Yeah, that's probably the easiest way.

-David

On Mar 26, 2007, at 7:42 PM, Anil Patel wrote:

One quick question: can I use <accept-userlogin-party/> to get the effect of ServiceUtil.getPartyIdCheckSecurity?

    <xs:element name="accept-userlogin-party">
        <xs:annotation>
            <xs:documentation>
                If that tag is present userlogin party is accepted, rather
                than requiring that the user have the permission.
                Often used in cases where you want to allow a user to for
                example see their own order, or update their own contact information.
            </xs:documentation>
        </xs:annotation>
        <xs:complexType>
            <xs:attributeGroup ref="attlist.accept-userlogin-party"/>
        </xs:complexType>
    </xs:element>

Anil

On 3/26/07, Anil Patel <[EMAIL PROTECTED]> wrote:

Now I know, I'll submit a patch for this. Please wait for the patch.

Regards
Anil

On 3/26/07, Scott Gray <[EMAIL PROTECTED]> wrote:
>
> That's definitely the problem, ServiceUtil.getPartyIdCheckSecurity is no
> longer being called if the party doesn't have the standard permissions. I
> can fix this up tonight if no one does it sooner.
>
> Regards
> Scott
>
> On 27/03/07, David E. Jones <[EMAIL PROTECTED]> wrote:
> >
> > Is the service for adding a role to a party no longer allowing a
> > party to do the operation if the incoming partyId matches the
> > UserLogin.partyId ?
> >
> > Perhaps this is related to the recent Java -> simple-method
> > conversion and the new simple-method implementations don't allow a
> > security bypass when a Party is changing its own data?
> >
> > -David
> >
> >
> > On Mar 26, 2007, at 7:15 PM, Anil Patel wrote:
> >
> > > In the anon checkout process, when the user enters and saves the Profile
> > > information, we create a Person (createPerson service) and then add the
> > > person in the CUSTOMER Role. The process breaks when it tries to set the
> > > Person to the CUSTOMER role.
> > >
> > > Regards
> > > Anil
> > >
> > > On 3/26/07, David E. Jones <[EMAIL PROTECTED]> wrote:
> > > >
> > > > I'd say that's a really big NO. We don't want the anonymous user to
> > > > ever have any permissions. Anyone with a browser and an internet
> > > > connection can create a Party that will be used by the anonymous
> > > > user.
> > > >
> > > > With the anonymous UserLogin the partyId is set in memory and passed
> > > > around, but NEVER saved to the database. This is used to get around
> > > > the security constraints on most services in order for things to
> > > > function.
> > > >
> > > > Where are you running into a problem with this? Ie, what is the
> > > > specific circumstance?
> > > >
> > > > -David
> > > >
> > > >
> > > > On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:
> > > >
> > > > > Hi, today we started getting the following error while creating a
> > > > > user in the Anonymous checkout process.
> > > > >
> > > > > - Security Error: to run createPartyRole you must have the
> > > > > PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service
> > > > > createPartyRole
> > > > > in createUpdateUser
> > > > >
> > > > > I think we need to add some permissions to the Anonymous user. Do we
> > > > > even need these services to be protected with a permission check? The
> > > > > createPerson service is not.
> > > > >
> > > > > Please comment so if needed I'll submit a patch for this.
> > > > >
> > > > > Regards
> > > > > Anil
