I tried this, and it's working fine using the permission-service element. There is no security error when doing a cancel item, but the cancel functionality is not working: the item is not getting cancelled. I will take a look at it later and post the details, and will raise a Jira issue for this.
Will be submitting the patch for security error.

On Mon, Oct 26, 2009 at 3:13 PM, Abdullah Shaikh <[email protected]> wrote:

> Scott, I had a look at it and I guess this should work, I will try it
> out later in the day and let you know.
>
> Thanks for pointing
>
> On Mon, Oct 26, 2009 at 2:56 PM, Scott Gray <[email protected]> wrote:
>
>> Okay I did the search :-)
>> Check out partyContactMechPermissionCheck and note its usage in the
>> service defs with the permission-service element.
>>
>> Regards
>> Scott
>>
>> On 26/10/2009, at 9:31 PM, Abdullah Shaikh wrote:
>>
>>> ok, I will take a look, can you please point to one of them, if you
>>> have any in mind.
>>>
>>> Also, I didn't get what you meant by "change the permission check to
>>> allow the placing party authorization", can you please explain a bit
>>> more?
>>>
>>> On Mon, Oct 26, 2009 at 1:50 PM, Scott Gray <[email protected]> wrote:
>>>
>>>> Why do we need to use the system userlogin? If we change the
>>>> permission check to allow the placing party authorization then we
>>>> shouldn't need to switch anything. This type of situation is handled
>>>> in a few places around OFBiz, I would suggest that you find and take
>>>> a look at them (which is what I would have to do to answer any more
>>>> questions :-)
>>>>
>>>> Regards
>>>> Scott
>>>>
>>>> On 26/10/2009, at 9:05 PM, Abdullah Shaikh wrote:
>>>>
>>>>> Hi Scott,
>>>>>
>>>>> Yes, I too thought of improving the already implemented service, I
>>>>> always have that as a first preference, and all should, to make
>>>>> better code.
>>>>>
>>>>> Now coming back to the issue, below is what I have already
>>>>> commented in the previous post.
>>>>>
>>>>> This error is because the party (customer) doesn't have the
>>>>> ORDERMGR_CREATE or ORDERMGR_ADMIN permission, but we can't give
>>>>> this permission to a customer, further as the common service is
>>>>> called from ecommerce and order manager for cancel, the solution
>>>>> will be to check the party's role, if it's a CUSTOMER, then I guess
>>>>> we can use the SYSTEM user in place of the PARTY(CUSTOMER), for
>>>>> this we need to give ORDERMGR permission to the SYSTEM user. But
>>>>> then it will seem as if the SYSTEM user has cancelled the order and
>>>>> not the CUSTOMER?
>>>>>
>>>>> The only thought that came to my mind to improve the permission
>>>>> check service is as above, but then I guess it will lead to some
>>>>> other issues.
>>>>>
>>>>> - Abdullah
>>>>>
>>>>> On Mon, Oct 26, 2009 at 1:20 PM, Scott Gray <[email protected]> wrote:
>>>>>
>>>>>> My first thought without looking at it is that the permission
>>>>>> checking service should be improved to allow the order placing
>>>>>> party to invoke the service. I don't personally think a separate
>>>>>> service definition is the way to go.
>>>>>>
>>>>>> Regards
>>>>>> Scott
>>>>>>
>>>>>> HotWax Media
>>>>>> http://www.hotwaxmedia.com
>>>>>>
>>>>>> On 26/10/2009, at 8:43 PM, Abdullah Shaikh wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> Any thoughts on this?
>>>>>>>
>>>>>>> Jacques, should I proceed with the overriding service patch?
>>>>>>>
>>>>>>> On Fri, Oct 23, 2009 at 6:21 PM, Abdullah Shaikh <[email protected]> wrote:
>>>>>>>
>>>>>>>> Yes, I guess maybe this is the only solution for this, should I
>>>>>>>> submit the overriding service patch for this or should I wait
>>>>>>>> for some more ideas to pour in for this?
>>>>>>>>
>>>>>>>> On Fri, Oct 23, 2009 at 6:09 PM, Jacques Le Roux <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Abdullah,
>>>>>>>>>
>>>>>>>>> Yes, overriding the service without permission check only for
>>>>>>>>> ecommerce use seems the better choice IMO
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>> From: "Abdullah Shaikh" <[email protected]>
>>>>>>>>>
>>>>>>>>> If I cancel an order item from ecommerce, I get the below error
>>>>>>>>> displayed on the page.
>>>>>>>>>
>>>>>>>>> The Following Errors Occurred:
>>>>>>>>> Unable to cancel order line : WSCO11640 / 00001 / null
>>>>>>>>>
>>>>>>>>> Note to test this you need to take the latest update of apply
>>>>>>>>> this patch https://issues.apache.org/jira/browse/OFBIZ-2408.
>>>>>>>>>
>>>>>>>>> Below is the error trace from console, this error is because
>>>>>>>>> the party (customer) doesn't have the ORDERMGR_CREATE or
>>>>>>>>> ORDERMGR_ADMIN permission, but we can't give this permission to
>>>>>>>>> a customer, further as the common service is called from
>>>>>>>>> ecommerce and order manager for cancel, the solution will be to
>>>>>>>>> check the party's role, if it's a CUSTOMER, then I guess we can
>>>>>>>>> use the SYSTEM user in place of the PARTY(CUSTOMER), for this
>>>>>>>>> we need to give ORDERMGR permission to the SYSTEM user.
>>>>>>>>>
>>>>>>>>> But then it will seem as if the SYSTEM user has cancelled the
>>>>>>>>> order and not the CUSTOMER?
>>>>>>>>>
>>>>>>>>> Another solution will be to override the service without
>>>>>>>>> permission check only for ecommerce use.
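
The option discussed in the thread above (the permission check itself accepts the order-placing party, rather than switching to the SYSTEM userlogin or dropping the check for ecommerce), modelled in plain Python as an added example. It is not OFBiz code and does not come from any of the posters; the function names, the data layout and the `PLACING_CUSTOMER` role name are assumptions, and the sample data is constructed.

```python
# Added illustration: a plain-Python model, not OFBiz code.
# Names and data layout are assumptions made for this example.
from dataclasses import dataclass, field

ORDER_PERMISSIONS = {"ORDERMGR_CREATE", "ORDERMGR_ADMIN"}  # named in the thread
PLACING_ROLE = "PLACING_CUSTOMER"  # assumed role linking a party to its order


@dataclass
class UserLogin:
    user_login_id: str
    party_id: str
    permissions: frozenset = frozenset()


@dataclass
class Order:
    order_id: str
    roles: set                      # {(party_id, role_type_id)}
    audit: list = field(default_factory=list)


def cancel_permission_check(user, order):
    """Return (has_permission, fail_message) for cancelling items on `order`."""
    if user.permissions & ORDER_PERMISSIONS:
        return True, None           # back-office staff holding an order permission
    if (user.party_id, PLACING_ROLE) in order.roles:
        return True, None           # the party that placed this particular order
    return False, f"{user.user_login_id} may not cancel items on {order.order_id}"


def cancel_order_item(user, order, item_seq_id):
    """Run the check first, then record the real caller as the actor."""
    ok, msg = cancel_permission_check(user, order)
    if not ok:
        raise PermissionError(msg)
    order.audit.append((item_seq_id, "CANCELLED", user.user_login_id))
    return order.audit[-1]


# Constructed sample data.
ORDER = Order("ORDER-1", {("CUST_A", PLACING_ROLE)})
CUSTOMER_A = UserLogin("custA", "CUST_A")             # placed ORDER-1
CUSTOMER_B = UserLogin("custB", "CUST_B")             # a different customer
CLERK = UserLogin("clerk", "STAFF_1", frozenset({"ORDERMGR_ADMIN"}))

if __name__ == "__main__":
    print(cancel_order_item(CUSTOMER_A, ORDER, "00001"))
    print(cancel_permission_check(CUSTOMER_B, ORDER))
    print(cancel_permission_check(CLERK, ORDER))
```

Because the caller's own userlogin is kept, the audit entry names the customer rather than SYSTEM, and a customer who did not place the order is still refused.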
