Patch is attached to this Jira Issue.
https://issues.apache.org/jira/browse/OFBIZ-848

Regards
Anil

On 3/26/07, David E. Jones <[EMAIL PROTECTED]> wrote:

Yeah, that's probably the easiest way.

-David

On Mar 26, 2007, at 7:42 PM, Anil Patel wrote:

> One quick question,
> Can I use <accept-userlogin-party/> to get the effect of
> ServiceUtil.getPartyIdCheckSecurity.
>
> <xs:element name="accept-userlogin-party">
>     <xs:annotation>
>         <xs:documentation>
>             If that tag is present userlogin party is accepted, rather
>             than requiring that the user have the permission.
>
>             Often used in cases where you want to allow a user to for
>             example see their own order, or update their own contact information.
>         </xs:documentation>
>     </xs:annotation>
>     <xs:complexType>
>         <xs:attributeGroup ref="attlist.accept-userlogin-party"/>
>     </xs:complexType>
> </xs:element>
>
> Anil
>
> On 3/26/07, Anil Patel <[EMAIL PROTECTED]> wrote:
>>
>> Now I know, I'll submit patch for this. Please wait for the patch.
>> Regards
>> Anil
>>
>> On 3/26/07, Scott Gray <[EMAIL PROTECTED]> wrote:
>> >
>> > That's definitely the problem, ServiceUtil.getPartyIdCheckSecurity is no
>> > longer being called if the party doesn't have the standard permissions. I
>> > can fix this up tonight if no one does it sooner.
>> >
>> > Regards
>> > Scott
>> >
>> > On 27/03/07, David E. Jones <[EMAIL PROTECTED]> wrote:
>> > >
>> > > Is the service for adding a role to a party no longer allowing a
>> > > party to do the operation if the incoming partyId matches the
>> > > UserLogin.partyId ?
>> > >
>> > > Perhaps this is related to the recent Java -> simple-method
>> > > conversion and the new simple-method implementations don't allow a
>> > > security bypass when a Party is changing its own data?
>> > >
>> > > -David
>> > >
>> > > On Mar 26, 2007, at 7:15 PM, Anil Patel wrote:
>> > >
>> > > > In the anon checkout process, when user enters and saves the Profile
>> > > > information, we create a Person (createPerson service) and then add
>> > > > person in CUSTOMER Role. The process breaks when it tries to set
>> > > > Person to CUSTOMER role.
>> > > >
>> > > > Regards
>> > > > Anil
>> > > >
>> > > > On 3/26/07, David E. Jones <[EMAIL PROTECTED]> wrote:
>> > > >>
>> > > >> I'd say that's a really big NO. We don't want the anonymous user to
>> > > >> ever have any permissions. Anyone with a browser and an internet
>> > > >> connection can create a Party that will be used by the anonymous
>> > > >> user.
>> > > >>
>> > > >> With the anonymous UserLogin the partyId is set in memory and passed
>> > > >> around, but NEVER saved to the database. This is used to get around
>> > > >> the security constraints on most services in order for things to
>> > > >> function.
>> > > >>
>> > > >> Where are you running into a problem with this? I.e., what is the
>> > > >> specific circumstance?
>> > > >>
>> > > >> -David
>> > > >>
>> > > >> On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:
>> > > >>
>> > > >> > Hi, Today we started getting following error while creating user in
>> > > >> > Anonymous checkout process.
>> > > >> >
>> > > >> > - Security Error: to run createPartyRole you must have the
>> > > >> > PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service
>> > > >> > createPartyRole in createUpdateUser
>> > > >> >
>> > > >> > I think we need to add some permissions to Anonymous user. Do we
>> > > >> > even need these services to be protected with permission check? The
>> > > >> > createPerson service is not.
>> > > >> >
>> > > >> > Please comment so if needed I'll submit patch for this.
>> > > >> >
>> > > >> > Regards
>> > > >> > Anil
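
The check this thread converges on, as an added example that is not part of the original messages and is not OFBiz code: a simplified Python model of a service guard that accepts either a PARTYMGR permission or a target partyId equal to the caller's own UserLogin partyId. `UserLogin`, `create_party_role`, the two check functions and the party ids are hypothetical stand-ins; only the permission names come from the quoted error.

```python
# Simplified model of the check discussed in the thread; not OFBiz code.
from dataclasses import dataclass
from typing import Optional

# Permission names taken from the error message quoted in the thread.
MANAGE_PERMS = frozenset({"PARTYMGR_CREATE", "PARTYMGR_ADMIN"})


@dataclass(frozen=True)
class UserLogin:  # hypothetical stand-in for the UserLogin record
    user_login_id: str
    party_id: Optional[str]  # for "anonymous": held in memory only, never persisted
    permissions: frozenset = frozenset()


def permission_only(user, target_party_id):
    """Regressed behaviour: the caller must hold a PARTYMGR permission."""
    return bool(MANAGE_PERMS & user.permissions)


def permission_or_own_party(user, target_party_id):
    """Permission holders may act on any party; everyone else only on the
    party bound to their own UserLogin."""
    if MANAGE_PERMS & user.permissions:
        return True
    # Fail closed when either id is missing, so None == None or "" == ""
    # can never be read as "acting on own party".
    if not user.party_id or not target_party_id:
        return False
    return user.party_id == target_party_id


def create_party_role(check, user, party_id, role_type_id, roles):
    """Hypothetical stand-in for the createPartyRole service."""
    if not check(user, party_id):
        raise PermissionError("Security Error: to run createPartyRole you must "
                              "have the PARTYMGR_CREATE or PARTYMGR_ADMIN permission")
    roles.add((party_id, role_type_id))
    return roles


# Constructed sample data: an anonymous checkout user and an administrator.
ANON = UserLogin("anonymous", "10010")
ADMIN = UserLogin("admin", "admin", frozenset({"PARTYMGR_ADMIN"}))

if __name__ == "__main__":
    for check in (permission_only, permission_or_own_party):
        for target in ("10010", "10011"):
            print(check.__name__, "anonymous ->", target, check(ANON, target))
```

The own-party branch grants no permission to the anonymous user: it still cannot touch party 10011, which keeps the constraint stated earlier in the thread that the anonymous user never holds permissions.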
