That's definitely the problem, ServiceUtil.getPartyIdCheckSecurity is no longer being called if the party doesn't have the standard permissions. I can fix this up tonight if no one does it sooner.
Regards Scott On 27/03/07, David E. Jones <[EMAIL PROTECTED]> wrote:
Is the service for adding a role to a party no longer allowing a party to do the operation if the incoming partyId matches the UserLogin.partyId? Perhaps this is related to the recent Java -> simple-method conversion and the new simple-method implementations don't allow a security bypass when a Party is changing its own data? -David On Mar 26, 2007, at 7:15 PM, Anil Patel wrote: > In the anon checkout process, When user enters and saves the Profile > information, We create a Person (createPerson service) and then add > person > in CUSTOMER Role. The process breaks when it tries to set Person to > CUSTOMER > role. > > Regards > Anil > > On 3/26/07, David E. Jones <[EMAIL PROTECTED]> wrote: >> >> >> I'd say that's a really big NO. We don't want the anonymous user to >> ever have any permissions. Anyone with a browser and an internet >> connection can create a Party that will be used by the anonymous >> user. >> >> With the anonymous UserLogin the partyId is set in memory and passed >> around, but NEVER saved to the database. This is used to get around >> the security constraints on most services in order for things to >> function. >> >> Where are you running into a problem with this? Ie, what is the >> specific circumstance? >> >> -David >> >> >> On Mar 26, 2007, at 2:53 PM, Anil Patel wrote: >> >> > Hi, Today we started getting following error while creating user in >> > Anonymous checkout process. >> > >> > - Security Error: to run createPartyRole you must have the >> > PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service >> > createPartyRole >> > in createUpdateUser >> > >> > I think we need to add some permissions to Anonymous user. Do we >> > even need >> > these services to be protected with permission check? The >> createPerson >> > service is not. >> > >> > Please comment so I needed I'll submit patch for this. >> > >> > Regards >> > Anil >> >> >>
