Now I know, I'll submit patch for this. Please wait for the patch.

Regards
Anil

On 3/26/07, Scott Gray <[EMAIL PROTECTED]> wrote:
That's definitely the problem, ServiceUtil.getPartyIdCheckSecurity is no longer being called if the party doesn't have the standard permissions. I can fix this up tonight if no one does it sooner.

Regards
Scott

On 27/03/07, David E. Jones <[EMAIL PROTECTED]> wrote:
> Is the service for adding a role to a party no longer allowing a
> party to do the operation if the incoming partyId matches the
> UserLogin.partyId?
>
> Perhaps this is related to the recent Java -> simple-method
> conversion and the new simple-method implementations don't allow a
> security bypass when a Party is changing its own data?
>
> -David
>
> On Mar 26, 2007, at 7:15 PM, Anil Patel wrote:
>
> > In the anon checkout process, When user enters and saves the Profile
> > information, We create a Person (createPerson service) and then add
> > person in CUSTOMER Role. The process breaks when it tries to set
> > Person to CUSTOMER role.
> >
> > Regards
> > Anil
> >
> > On 3/26/07, David E. Jones <[EMAIL PROTECTED]> wrote:
> >>
> >> I'd say that's a really big NO. We don't want the anonymous user to
> >> ever have any permissions. Anyone with a browser and an internet
> >> connection can create a Party that will be used by the anonymous
> >> user.
> >>
> >> With the anonymous UserLogin the partyId is set in memory and passed
> >> around, but NEVER saved to the database. This is used to get around
> >> the security constraints on most services in order for things to
> >> function.
> >>
> >> Where are you running into a problem with this? Ie, what is the
> >> specific circumstance?
> >>
> >> -David
> >>
> >> On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:
> >>
> >> > Hi, Today we started getting following error while creating user in
> >> > Anonymous checkout process.
> >> >
> >> > - Security Error: to run createPartyRole you must have the
> >> > PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service
> >> > createPartyRole in createUpdateUser
> >> >
> >> > I think we need to add some permissions to Anonymous user. Do we
> >> > even need these services to be protected with permission check?
> >> > The createPerson service is not.
> >> >
> >> > Please comment so if needed I'll submit patch for this.
> >> >
> >> > Regards
> >> > Anil
