search

brustj / tracmor

Automatically exported from code.google.com/p/tracmor
GNU General Public License v2.0
0 stars 0 forks source link

User authorization not enforced #32

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
What steps will reproduce the problem?
1. Create User Role with the following authorizations:
Assets Enabled: View=All, Edit=Owner, Delete=Owner, All other modules disabled
2. Create a New User w/ the above User Role
3. Login as new user
4. From shortcut menu, choose any transaction shortcut, i.e. Move, Check
Out, Check In or Reserve
5. Perform any transaction & save

What is the expected output? What do you see instead?
Expected output is something like "you do not have access to this page",
instead user is able to perform an "editing" transaction with an asset that
he is not owner of and save. However, user is not able to perform any
editing transaction that he is not owner of within the asset record itself
(i.e. buttons are grayed out). 

Please use labels and text to provide additional information.

Original issue reported on code.google.com by lyndi...@gmail.com on 27 Apr 2007 at 11:57

GoogleCodeExporter commented 8 years ago 
This has been fixed. It was an issue for all interfaces where you were adding
inventory and assets. So I've fixed it on the transaction pages for assets and
inventory, as well as in the shipping and receipt modules.

Original comment by hunterje...@gmail.com on 29 Apr 2007 at 9:33