Posted to dev@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2007/12/23 23:06:43 UTC
[jira] Closed: (OFBIZ-1532) Run GiftCertificateServices.createTransaction as system user
[ https://issues.apache.org/jira/browse/OFBIZ-1532?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-1532.
----------------------------------
Resolution: Fixed
Fix Version/s: SVN trunk
Adrian,
I looked at the code and wondered why you asked me to look at it. Then I remembered that you posted a message on dev ML on this topic. Here it is:
One more thing to keep in mind with the GL posting SECAs - I changed the permissions a little in the
accounting component.
When I worked on converting permission checking to the permission service, I kept all permissions
the same except two. One of them was called ACCOUNTING_ATX_POST or something like that. There was a
note in the seed data that the permission was used to allow other applications to post GL
transactions without having to give the user full access to the accounting component. What concerned
me was, someone using OFBiz could assign this permission to a user without fully understanding the
implications. With that permission, a user could post ANY GL transaction - not just the intended
one. So I removed the permission from the seed data and updated the notes in the seed data file. I
checked to see if the permission was actually being used in the project, but I couldn't find it
anywhere - so I assumed removing it wouldn't break anything.
The best way to handle GL posting permissions (in my opinion) is to keep the GL posting services
locked down with the ACCTG_ATX_* permissions - so that only an accountant is given those
permissions. External apps that need to post to GL can have permission service SECAs that analyze
their particular transaction to see if the user is allowed to post that transaction.
Ideally, external apps posting to GL wouldn't need to assign any additional permissions to the user.
The permission SECAs decision would be based on the validity of the data in the transaction, not on
the user's permissions.
-Adrian
I understand but in my case it's much more convenient and understandable to use a system userLogin with admin rights when calling the service. So I finally committed my (slightly reformatted) changes in trunk. rev. 606625
This is not the only place where such a trick is used, see also OrderServices.java[1157] and CheckOutHelper.java[627]
I will open a new issue for the "The question [Gift Card Number:] requires a valid gift-card number." problem.
> Run GiftCertificateServices.createTransaction as system user
> ------------------------------------------------------------
>
> Key: OFBIZ-1532
> URL: https://issues.apache.org/jira/browse/OFBIZ-1532
> Project: OFBiz
> Issue Type: Bug
> Components: accounting
> Affects Versions: SVN trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: SVN trunk
>
> Attachments: GiftCertificateServices.java.patch
>
>
> To be able to run GiftCertificateServices.createTransaction (to create a Gift Certificate from eCommerce : Gift Card Activation) we have to run as system user (it needs ACCTG_ATX_CREATE)
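Added example, not part of the original message and not OFBiz code: a self-contained Java model of the two approaches discussed above, a posting gate that requires ACCTG_ATX_CREATE versus a check that decides on the transaction data, plus what the gate sees when the call is made under a system identity. The class, record and method names, the GIFT_CERT_ACTIVATION label and the sample data are assumptions made for illustration.

```java
import java.math.BigDecimal;
import java.util.Map;
import java.util.Set;

/** Hypothetical model (not OFBiz code) of a GL posting service and its permission checks. */
public class GlPostingPermissionDemo {
    record User(String id, Set<String> permissions) {}
    record GlTransaction(String type, String sourceId, BigDecimal amount) {}

    // Constructed sample data: gift certificates already paid for and awaiting activation.
    static final Map<String, BigDecimal> PAID_GIFT_CERTS =
            Map.of("GC-1001", new BigDecimal("50.00"));

    /** Locked-down rule: only holders of ACCTG_ATX_CREATE (an accountant) may post. */
    static boolean hasAccountingPermission(User user) {
        return user.permissions().contains("ACCTG_ATX_CREATE");
    }

    /** Transaction-scoped rule: the decision rests on the data, not on the caller's permissions. */
    static boolean giftCertTransactionIsValid(GlTransaction tx) {
        BigDecimal paid = PAID_GIFT_CERTS.get(tx.sourceId());
        return "GIFT_CERT_ACTIVATION".equals(tx.type())   // assumed type label
                && paid != null
                && paid.compareTo(tx.amount()) == 0;        // amount must match what was paid
    }

    /** Gate in front of the posting service: accountant permission OR a valid scoped transaction. */
    static boolean mayPost(User user, GlTransaction tx) {
        return hasAccountingPermission(user) || giftCertTransactionIsValid(tx);
    }

    /** Calling under a system identity: the permission test always passes, so any
     *  validation has to happen in the calling code before the identity is swapped. */
    static boolean mayPostAsSystem(GlTransaction tx) {
        User system = new User("system", Set.of("ACCTG_ATX_CREATE"));
        return mayPost(system, tx);
    }

    public static void main(String[] args) {
        User shopper = new User("shopper1", Set.of());   // eCommerce customer, no accounting rights
        GlTransaction activation =
                new GlTransaction("GIFT_CERT_ACTIVATION", "GC-1001", new BigDecimal("50.00"));
        GlTransaction arbitrary =
                new GlTransaction("JOURNAL_ENTRY", "NONE", new BigDecimal("9999.00"));

        System.out.println("shopper, valid activation: " + mayPost(shopper, activation));
        System.out.println("shopper, arbitrary entry:  " + mayPost(shopper, arbitrary));
        System.out.println("system, arbitrary entry:   " + mayPostAsSystem(arbitrary));
    }
}
```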