Hi Scott, as per your suggestion I have implemented a permission checking service, please have a look and let me know if it's alright, although I tested this on my system, it was working fine, I didn't get any permission error.

Patch attached - https://issues.apache.org/jira/browse/OFBIZ-3075

- Abdullah

On Wed, Oct 28, 2009 at 7:32 PM, Abdullah Shaikh <[email protected]> wrote:

> I tried this, it's working fine using the permission-service-element, there
> is no security error when doing a cancel item, but the cancel functionality
> is not working, the item is not getting cancelled, I will take a look at it
> later and post the details, will raise a jira issue for this.
>
> Will be submitting the patch for security error.
>
>
> On Mon, Oct 26, 2009 at 3:13 PM, Abdullah Shaikh <[email protected]> wrote:
>
>> Scott, I had a look at it and I guess this should work, I will try it out
>> later in the day and let you know.
>>
>> Thanks for pointing
>>
>>
>> On Mon, Oct 26, 2009 at 2:56 PM, Scott Gray <[email protected]> wrote:
>>
>>> Okay I did the search :-)
>>> Check out partyContactMechPermissionCheck and note its usage in the
>>> service defs with the permission-service element.
>>>
>>> Regards
>>> Scott
>>>
>>>
>>> On 26/10/2009, at 9:31 PM, Abdullah Shaikh wrote:
>>>
>>>> ok, I will take a look, can you please point to one of them, if you
>>>> have any in mind.
>>>>
>>>> Also, I didn't get what you meant by "change the permission check to
>>>> allow the placing party authorization", can you please explain a bit
>>>> more ?
>>>>
>>>> On Mon, Oct 26, 2009 at 1:50 PM, Scott Gray <[email protected]> wrote:
>>>>
>>>>> Why do we need to use the system userlogin? If we change the
>>>>> permission check to allow the placing party authorization then we
>>>>> shouldn't need to switch anything. This type of situation is handled
>>>>> in a few places around OFBiz, I would suggest that you find and take
>>>>> a look at them (which is what I would have to do to answer any more
>>>>> questions :-)
>>>>>
>>>>> Regards
>>>>> Scott
>>>>>
>>>>>
>>>>> On 26/10/2009, at 9:05 PM, Abdullah Shaikh wrote:
>>>>>
>>>>>> Hi Scott,
>>>>>>
>>>>>> Yes, I too thought of improving the already implemented service, I
>>>>>> always have that as a first preference, and all should, to make
>>>>>> better code.
>>>>>>
>>>>>> Now coming back to the issue, below is what I have already commented
>>>>>> in previous post.
>>>>>>
>>>>>> This error is because the party (customer) doesn't have the
>>>>>> ORDERMGR_CREATE or ORDERMGR_ADMIN permission, but we can't give this
>>>>>> permission to a customer, further as the common service is called
>>>>>> from ecommerce and order manager for cancel, the solution will be to
>>>>>> check the party's role, if it's a CUSTOMER, then I guess we can use
>>>>>> the SYSTEM user in place of the PARTY(CUSTOMER), for this we need to
>>>>>> give ORDERMGR permission to the SYSTEM user. But then it will seem as
>>>>>> if the SYSTEM user has cancelled the order and not the CUSTOMER ?
>>>>>>
>>>>>> The only thought that came to my mind to improve the permission check
>>>>>> service is as above, but then I guess it will lead to some other
>>>>>> issues.
>>>>>>
>>>>>> - Abdullah
>>>>>>
>>>>>> On Mon, Oct 26, 2009 at 1:20 PM, Scott Gray <[email protected]> wrote:
>>>>>>
>>>>>>> My first thought without looking at it is that the permission
>>>>>>> checking service should be improved to allow the order placing
>>>>>>> party to invoke the service. I don't personally think a separate
>>>>>>> service definition is the way to go.
>>>>>>>
>>>>>>> Regards
>>>>>>> Scott
>>>>>>>
>>>>>>> HotWax Media
>>>>>>> http://www.hotwaxmedia.com
>>>>>>>
>>>>>>>
>>>>>>> On 26/10/2009, at 8:43 PM, Abdullah Shaikh wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> Any thoughts on this ?
>>>>>>>>
>>>>>>>> Jacques, should I proceed with the overriding service patch ?
>>>>>>>>
>>>>>>>> On Fri, Oct 23, 2009 at 6:21 PM, Abdullah Shaikh <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Yes, I guess maybe this is the only solution for this, should I
>>>>>>>>> submit the overriding service patch for this or should I wait for
>>>>>>>>> some more ideas to pour in for this ?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Oct 23, 2009 at 6:09 PM, Jacques Le Roux <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Abdullah,
>>>>>>>>>>
>>>>>>>>>> Yes, overriding the service without permission check only for
>>>>>>>>>> ecommerce use seems the better choice IMO
>>>>>>>>>>
>>>>>>>>>> Jacques
>>>>>>>>>>
>>>>>>>>>> From: "Abdullah Shaikh" <[email protected]>
>>>>>>>>>>
>>>>>>>>>> If I cancel an order item from ecommerce, I get the below error
>>>>>>>>>> displayed on the page.
>>>>>>>>>>
>>>>>>>>>> The Following Errors Occurred:
>>>>>>>>>> Unable to cancel order line : WSCO11640 / 00001 / null
>>>>>>>>>>
>>>>>>>>>> Note to test this you need to take the latest update of apply
>>>>>>>>>> this patch https://issues.apache.org/jira/browse/OFBIZ-2408.
>>>>>>>>>>
>>>>>>>>>> Below is the error trace from console, this error is because the
>>>>>>>>>> party (customer) doesn't have the ORDERMGR_CREATE or
>>>>>>>>>> ORDERMGR_ADMIN permission, but we can't give this permission to a
>>>>>>>>>> customer, further as the common service is called from ecommerce
>>>>>>>>>> and order manager for cancel, the solution will be to check the
>>>>>>>>>> party's role, if it's a CUSTOMER, then I guess we can use the
>>>>>>>>>> SYSTEM user in place of the PARTY(CUSTOMER), for this we need to
>>>>>>>>>> give ORDERMGR permission to the SYSTEM user.
>>>>>>>>>>
>>>>>>>>>> But then it will seem as if the SYSTEM user has cancelled the
>>>>>>>>>> order and not the CUSTOMER ?
>>>>>>>>>>
>>>>>>>>>> Another solution will be to override the service without
>>>>>>>>>> permission check only for ecommerce use.
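
The three options weighed in this thread (a permission service that also admits the order-placing party, an override with no permission check, and swapping in the SYSTEM user), modelled side by side as an added example; it is not part of the original messages and is not OFBiz code. Only the permission names ORDERMGR_CREATE and ORDERMGR_ADMIN come from the thread; the classes, fields, function names and sample users are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Permission names come from the thread; everything else is a constructed model.
STAFF_PERMS = frozenset({"ORDERMGR_CREATE", "ORDERMGR_ADMIN"})

@dataclass(frozen=True)
class UserLogin:
    user_login_id: str
    party_id: str
    permissions: frozenset = frozenset()

@dataclass
class Order:
    order_id: str
    placing_party_id: str               # hypothetical field: party that placed the order
    cancelled_by: Optional[str] = None  # login the audit trail attributes the cancel to

class PermissionDenied(Exception):
    """Raised when the permission check rejects the caller."""

def placing_party_check(user, order):
    """Permission service: staff permission OR the caller placed this order."""
    return bool(STAFF_PERMS & user.permissions) or user.party_id == order.placing_party_id

def no_check(user, order):
    """Models the 'override the service without permission check' option."""
    return True

def cancel_order_item(user, order, check=placing_party_check, run_as=None):
    """Cancel guarded by a pluggable check; run_as models the SYSTEM-user swap."""
    actor = run_as or user
    if not check(actor, order):
        raise PermissionDenied(f"{actor.user_login_id} may not cancel {order.order_id}")
    order.cancelled_by = actor.user_login_id
    return order

def try_cancel(user, order, **kw):
    """Return the login recorded as cancelling the order, or 'DENIED'."""
    try:
        return cancel_order_item(user, order, **kw).cancelled_by
    except PermissionDenied:
        return "DENIED"

# Constructed sample data: alice placed the order, mallory is another customer.
SYSTEM = UserLogin("system", "SYSTEM_PARTY", STAFF_PERMS)
alice = UserLogin("alice", "P-1001")
mallory = UserLogin("mallory", "P-2002")
def new_order(): return Order("ORDER-0001", "P-1001")
```

With the placing-party check, alice cancels her own order under her own login and mallory is denied. With `check=no_check` or `run_as=SYSTEM`, mallory's request on alice's order goes through unless ownership is verified somewhere else, and in the SYSTEM case the record names `system` rather than the customer.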
