One quick question,
Can I use <accept-userlogin-party/> to get the effect of
ServiceUtil.getPartyIdCheckSecurity?

   <xs:element name="accept-userlogin-party">
       <xs:annotation>
           <xs:documentation>
               If that tag is present userlogin party is accepted, rather than requiring that the user have the permission.

               Often used in cases where you want to allow a user to for example see their own order, or update their own contact information.
           </xs:documentation>
       </xs:annotation>
       <xs:complexType>
           <xs:attributeGroup ref="attlist.accept-userlogin-party"/>
       </xs:complexType>
   </xs:element>

Anil

On 3/26/07, Anil Patel <[EMAIL PROTECTED]> wrote:

Now I know, I'll submit a patch for this. Please wait for the patch.
Regards
Anil

On 3/26/07, Scott Gray < [EMAIL PROTECTED]> wrote:
>
> That's definitely the problem, ServiceUtil.getPartyIdCheckSecurity is no
> longer being called if the party doesn't have the standard permissions.
> I can fix this up tonight if no one does it sooner.
>
> Regards
> Scott
>
> On 27/03/07, David E. Jones < [EMAIL PROTECTED]> wrote:
> >
> >
> > Is the service for adding a role to a party no longer allowing a
> > party to do the operation if the incoming partyId matches the
> > UserLogin.partyId ?
> >
> > Perhaps this is related to the recent Java -> simple-method
> > conversion and the new simple-method implementations don't allow a
> > security bypass when a Party is changing its own data?
> >
> > -David
> >
> >
> > On Mar 26, 2007, at 7:15 PM, Anil Patel wrote:
> >
> > > In the anon checkout process, when the user enters and saves the
> > > Profile information, we create a Person (createPerson service) and
> > > then add the person in the CUSTOMER Role. The process breaks when it
> > > tries to set the Person to the CUSTOMER role.
> > >
> > > Regards
> > > Anil
> > >
> > > On 3/26/07, David E. Jones < [EMAIL PROTECTED]> wrote:
> > >>
> > >>
> > >> I'd say that's a really big NO. We don't want the anonymous user to
> > >> ever have any permissions. Anyone with a browser and an internet
> > >> connection can create a Party that will be used by the anonymous
> > >> user.
> > >>
> > >> With the anonymous UserLogin the partyId is set in memory and passed
> > >> around, but NEVER saved to the database. This is used to get around
> > >> the security constraints on most services in order for things to
> > >> function.
> > >>
> > >> Where are you running into a problem with this? I.e., what is the
> > >> specific circumstance?
> > >>
> > >> -David
> > >>
> > >>
> > >> On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:
> > >>
> > >> > Hi, today we started getting the following error while creating a
> > >> > user in the Anonymous checkout process.
> > >> >
> > >> >   - Security Error: to run createPartyRole you must have the
> > >> >   PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service
> > >> >   createPartyRole in createUpdateUser
> > >> >
> > >> > I think we need to add some permissions to the Anonymous user. Do we
> > >> > even need these services to be protected with a permission check?
> > >> > The createPerson service is not.
> > >> >
> > >> > Please comment so if needed I'll submit a patch for this.
> > >> >
> > >> > Regards
> > >> > Anil
> > >>
> > >>
> > >>
> >
> >
> >
>
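
The rule this thread turns on, as an added Java sketch (not OFBiz code and not written by anyone in the thread): a caller passes with the PARTYMGR permission or, where the self-service bypass is accepted, when the target partyId equals its own UserLogin.partyId. The class, the method name mayActOnParty, and the party IDs are assumptions made for illustration; it needs Java 16 or later.

```java
import java.util.Set;

public class PartyAccessCheckDemo {
    // Hypothetical stand-in for a UserLogin: its partyId plus granted permissions.
    record UserLogin(String userLoginId, String partyId, Set<String> permissions) {}

    // Simplified model of the check discussed above (assumption, not OFBiz source):
    // pass on <entity>_<action> or <entity>_ADMIN; otherwise pass only when the
    // self-service bypass is accepted AND the target party is the caller's own.
    static boolean mayActOnParty(UserLogin login, String targetPartyId,
                                 String entity, String action,
                                 boolean acceptUserLoginParty) {
        if (login == null) {
            return false; // no login at all: fail closed
        }
        Set<String> perms = login.permissions();
        if (perms.contains(entity + "_" + action) || perms.contains(entity + "_ADMIN")) {
            return true;
        }
        return acceptUserLoginParty
                && login.partyId() != null
                && login.partyId().equals(targetPartyId);
    }

    static void show(String label, boolean allowed) {
        System.out.printf("%-52s %s%n", label, allowed ? "ALLOWED" : "DENIED");
    }

    public static void main(String[] args) {
        // Constructed sample data: the anonymous login holds no permissions and
        // carries a partyId that exists only in memory for this session.
        UserLogin anon = new UserLogin("anonymous", "10050", Set.of());
        UserLogin anonGranted = new UserLogin("anonymous", "10050", Set.of("PARTYMGR_CREATE"));
        UserLogin admin = new UserLogin("admin", "admin", Set.of("PARTYMGR_ADMIN"));

        // Intended behaviour: checkout user adds a role to its own party.
        show("anon, own party, bypass accepted",
                mayActOnParty(anon, "10050", "PARTYMGR", "CREATE", true));
        // The regression reported in the thread: bypass no longer evaluated.
        show("anon, own party, bypass missing",
                mayActOnParty(anon, "10050", "PARTYMGR", "CREATE", false));
        // The bypass never extends to another party's data.
        show("anon, other party, bypass accepted",
                mayActOnParty(anon, "10000", "PARTYMGR", "CREATE", true));
        // Why granting permissions to anonymous is rejected: it covers every party.
        show("anon granted PARTYMGR_CREATE, other party",
                mayActOnParty(anonGranted, "10000", "PARTYMGR", "CREATE", false));
        show("admin, other party, bypass missing",
                mayActOnParty(admin, "10000", "PARTYMGR", "CREATE", false));
    }
}
```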

