Description
The Financial Transaction Detail entity type’s default permissions only grant the RSR - Rock Administration security role edit rights, and even that permission is inherited from the Global Default.
By contrast, both the Financial Transaction entity type and Financial Payment Detail models have explicit Allow Edit rules for both the RSR - Financial Worker and RSR - Finance Administration roles.
Usually, this wouldn’t be an issue since the blocks allow transaction details to inherit security from the transaction they’re attached to. But if you’re using a Lava {% modifyentity %} command to create a Transaction Detail record for a new transaction, only Rock Administrators have the necessary permissions. Finance Administrators, for example, are met with the message, "You don't have access to modify this entity".
A sample template that would create a transaction like this is:
```
{% dbtransaction %}
    {% modifyfinancialpaymentdetail id:'0' %}
        [[ property name:'CurrencyTypeValueId' ]]9[[ endproperty ]]
    {% endmodifyfinancialpaymentdetail %}
    {% modifyfinancialtransaction id:'0' %}
        [[ property name:'TransactionDateTime' ]]{{ 'Now' | Date:'yyyy-MM-dd' }}[[ endproperty ]]
        [[ property name:'AuthorizedPersonAliasId' ]]16[[ endproperty ]]
        [[ property name:'SourceTypeValueId' ]]10[[ endproperty ]]
        [[ property name:'FinancialPaymentDetailId' ]]{{ ModifyResult.FinancialPaymentDetail.Id }}[[ endproperty ]]
        [[ property name:'BatchId' ]]458[[ endproperty ]]
        [[ property name:'TransactionTypeValueId' ]]53[[ endproperty ]]
    {% endmodifyfinancialtransaction %}
    {% modifyfinancialtransactiondetail id:'0' %}
        [[ property name:'AccountId' ]]1[[ endproperty ]]
        [[ property name:'Amount' ]]100[[ endproperty ]]
        [[ property name:'TransactionId' ]]{{ ModifyResult.FinancialTransaction.Id }}[[ endproperty ]]
    {% endmodifyfinancialtransactiondetail %}
{% enddbtransaction %}
```
Actual Behavior
- Rock administrators can run the template successfully.
- Finance administrators and Finance workers get an error: "You don't have access to modify this entity".
Expected Behavior
Finance administrators and Finance workers should be able to use this template with no errors, since they can create transactions manually using the UI.
Steps to Reproduce
- Log in as a person with Staff Worker and Finance Administration security roles, but not the Rock Administration role.
- Run the above template in Lava Tester or an HTML block, with the Modify Entity command enabled.
- Note that the transaction is not created. You can add more Lava to check TransactionResult.Success (which will be false) and TransactionResult.ErrorMessage to see the reasons.
- Under Settings > Entity Administration, change the security on Rock.Model.FinancialTransactionDetail and give Edit: Allow rights to RSR - Finance Administration and RSR - Finance Worker, like the Financial Transaction model has.
- Run the template again and confirm that this time the template works as expected.
Issue Confirmation
Rock Version
v18.1, v19.1
Client Culture Setting
EN-US
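One way to audit the permission gap described in this report, as an added example that is not part of the original issue or of Rock's own code: a T-SQL query listing the explicit type-level Edit rules for the three financial models. The table and column names (`[Auth]`, `[EntityType]`, `[Group]`) and the convention that type-level rules are stored with `EntityId = 0` are assumptions about the Rock database schema, not stated in the report.

```sql
-- Added example. Assumed Rock schema: [Auth], [EntityType], [Group].
-- Assumption: entity-type (default) rules are stored with EntityId = 0.
-- A model with no explicit Edit rule shows one row with NULL Action,
-- meaning its Edit access comes only from what it inherits.
SELECT
    et.[Name] AS EntityTypeName,
    a.[Action],
    a.[Order],
    CASE a.[AllowOrDeny]
        WHEN 'A' THEN 'Allow'
        WHEN 'D' THEN 'Deny'
    END AS Access,
    CASE
        WHEN a.[Id] IS NULL       THEN '(no explicit rule; inherited only)'
        WHEN g.[Name] IS NOT NULL THEN g.[Name]
        ELSE '(special role or individual person)'
    END AS GrantedTo
FROM [EntityType] et
LEFT JOIN [Auth] a
       ON a.[EntityTypeId] = et.[Id]
      AND a.[EntityId] = 0
      AND a.[Action] = 'Edit'
LEFT JOIN [Group] g
       ON g.[Id] = a.[GroupId]
WHERE et.[Name] IN (
    'Rock.Model.FinancialTransaction',
    'Rock.Model.FinancialPaymentDetail',
    'Rock.Model.FinancialTransactionDetail'
)
ORDER BY et.[Name], a.[Order];
```

Comparing the rows for the three models before and after the change made under Settings > Entity Administration shows whether the finance roles now hold an explicit Edit rule on the detail model.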