If I had to guess, I would think your proposition would be reversed:
PAY_INFO should grant limited access to ACCOUNTING functionality.
On 26/06/2012, at 12:01 PM, Hans Bakker wrote:

> Yes Jacopo, I know all that, but the question is as I wrote:
> 
> The question here is do you really want to allow access for ACCOUNTING_CREATE 
> to have the same access as PAY_INFO_CREATE? Perhaps the intention here was 
> that, by creating a separate action PAY_INFO, the ACCOUNTING_CREATE should not 
> have access.
> 
> Regards,
> Hans
> 
> On 06/26/2012 03:54 AM, Jacopo Cappellato wrote:
>> Hi Hans,
>> 
>> I think that the intended meaning is the following:
>> 
>> ACCOUNTING_<ACTION>: global permission to all parts of the Accounting 
>> application when performing the <ACTION>
>> ACCOUNTING_ADMIN: global permission to all parts of the Accounting 
>> application when performing all the actions
>> 
>> So for example:
>> 
>> ACCOUNTING_CREATE: global permission to CREATE all records in the Accounting 
>> application
>> 
>> In other words:
>> 
>> ACCOUNTING_ADMIN = ACCOUNTING_CREATE + ACCOUNTING_UPDATE + ACCOUNTING_DELETE 
>> + ACCOUNTING_VIEW
>> 
>> (and it is not more than this).
>> 
>> Jacopo
>> 
>> 
>> On Jun 25, 2012, at 9:46 PM, Hans Bakker wrote:
>> 
>>> Hi Jacopo,
>>> 
>>> thanks for reviewing this commit, my compliments for your work in this area.
>>> 
>>> The question here is do you really want to allow access for 
>>> ACCOUNTING_CREATE to have the same access as PAY_INFO_CREATE? Perhaps the 
>>> intention here was that, by creating a separate action PAY_INFO, the 
>>> ACCOUNTING_CREATE should not have access.
>>> 
>>> The reason for my commit is that ACCOUNTING_ADMIN should really, as the 
>>> description states, have full access to the complete accounting component, 
>>> and I did not want to change the other permissions.
>>> 
>>> Personally I am fine with your suggestion and sure, yes, we can do it that 
>>> way...
>>> 
>>> Regards,
>>> Hans
>>> 
>>> 
>>> On 06/25/2012 09:27 PM, Jacopo Cappellato wrote:
>>>> Hi Hans,
>>>> 
>>>> I understand the issue you are fixing in this commit (and at least another 
>>>> one from last week) but I disagree with the approach.
>>>> We should never add permission checks on the *_ADMIN permissions: we 
>>>> should instead always use one of the fine-grained _CREATE, _UPDATE, 
>>>> _DELETE; the _ADMIN permission will be automatically checked by the 
>>>> framework if the fine-grained ones fail.
>>>> So instead of (for example):
>>>> 
>>>>> @@ -24,6 +24,7 @@ under the License.
>>>>>         <if>
>>>>>             <condition>
>>>>>                 <and>
>>>>> +                    <not><if-has-permission permission="ACCOUNTING" 
>>>>> action="_ADMIN"/></not>
>>>>>                     <not><if-has-permission permission="PAY_INFO" 
>>>>> action="_CREATE"/></not>
>>>>>                     <not><if-compare-field field="userLogin.partyId" 
>>>>> to-field="parameters.partyIdFrom" operator="equals"/></not>
>>>>>                     <not><if-compare-field field="userLogin.partyId" 
>>>>> to-field="parameters.partyIdTo" operator="equals"/></not>
>>>> you should have:
>>>> 
>>>>> @@ -24,6 +24,7 @@ under the License.
>>>>>         <if>
>>>>>             <condition>
>>>>>                 <and>
>>>>> +                    <not><if-has-permission permission="ACCOUNTING" 
>>>>> action="_CREATE"/></not>
>>>>>                     <not><if-has-permission permission="PAY_INFO" 
>>>>> action="_CREATE"/></not>
>>>>>                     <not><if-compare-field field="userLogin.partyId" 
>>>>> to-field="parameters.partyIdFrom" operator="equals"/></not>
>>>>>                     <not><if-compare-field field="userLogin.partyId" 
>>>>> to-field="parameters.partyIdTo" operator="equals"/></not>
>>>> 
>>>> The code above will grant access to users having at least one of the 
>>>> following:
>>>> PAY_INFO_CREATE
>>>> PAY_INFO_ADMIN
>>>> ACCOUNTING_CREATE
>>>> ACCOUNTING_ADMIN
>>>> 
>>>> Kind regards,
>>>> 
>>>> Jacopo
>>>> 
>>>> 
>>>> On Jun 25, 2012, at 4:23 AM, hans...@apache.org wrote:
>>>> 
>>>>> Author: hansbak
>>>>> Date: Mon Jun 25 02:22:58 2012
>>>>> New Revision: 1353381
>>>>> 
>>>>> URL: http://svn.apache.org/viewvc?rev=1353381&view=rev
>>>>> Log:
>>>>> Give ACCOUNTING_ADMIN the same access as PAY_INFO_ADMIN because it is part 
>>>>> of the accounting component
>>>>> 
>>>>> Modified:
>>>>>    ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml
>>>>>    ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml
>>>>>    ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml
>>>>>    ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java
>>>>>    ofbiz/trunk/applications/accounting/widget/GlScreens.xml
>>>>>    ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl
>>>>>    ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy
>>>>>    ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl
>>>>>    ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java
>>>>> 
>>>>> Modified: 
>>>>> ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml
>>>>> URL: 
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml?rev=1353381&r1=1353380&r2=1353381&view=diff
>>>>> ==============================================================================
>>>>> --- 
>>>>> ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml
>>>>>  (original)
>>>>> +++ 
>>>>> ofbiz/trunk/applications/accounting/data/AccountingSecurityGroupDemoData.xml
>>>>>  Mon Jun 25 02:22:58 2012
>>>>> @@ -26,7 +26,6 @@ under the License.
>>>>>     <SecurityGroupPermission groupId="BIZADMIN" 
>>>>> permissionId="PAYPROC_ADMIN"/>
>>>>> 
>>>>>     <!-- Payment Information security -->
>>>>> -    <SecurityGroupPermission groupId="FULLADMIN" 
>>>>> permissionId="PAY_INFO_ADMIN"/>
>>>>>     <SecurityGroupPermission groupId="FLEXADMIN" 
>>>>> permissionId="PAY_INFO_CREATE"/>
>>>>>     <SecurityGroupPermission groupId="FLEXADMIN" 
>>>>> permissionId="PAY_INFO_DELETE"/>
>>>>>     <SecurityGroupPermission groupId="FLEXADMIN" 
>>>>> permissionId="PAY_INFO_UPDATE"/>
>>>>> 
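Review bot: dropping PAY_INFO_ADMIN from FULLADMIN only preserves that group's payment-info access if FULLADMIN also holds ACCOUNTING_ADMIN, and this hunk does not show that grant; please confirm it exists in the same file. Any check that still calls only hasEntityPermission("PAY_INFO", ...) without the new ACCOUNTING _ADMIN alternative would now deny FULLADMIN.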
>>>>> Modified: 
>>>>> ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml
>>>>> URL: 
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml?rev=1353381&r1=1353380&r2=1353381&view=diff
>>>>> ==============================================================================
>>>>> --- 
>>>>> ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml
>>>>>  (original)
>>>>> +++ 
>>>>> ofbiz/trunk/applications/accounting/data/AccountingSecurityPermissionSeedData.xml
>>>>>  Mon Jun 25 02:22:58 2012
>>>>> @@ -68,7 +68,6 @@ under the License.
>>>>> 
>>>>>     <!-- add admin to SUPER permission group -->
>>>>>     <SecurityGroupPermission groupId="SUPER" 
>>>>> permissionId="ACCOUNTING_ADMIN"/>
>>>>> -    <SecurityGroupPermission groupId="SUPER" 
>>>>> permissionId="PAY_INFO_ADMIN"/>
>>>>>     <SecurityGroupPermission groupId="SUPER" 
>>>>> permissionId="ACCOUNTING_COMM_VIEW"/>
>>>>>     <SecurityGroupPermission groupId="SUPER" 
>>>>> permissionId="ACCOUNTING_PRINT_CHECKS"/>
>>>>>     <SecurityGroupPermission groupId="SUPER" 
>>>>> permissionId="ACCTG_PREF_ADMIN"/>
>>>>> 
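Review bot: PAY_INFO_ADMIN is removed from the SUPER group, but no hunk in this diff removes the permission's own definition, so it stays defined yet unassigned; either remove the definition too or say in the log that it is kept for existing installations.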
>>>>> Modified: 
>>>>> ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml
>>>>> URL: 
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml?rev=1353381&r1=1353380&r2=1353381&view=diff
>>>>> ==============================================================================
>>>>> --- 
>>>>> ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml
>>>>>  (original)
>>>>> +++ 
>>>>> ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml
>>>>>  Mon Jun 25 02:22:58 2012
>>>>> @@ -24,6 +24,7 @@ under the License.
>>>>>         <if>
>>>>>             <condition>
>>>>>                 <and>
>>>>> +                    <not><if-has-permission permission="ACCOUNTING" 
>>>>> action="_ADMIN"/></not>
>>>>>                     <not><if-has-permission permission="PAY_INFO" 
>>>>> action="_CREATE"/></not>
>>>>>                     <not><if-compare-field field="userLogin.partyId" 
>>>>> to-field="parameters.partyIdFrom" operator="equals"/></not>
>>>>>                     <not><if-compare-field field="userLogin.partyId" 
>>>>> to-field="parameters.partyIdTo" operator="equals"/></not>
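Review bot: the added clause checks ACCOUNTING with action _ADMIN, while the neighbouring PAY_INFO clause uses the fine-grained _CREATE and relies on the framework to accept PAY_INFO_ADMIN; the consistent form here is `<not><if-has-permission permission="ACCOUNTING" action="_CREATE"/></not>`, which the framework widens to ACCOUNTING_ADMIN by itself (the same applies to the _UPDATE hunk below). If the intent is that ACCOUNTING_CREATE must not grant this, a comment in the condition should say so, since readers will otherwise expect the fine-grained form.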
>>>>> @@ -86,6 +87,7 @@ under the License.
>>>>>         <if>
>>>>>             <condition>
>>>>>                 <and>
>>>>> +                    <not><if-has-permission permission="ACCOUNTING" 
>>>>> action="_ADMIN"/></not>
>>>>>                     <not><if-has-permission permission="PAY_INFO" 
>>>>> action="_UPDATE"/></not>
>>>>>                     <not><if-compare-field field="userLogin.partyId" 
>>>>> to-field="payment.partyIdFrom" operator="equals"/></not>
>>>>>                     <not><if-compare-field field="userLogin.partyId" 
>>>>> to-field="payment.partyIdTo" operator="equals"/></not>
>>>>> 
>>>>> Modified: 
>>>>> ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java
>>>>> URL: 
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java?rev=1353381&r1=1353380&r2=1353381&view=diff
>>>>> ==============================================================================
>>>>> --- 
>>>>> ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java
>>>>>  (original)
>>>>> +++ 
>>>>> ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentMethodServices.java
>>>>>  Mon Jun 25 02:22:58 2012
>>>>> @@ -89,7 +89,7 @@ public class PaymentMethodServices {
>>>>> 
>>>>>         // <b>security check</b>: userLogin partyId must equal 
>>>>> paymentMethod partyId, or must have PAY_INFO_DELETE permission
>>>>>         if (paymentMethod.get("partyId") == null || 
>>>>> !paymentMethod.getString("partyId").equals(userLogin.getString("partyId")))
>>>>>  {
>>>>> -            if (!security.hasEntityPermission("PAY_INFO", "_DELETE", 
>>>>> userLogin)) {
>>>>> +            if (!security.hasEntityPermission("PAY_INFO", "_DELETE", 
>>>>> userLogin) && !security.hasEntityPermission("ACCOUNTING", "_ADMIN", 
>>>>> userLogin)) {
>>>>>                 return 
>>>>> ServiceUtil.returnError(UtilProperties.getMessage(resourceError,
>>>>>                         "AccountingPaymentMethodNoPermissionToDelete", 
>>>>> locale));
>>>>>             }
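Review bot: the comment two lines above the changed condition still reads "or must have PAY_INFO_DELETE permission", but the condition now also accepts ACCOUNTING _ADMIN; update the comment to match.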
>>>>> @@ -139,7 +139,7 @@ public class PaymentMethodServices {
>>>>> 
>>>>>         Timestamp now = UtilDateTime.nowTimestamp();
>>>>> 
>>>>> -        String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, 
>>>>> security, context, result, "PAY_INFO", "_CREATE");
>>>>> +        String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, 
>>>>> security, context, result, "PAY_INFO", "_CREATE", "ACCOUNTING", "_ADMIN");
>>>>> 
>>>>>         if (result.size() > 0) return result;
>>>>> 
>>>>> @@ -260,7 +260,7 @@ public class PaymentMethodServices {
>>>>> 
>>>>>         Timestamp now = UtilDateTime.nowTimestamp();
>>>>> 
>>>>> -        String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, 
>>>>> security, context, result, "PAY_INFO", "_UPDATE");
>>>>> +        String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, 
>>>>> security, context, result, "PAY_INFO", "_UPDATE", "ACCOUNTING", "_ADMIN");
>>>>> 
>>>>>         if (result.size() > 0) return result;
>>>>> 
>>>>> @@ -286,7 +286,7 @@ public class PaymentMethodServices {
>>>>>             return 
>>>>> ServiceUtil.returnError(UtilProperties.getMessage(resource,
>>>>>                     "AccountingCreditCardUpdateWithPaymentMethodId", 
>>>>> locale) + paymentMethodId);
>>>>>         }
>>>>> -        if (!paymentMethod.getString("partyId").equals(partyId) && 
>>>>> !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin)) {
>>>>> +        if (!paymentMethod.getString("partyId").equals(partyId) && 
>>>>> !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin) && 
>>>>> !security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)) {
>>>>>             return 
>>>>> ServiceUtil.returnError(UtilProperties.getMessage(resource,
>>>>>                     "AccountingCreditCardUpdateWithoutPermission", 
>>>>> UtilMisc.toMap("partyId", partyId,
>>>>>                             "paymentMethodId", paymentMethodId), locale));
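Review bot: the three-term condition `!paymentMethod.getString("partyId").equals(partyId) && !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin) && !security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)` is repeated for the credit card, gift card and EFT account paths in this file; since the commit already adds an overload of ServiceUtil.getPartyIdCheckSecurity taking the admin entity and operation, a small shared helper for this owner-or-permission check would keep the three sites from drifting.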
>>>>> @@ -488,7 +488,7 @@ public class PaymentMethodServices {
>>>>> 
>>>>>         Timestamp now = UtilDateTime.nowTimestamp();
>>>>> 
>>>>> -        String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, 
>>>>> security, context, result, "PAY_INFO", "_CREATE");
>>>>> +        String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, 
>>>>> security, context, result, "PAY_INFO", "_CREATE", "ACCOUNTING", "_ADMIN");
>>>>> 
>>>>>         if (result.size() > 0)
>>>>>             return result;
>>>>> @@ -545,7 +545,7 @@ public class PaymentMethodServices {
>>>>> 
>>>>>         Timestamp now = UtilDateTime.nowTimestamp();
>>>>> 
>>>>> -        String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, 
>>>>> security, context, result, "PAY_INFO", "_UPDATE");
>>>>> +        String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, 
>>>>> security, context, result, "PAY_INFO", "_UPDATE", "ACCOUNTING", "_ADMIN");
>>>>> 
>>>>>         if (result.size() > 0)
>>>>>             return result;
>>>>> @@ -574,7 +574,7 @@ public class PaymentMethodServices {
>>>>>                     "AccountingGiftCardCannotBeUpdated",
>>>>>                     UtilMisc.toMap("errorString", paymentMethodId), 
>>>>> locale));
>>>>>         }
>>>>> -        if (!paymentMethod.getString("partyId").equals(partyId) && 
>>>>> !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin)) {
>>>>> +        if (!paymentMethod.getString("partyId").equals(partyId) && 
>>>>> !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin) && 
>>>>> !security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)) {
>>>>>             return 
>>>>> ServiceUtil.returnError(UtilProperties.getMessage(resourceError,
>>>>>                     "AccountingGiftCardPartyNotAuthorized",
>>>>>                     UtilMisc.toMap("partyId", partyId, "paymentMethodId", 
>>>>> paymentMethodId), locale));
>>>>> @@ -679,7 +679,7 @@ public class PaymentMethodServices {
>>>>> 
>>>>>         Timestamp now = UtilDateTime.nowTimestamp();
>>>>> 
>>>>> -        String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, 
>>>>> security, context, result, "PAY_INFO", "_CREATE");
>>>>> +        String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, 
>>>>> security, context, result, "PAY_INFO", "_CREATE", "ACCOUNTING", "_ADMIN");
>>>>> 
>>>>>         if (result.size() > 0) return result;
>>>>> 
>>>>> @@ -777,7 +777,7 @@ public class PaymentMethodServices {
>>>>> 
>>>>>         Timestamp now = UtilDateTime.nowTimestamp();
>>>>> 
>>>>> -        String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, 
>>>>> security, context, result, "PAY_INFO", "_UPDATE");
>>>>> +        String partyId = ServiceUtil.getPartyIdCheckSecurity(userLogin, 
>>>>> security, context, result, "PAY_INFO", "_UPDATE", "ACCOUNTING", "_ADMIN");
>>>>> 
>>>>>         if (result.size() > 0) return result;
>>>>> 
>>>>> @@ -806,7 +806,7 @@ public class PaymentMethodServices {
>>>>>                     "AccountingEftAccountCannotBeUpdated",
>>>>>                     UtilMisc.toMap("errorString", paymentMethodId), 
>>>>> locale));
>>>>>         }
>>>>> -        if (!paymentMethod.getString("partyId").equals(partyId) && 
>>>>> !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin)) {
>>>>> +        if (!paymentMethod.getString("partyId").equals(partyId) && 
>>>>> !security.hasEntityPermission("PAY_INFO", "_UPDATE", userLogin) && 
>>>>> !security.hasEntityPermission("ACCOUNTING", "_ADMIN", userLogin)) {
>>>>>             return 
>>>>> ServiceUtil.returnError(UtilProperties.getMessage(resourceError,
>>>>>                     "AccountingEftAccountCannotBeUpdated",
>>>>>                     UtilMisc.toMap("partyId", partyId, "paymentMethodId", 
>>>>> paymentMethodId), locale));
>>>>> 
>>>>> Modified: ofbiz/trunk/applications/accounting/widget/GlScreens.xml
>>>>> URL: 
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/GlScreens.xml?rev=1353381&r1=1353380&r2=1353381&view=diff
>>>>> ==============================================================================
>>>>> --- ofbiz/trunk/applications/accounting/widget/GlScreens.xml (original)
>>>>> +++ ofbiz/trunk/applications/accounting/widget/GlScreens.xml Mon Jun 25 
>>>>> 02:22:58 2012
>>>>> @@ -445,7 +445,12 @@ under the License.
>>>>>                 <decorator-screen name="CommonAdminChecksDecorator" 
>>>>> location="${parameters.mainDecoratorLocation}">
>>>>>                     <decorator-section name="checks-body">
>>>>>                         <section>
>>>>> -                        <condition><if-has-permission 
>>>>> permission="PAY_INFO" action="_UPDATE"/></condition>
>>>>> +                        <condition>
>>>>> +                            <or>
>>>>> +                                <if-has-permission 
>>>>> permission="ACCOUNTING" action="_ADMIN"/>
>>>>> +                                <if-has-permission permission="PAY_INFO" 
>>>>> action="_UPDATE"/>
>>>>> +                            </or>
>>>>> +                        </condition>
>>>>>                         <widgets>
>>>>>                             <screenlet 
>>>>> title="${uiLabelMap.AccountingSendChecks}">
>>>>>                                 <include-form name="ListChecksToSend" 
>>>>> location="component://accounting/widget/PaymentForms.xml"/>
>>>>> 
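Review bot: the new <or> pairs PAY_INFO/_UPDATE with ACCOUNTING/_ADMIN; following the fine-grained scheme used for the PAY_INFO side, ACCOUNTING/_UPDATE is the matching action, and if-has-permission already lets ACCOUNTING_ADMIN pass that check, so the explicit _ADMIN branch is redundant.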
>>>>> Modified: 
>>>>> ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl
>>>>> URL: 
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl?rev=1353381&r1=1353380&r2=1353381&view=diff
>>>>> ==============================================================================
>>>>> --- 
>>>>> ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl 
>>>>> (original)
>>>>> +++ 
>>>>> ofbiz/trunk/applications/order/webapp/ordermgr/order/orderpaymentinfo.ftl 
>>>>> Mon Jun 25 02:22:58 2012
>>>>> @@ -54,7 +54,7 @@ under the License.
>>>>>            <#assign statusItem = payment.getRelatedOne("StatusItem", 
>>>>> false)>
>>>>>            <#assign partyName = delegator.findOne("PartyNameView", 
>>>>> {"partyId" : payment.partyIdTo}, true)>
>>>>>            <tr>
>>>>> -             <#if security.hasPermission("PAY_INFO_VIEW", session) || 
>>>>> security.hasPermission("PAY_INFO_ADMIN", session)>
>>>>> +             <#if security.hasEntityPermission("PAY_INFO", "_VIEW", 
>>>>> session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
>>>>>                <td><a 
>>>>> href="/accounting/control/paymentOverview?paymentId=${payment.paymentId}">${payment.paymentId}</a></td>
>>>>>              <#else>
>>>>>                <td>${payment.paymentId}</td>
>>>>> @@ -342,7 +342,7 @@ under the License.
>>>>>                       <#if 
>>>>> creditCard.suffixOnCard?has_content>&nbsp;${creditCard.suffixOnCard}</#if>
>>>>>                       <br />
>>>>> 
>>>>> -                      <#if security.hasEntityPermission("PAY_INFO", 
>>>>> "_VIEW", session)>
>>>>> +                      <#if security.hasEntityPermission("PAY_INFO", 
>>>>> "_VIEW", session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", 
>>>>> session)>
>>>>>                         ${creditCard.cardType}
>>>>>                         <@maskSensitiveNumber 
>>>>> cardNumber=creditCard.cardNumber?if_exists/>
>>>>>                         ${creditCard.expireDate}
>>>>> @@ -469,7 +469,7 @@ under the License.
>>>>>                 <td valign="top" width="60%">
>>>>>                   <div>
>>>>>                     <#if giftCard?has_content>
>>>>> -                      <#if security.hasEntityPermission("PAY_INFO", 
>>>>> "_VIEW", session)>
>>>>> +                      <#if security.hasEntityPermission("PAY_INFO", 
>>>>> "_VIEW", session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", 
>>>>> session)>
>>>>>                         ${giftCard.cardNumber?default("N/A")} 
>>>>> [${giftCard.pinNumber?default("N/A")}]
>>>>>                         &nbsp;[<#if 
>>>>> oppStatusItem?exists>${oppStatusItem.get("description",locale)}<#else>${orderPaymentPreference.statusId}</#if>]
>>>>>                       <#else>
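Review bot: this branch prints the gift card number and PIN in clear (`${giftCard.cardNumber?default("N/A")} [${giftCard.pinNumber?default("N/A")}]`), so the added ACCOUNTING _ADMIN alternative widens who sees the unmasked PIN; the log message should call that out. The credit-card branches above widen in the same way, though there the number at least goes through maskSensitiveNumber.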
>>>>> @@ -596,7 +596,7 @@ under the License.
>>>>>                <#if "CREDIT_CARD" == paymentMethod.paymentMethodTypeId>
>>>>>                  <#assign creditCard = paymentMethodValueMap.creditCard/>
>>>>>                  <#if (creditCard?has_content)>
>>>>> -                   <#if security.hasEntityPermission("PAY_INFO", 
>>>>> "_VIEW", session)>
>>>>> +                   <#if security.hasEntityPermission("PAY_INFO", 
>>>>> "_VIEW", session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", 
>>>>> session)>
>>>>>                      ${creditCard.cardType?if_exists} 
>>>>> <@maskSensitiveNumber cardNumber=creditCard.cardNumber?if_exists/> 
>>>>> ${creditCard.expireDate?if_exists}
>>>>>                    <#else>
>>>>>                      
>>>>> ${Static["org.ofbiz.party.contact.ContactHelper"].formatCreditCard(creditCard)}
>>>>> 
>>>>> Modified: 
>>>>> ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy
>>>>> URL: 
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy?rev=1353381&r1=1353380&r2=1353381&view=diff
>>>>> ==============================================================================
>>>>> --- 
>>>>> ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy
>>>>>  (original)
>>>>> +++ 
>>>>> ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/actions/HasPartyPermissions.groovy
>>>>>  Mon Jun 25 02:22:58 2012
>>>>> @@ -23,7 +23,7 @@ context.hasCreatePermission = security.h
>>>>> context.hasUpdatePermission = security.hasEntityPermission("PARTYMGR", 
>>>>> "_UPDATE", session);
>>>>> context.hasDeletePermission = security.hasEntityPermission("PARTYMGR", 
>>>>> "_DELETE", session);
>>>>> // extended pay_info permissions
>>>>> -context.hasPayInfoPermission = security.hasEntityPermission("PAY_INFO", 
>>>>> "_VIEW", session);
>>>>> +context.hasPayInfoPermission = security.hasEntityPermission("PAY_INFO", 
>>>>> "_VIEW", session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", 
>>>>> session);
>>>>> // extended pcm (party contact mechanism) permissions
>>>>> context.hasPcmCreatePermission = 
>>>>> security.hasEntityPermission("PARTYMGR_PCM", "_CREATE", session);
>>>>> context.hasPcmUpdatePermission = 
>>>>> security.hasEntityPermission("PARTYMGR_PCM", "_UPDATE", session);
>>>>> 
>>>>> Modified: 
>>>>> ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl
>>>>> URL: 
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl?rev=1353381&r1=1353380&r2=1353381&view=diff
>>>>> ==============================================================================
>>>>> --- 
>>>>> ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl
>>>>>  (original)
>>>>> +++ 
>>>>> ofbiz/trunk/applications/party/webapp/partymgr/party/profileblocks/PaymentMethods.ftl
>>>>>  Mon Jun 25 02:22:58 2012
>>>>> @@ -38,7 +38,7 @@ under the License.
>>>>>     <div class="screenlet-title-bar">
>>>>>       <ul>
>>>>>         <li class="h3">${uiLabelMap.PartyPaymentMethodInformation}</li>
>>>>> -        <#if security.hasEntityPermission("PAY_INFO", "_CREATE", 
>>>>> session)>
>>>>> +        <#if security.hasEntityPermission("PAY_INFO", "_CREATE", 
>>>>> session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
>>>>>           <li><a 
>>>>> href="<@ofbizUrl>editeftaccount?partyId=${partyId}</@ofbizUrl>">${uiLabelMap.AccountingCreateNewEftAccount}</a></li>
>>>>>           <li><a 
>>>>> href="<@ofbizUrl>editgiftcard?partyId=${partyId}</@ofbizUrl>">${uiLabelMap.AccountingCreateNewGiftCard}</a></li>
>>>>>           <li><a 
>>>>> href="<@ofbizUrl>editcreditcard?partyId=${partyId}</@ofbizUrl>">${uiLabelMap.AccountingCreateNewCreditCard}</a></li>
>>>>> @@ -67,7 +67,7 @@ under the License.
>>>>>                   ${creditCard.lastNameOnCard}
>>>>>                   <#if 
>>>>> creditCard.suffixOnCard?has_content>&nbsp;${creditCard.suffixOnCard}</#if>
>>>>>                   &nbsp;-&nbsp;
>>>>> -                  <#if security.hasEntityPermission("PAY_INFO", "_VIEW", 
>>>>> session)>
>>>>> +                  <#if security.hasEntityPermission("PAY_INFO", "_VIEW", 
>>>>> session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
>>>>>                     ${creditCard.cardType}
>>>>>                     <@maskSensitiveNumber 
>>>>> cardNumber=creditCard.cardNumber?if_exists/>
>>>>>                     ${creditCard.expireDate}
>>>>> @@ -83,7 +83,7 @@ under the License.
>>>>>                   <#if security.hasEntityPermission("MANUAL", "_PAYMENT", 
>>>>> session)>
>>>>>                     <a 
>>>>> href="/accounting/control/manualETx?paymentMethodId=${paymentMethod.paymentMethodId}${externalKeyParam}">${uiLabelMap.PartyManualTx}</a>
>>>>>                   </#if>
>>>>> -                  <#if security.hasEntityPermission("PAY_INFO", 
>>>>> "_UPDATE", session)>
>>>>> +                  <#if security.hasEntityPermission("PAY_INFO", 
>>>>> "_UPDATE", session) || security.hasEntityPermission("ACCOUNTING", 
>>>>> "_ADMIN", session)>
>>>>>                     <a 
>>>>> href="<@ofbizUrl>editcreditcard?partyId=${partyId}&amp;paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonUpdate}</a>
>>>>>                   </#if>
>>>>>                 <#-- </td> -->
>>>>> @@ -93,7 +93,7 @@ under the License.
>>>>>                   ${uiLabelMap.AccountingGiftCard}
>>>>>                 </td>
>>>>>                 <td>
>>>>> -                  <#if security.hasEntityPermission("PAY_INFO", "_VIEW", 
>>>>> session)>
>>>>> +                  <#if security.hasEntityPermission("PAY_INFO", "_VIEW", 
>>>>> session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
>>>>>                     ${giftCard.cardNumber?default("N/A")} 
>>>>> [${giftCard.pinNumber?default("N/A")}]
>>>>>                   <#else>
>>>>>                     <@maskSensitiveNumber 
>>>>> cardNumber=giftCard.cardNumber?if_exists/>
>>>>> @@ -105,7 +105,7 @@ under the License.
>>>>>                   <#if 
>>>>> paymentMethod.thruDate?has_content><b>(${uiLabelMap.PartyContactEffectiveThru}:&nbsp;${paymentMethod.thruDate.toString()}</b></#if>
>>>>>                 </td>
>>>>>                 <td class="button-col">
>>>>> -                  <#if security.hasEntityPermission("PAY_INFO", 
>>>>> "_UPDATE", session)>
>>>>> +                  <#if security.hasEntityPermission("PAY_INFO", 
>>>>> "_UPDATE", session) || security.hasEntityPermission("ACCOUNTING", 
>>>>> "_ADMIN", session)>
>>>>>                     <a 
>>>>> href="<@ofbizUrl>editgiftcard?partyId=${partyId}&amp;paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonUpdate}</a>
>>>>>                   </#if>
>>>>>                 <#-- </td> -->
>>>>> @@ -121,7 +121,7 @@ under the License.
>>>>>                   <#if 
>>>>> paymentMethod.thruDate?has_content><b>(${uiLabelMap.PartyContactEffectiveThru}:&nbsp;${paymentMethod.thruDate.toString()}</#if>
>>>>>                 </td>
>>>>>                 <td class="button-col">
>>>>> -                  <#if security.hasEntityPermission("PAY_INFO", 
>>>>> "_UPDATE", session)>
>>>>> +                  <#if security.hasEntityPermission("PAY_INFO", 
>>>>> "_UPDATE", session) || security.hasEntityPermission("ACCOUNTING", 
>>>>> "_ADMIN", session)>
>>>>>                     <a 
>>>>> href="<@ofbizUrl>editeftaccount?partyId=${partyId}&amp;paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonUpdate}</a>
>>>>>                   </#if>
>>>>>                 <#-- </td> -->
>>>>> @@ -143,7 +143,7 @@ under the License.
>>>>>                 <td class="button-col">
>>>>>                   &nbsp;
>>>>>               </#if>
>>>>> -              <#if security.hasEntityPermission("PAY_INFO", "_DELETE", 
>>>>> session)>
>>>>> +              <#if security.hasEntityPermission("PAY_INFO", "_DELETE", 
>>>>> session) || security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)>
>>>>>                 <a 
>>>>> href="<@ofbizUrl>deletePaymentMethod/viewprofile?partyId=${partyId}&amp;paymentMethodId=${paymentMethod.paymentMethodId}</@ofbizUrl>">${uiLabelMap.CommonExpire}</a>
>>>>>               <#else>
>>>>>                 &nbsp;
>>>>> 
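Review bot: the `|| security.hasEntityPermission("ACCOUNTING", "_ADMIN", session)` alternative is pasted into seven conditions in this template; HasPartyPermissions.groovy in this same commit computes context.hasPayInfoPermission once, and the same pattern (one assignment per action at the top of the template) would make a later policy change a one-line edit here.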
>>>>> Modified: 
>>>>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java
>>>>> URL: 
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java?rev=1353381&r1=1353380&r2=1353381&view=diff
>>>>> ==============================================================================
>>>>> --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java 
>>>>> (original)
>>>>> +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceUtil.java 
>>>>> Mon Jun 25 02:22:58 2012
>>>>> @@ -184,6 +184,9 @@ public class ServiceUtil {
>>>>>      *<b>security check</b>: userLogin partyId must equal partyId, or 
>>>>> must have [secEntity][secOperation] permission
>>>>>      */
>>>>>     public static String getPartyIdCheckSecurity(GenericValue userLogin, 
>>>>> Security security, Map<String, ? extends Object> context, Map<String, 
>>>>> Object> result, String secEntity, String secOperation) {
>>>>> +        return getPartyIdCheckSecurity(userLogin, security, context, 
>>>>> result, secEntity, secOperation, null, null);
>>>>> +    }
>>>>> +    public static String getPartyIdCheckSecurity(GenericValue userLogin, 
>>>>> Security security, Map<String, ? extends Object> context, Map<String, 
>>>>> Object> result, String secEntity, String secOperation, String 
>>>>> adminSecEntity, String adminSecOperation) {
>>>>>         String partyId = (String) context.get("partyId");
>>>>>         Locale locale = getLocale(context);
>>>>>         if (UtilValidate.isEmpty(partyId)) {
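Review bot: the new eight-argument overload has no javadoc, and the comment above the six-argument one still describes only [secEntity][secOperation]; document that adminSecEntity/adminSecOperation are an optional second permission and that null disables it. Note also that every caller left on the six-argument form passes null for both and therefore sees no change, so ACCOUNTING_ADMIN still fails those checks.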
>>>>> @@ -198,9 +201,9 @@ public class ServiceUtil {
>>>>>             return partyId;
>>>>>         }
>>>>> 
>>>>> -        // <b>security check</b>: userLogin partyId must equal partyId, 
>>>>> or must have PARTYMGR_CREATE permission
>>>>> +        // <b>security check</b>: userLogin partyId must equal partyId, 
>>>>> or must have either of the two permissions
>>>>>         if (!partyId.equals(userLogin.getString("partyId"))) {
>>>>> -            if (!security.hasEntityPermission(secEntity, secOperation, 
>>>>> userLogin)) {
>>>>> +            if (!security.hasEntityPermission(secEntity, secOperation, 
>>>>> userLogin) && !(adminSecEntity != null && adminSecOperation != null && 
>>>>> security.hasEntityPermission(adminSecEntity, adminSecOperation, 
>>>>> userLogin))) {
>>>>>                 result.put(ModelService.RESPONSE_MESSAGE, 
>>>>> ModelService.RESPOND_ERROR);
>>>>>                 String errMsg = 
>>>>> UtilProperties.getMessage(ServiceUtil.resource, 
>>>>> "serviceUtil.no_permission_to_operation", locale) + ".";
>>>>>                 result.put(ModelService.ERROR_MESSAGE, errMsg);
>>>>> 
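Review bot: the updated comment "or must have either of the two permissions" is inaccurate for callers of the six-argument overload, where adminSecEntity and adminSecOperation are null and only the first permission is consulted; "or must have [secEntity][secOperation], or the optional [adminSecEntity][adminSecOperation] permission" would be exact.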
>>>>> 
>>> 
> 
> 
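
The permission semantics Jacopo describes (a fine-grained check such as PAY_INFO/_CREATE passes on PAY_INFO_CREATE, with PAY_INFO_ADMIN as the framework's fallback), the two variants of the PaymentServices.xml condition, and the ServiceUtil.getPartyIdCheckSecurity overload from the commit, modelled in Python as an added example that is not OFBiz code. The party ids U1, P_FROM, P_TO and P2 are constructed sample values.

```python
# Added illustration (not OFBiz code) of the permission semantics discussed in
# the thread: a fine-grained check such as PAY_INFO/_CREATE passes when the user
# holds PAY_INFO_CREATE, and the framework falls back to PAY_INFO_ADMIN. The
# party ids (U1, P_FROM, P_TO, P2) are constructed sample values.


def has_entity_permission(perms, entity, action):
    """Model of security.hasEntityPermission(entity, action, userLogin):
    <entity><action> grants access, and so does <entity>_ADMIN."""
    return (entity + action) in perms or (entity + "_ADMIN") in perms


def may_create_payment(perms, user_party, party_from, party_to, accounting_action):
    """Model of the <condition><and><not>...</not></and></condition> block in
    PaymentServices.xml. Access is denied only when every <not> clause holds:
    no permission matches and the user is neither party to the payment.
    accounting_action is "_ADMIN" (the commit) or "_CREATE" (the suggestion)."""
    denied = (
        not has_entity_permission(perms, "ACCOUNTING", accounting_action)
        and not has_entity_permission(perms, "PAY_INFO", "_CREATE")
        and user_party != party_from
        and user_party != party_to
    )
    return not denied


# Constructed set of single permissions to probe against the condition.
CANDIDATES = ["PAY_INFO_VIEW", "PAY_INFO_CREATE", "PAY_INFO_ADMIN",
              "ACCOUNTING_VIEW", "ACCOUNTING_CREATE", "ACCOUNTING_ADMIN"]


def granting_permissions(accounting_action):
    """Single permissions that let a user who is neither party create the payment."""
    return sorted(p for p in CANDIDATES
                  if may_create_payment({p}, "U1", "P_FROM", "P_TO", accounting_action))


def party_id_check_security(perms, user_party, context_party, sec_entity, sec_op,
                            admin_entity=None, admin_op=None):
    """Model of ServiceUtil.getPartyIdCheckSecurity after the commit: the
    six-argument form passes None for the admin pair, so only the first
    permission is consulted. Returns (partyId, error) mirroring result.put(...)."""
    party_id = context_party if context_party else user_party
    if party_id == user_party:
        return party_id, None            # acting on your own party: no check
    if has_entity_permission(perms, sec_entity, sec_op):
        return party_id, None
    if (admin_entity is not None and admin_op is not None
            and has_entity_permission(perms, admin_entity, admin_op)):
        return party_id, None
    return None, "no_permission_to_operation"


if __name__ == "__main__":
    for action in ("_ADMIN", "_CREATE"):
        print(f"ACCOUNTING{action} check grants:", granting_permissions(action))
    # A caller still on the six-argument overload rejects ACCOUNTING_ADMIN ...
    print(party_id_check_security({"ACCOUNTING_ADMIN"}, "U1", "P2",
                                  "PAY_INFO", "_CREATE"))
    # ... while the eight-argument overload accepts it.
    print(party_id_check_security({"ACCOUNTING_ADMIN"}, "U1", "P2",
                                  "PAY_INFO", "_CREATE", "ACCOUNTING", "_ADMIN"))
```

Running it shows the exact difference the thread argues about: the _ADMIN variant excludes ACCOUNTING_CREATE, the _CREATE variant includes it, and ACCOUNTING_ADMIN passes either way.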
