>deletePaymentMethod/viewprofile?partyId=${partyId}&paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonExpire}</a>
<#else>
Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java?rev=1353381&r1=1353380&r2=1353381&view=diff
==============================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java
(original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java Mon
Jun 25 02:22:58 2012
@@ -184,6 +184,9 @@ public class ServiceUtil {
*<b>security check</b>: userLogin partyId must equal partyId, or must
have [secEntity][secOperation] permission
*/
public static String getPartyIdCheckSecurity(GenericValue userLogin, Security
security, Map<String, ? extends Object> context, Map<String, Object> result,
String secEntity, String secOperation) {
+ return getPartyIdCheckSecurity(userLogin, security, context, result,
secEntity, secOperation, null, null);
+ }
+ public static String getPartyIdCheckSecurity(GenericValue userLogin, Security
security, Map<String, ? extends Object> context, Map<String, Object> result,
String secEntity, String secOperation, String adminSecEntity, String adminSecOperation) {
String partyId = (String) context.get("partyId");
Locale locale = getLocale(context);
if (UtilValidate.isEmpty(partyId)) {
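Review bot: The new eight-argument `getPartyIdCheckSecurity` is public but has no Javadoc, because the existing comment block now sits on the six-argument overload only. Add a Javadoc on the new overload stating that `adminSecEntity`/`adminSecOperation` name an additional permission that also allows acting for another party, and that passing null for either one disables that alternative. Its body continues past the end of this hunk.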
@@ -198,9 +201,9 @@ public class ServiceUtil {
return partyId;
}
- // <b>security check</b>: userLogin partyId must equal partyId, or
must have PARTYMGR_CREATE permission
+ // <b>security check</b>: userLogin partyId must equal partyId, or
must have either of the two permissions
if (!partyId.equals(userLogin.getString("partyId"))) {
- if (!security.hasEntityPermission(secEntity, secOperation,
userLogin)) {
+ if (!security.hasEntityPermission(secEntity, secOperation, userLogin) &&
!(adminSecEntity != null && adminSecOperation != null &&
security.hasEntityPermission(adminSecEntity, adminSecOperation, userLogin))) {
result.put(ModelService.RESPONSE_MESSAGE,
ModelService.RESPOND_ERROR);
String errMsg = UtilProperties.getMessage(ServiceUtil.resource,
"serviceUtil.no_permission_to_operation", locale) + ".";
result.put(ModelService.ERROR_MESSAGE, errMsg);
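Review bot: The inner `if` mixes two null checks with two permission lookups in one negated expression, which is hard to audit for an authorization decision. Pull the optional part into a local, `boolean hasAdminPermission = adminSecEntity != null && adminSecOperation != null && security.hasEntityPermission(adminSecEntity, adminSecOperation, userLogin);`, and test `if (!security.hasEntityPermission(secEntity, secOperation, userLogin) && !hasAdminPermission) {`. As written, a caller that passes only one of the two admin arguments silently gets no admin alternative. That fails closed, which is the safe direction, but it deserves a comment. The method continues after the hunk.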