I added a new functionality and page and a privilege associated with this page but this is not been respected. I added a page to update license agreement and should only be accessible to anyone with the “Edit License Agreement” privilege but this is not the case. My service method is defined as below
@Authorized(LicenseAgreementModuleConfig.EDIT_LICENSE_AGREEMENT_PRIVILEGE)
@Transactional
LicenseAgreement updateLicenseAgreement(String licenseBody);
And my page has
<openmrs:require privilege="Edit License Agreement" otherwise="/login.htm" redirect="/module/licenseagreement/manageLicenseAgreement.page"/>
But none of these is been respected. I created a new user that doesn’t have this privilege. Entered the link to the page and instead of redirecting me to the login page, it showed me the page even though the user does not have the privilege to.
Now when the user updates the license agreement from the UI and submits the changes, I was at least expecting the service layer to also throw an exception since the person initiating that call does not have the required privilege but that doesn’t happen. The update is successful. I’m I missing something?