[ https://issues.apache.org/jira/browse/OFBIZ-12893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17814687#comment-17814687 ]

Jacques Le Roux commented on OFBIZ-12893:
-----------------------------------------

That sounds reasonable to me indeed, would you provide a patch?

It could even be backported; it's a kind of low severity:
https://security.apache.org/blog/severityrating/

> Screen Security in Party should not show create trigger to user with only 
> VIEW permission.
> ------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-12893
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12893
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: party
>    Affects Versions: Upcoming Branch
>            Reporter: Pierre Smits
>            Priority: Major
>
> When accessing 
> [https://demo-trunk.ofbiz.apache.org/partymgr/control/FindSecurityGroup] as a 
> user with only VIEW permissions (e.g. userId = auditor) the action trigger to 
> create something is shown.
> This should not be visible to such a user as it leads to an undesired effect 
> and diminished user experience.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
