"Manage Available Accounts via User Channel Rel" permission granting more access than intended?
Written By
Peter Schwarcz
How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!
While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.
Legacy Article
You are viewing an article from our legacy "FastTrack"
publication program, made available for informational purposes. Articles
in this program were published without a requirement for independent
editing or verification and are provided"as is" without
guarantee.
Before using any information from this article, independently verify its
suitability for your situation and project.
Issue
- We discovered that assigning the "Manage Available Accounts via User Channel Rel" permission to a role will enable the assignees to edit, or manage users of a certain Account. We believe this particular permission should not enable them to perform these actions.
- Could you please confirm if this a bug, and if so, can it be addressed?
Environment
- Liferay DXP 7.4
- Commerce
- Minium theme
Resolution
- We can confirm the “Manage Available Accounts via User Channel Rel“ permission is working as intended, in this sense.
- According to the code, first there is a check to see if the current user has the required permissions (UPDATE, MANAGE_USERS, etc.) to perform the action. If not, then Liferay proceeds with checking account-agent user relationship, that is if the user is a Channel Account Manager and grants permission in that case.
-
The expected behavior for the same scenario is also documented on COMMERCE-10004
Did this article resolve your issue ?