[ https://issues.apache.org/jira/browse/OFBIZ-12893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17814687#comment-17814687 ]
Jacques Le Roux commented on OFBIZ-12893: ----------------------------------------- That sounds reasonable to me indeed, would you provide a patch? It could be even backported, it's a kind of low severity: https://security.apache.org/blog/severityrating/ > Screen Security in Party should not show create trigger to user with only > VIEW permission. > ------------------------------------------------------------------------------------------ > > Key: OFBIZ-12893 > URL: https://issues.apache.org/jira/browse/OFBIZ-12893 > Project: OFBiz > Issue Type: Improvement > Components: party > Affects Versions: Upcoming Branch > Reporter: Pierre Smits > Priority: Major > > When accessing > [https://demo-trunk.ofbiz.apache.org/partymgr/control/FindSecurityGroup] as a > user with only VIEW permissions (e.g. userId = auditor) the action trigger to > create something is shown. > This should not be visible to such a user as it leads to an undesired effect > and diminished user experience. -- This message was sent by Atlassian Jira (v8.20.10#820010)