Is the service for adding a role to a party no longer allowing a party to do the operation if the incoming partyId matches the UserLogin.partyId?
Perhaps this is related to the recent Java -> simple-method conversion and the new simple-method implementations don't allow a security bypass when a Party is changing its own data?
-David

On Mar 26, 2007, at 7:15 PM, Anil Patel wrote:

In the anon checkout process, when the user enters and saves the Profile information, we create a Person (createPerson service) and then add the person in the CUSTOMER role. The process breaks when it tries to set the Person to the CUSTOMER role.

Regards
Anil

On 3/26/07, David E. Jones <[EMAIL PROTECTED]> wrote:

I'd say that's a really big NO. We don't want the anonymous user to ever have any permissions. Anyone with a browser and an internet connection can create a Party that will be used by the anonymous user.

With the anonymous UserLogin the partyId is set in memory and passed around, but NEVER saved to the database. This is used to get around the security constraints on most services in order for things to function.

Where are you running into a problem with this? I.e., what is the specific circumstance?

-David

On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:

> Hi,
> Today we started getting the following error while creating a user in the
> Anonymous checkout process.
>
> - Security Error: to run createPartyRole you must have the
> PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service
> createPartyRole
> in createUpdateUser
>
> I think we need to add some permissions to the Anonymous user. Do we
> even need these services to be protected with a permission check? The
> createPerson service is not.
>
> Please comment so if needed I'll submit a patch for this.
>
> Regards
> Anil
