Permission overrides auth parameter of service

Permission overrides auth parameter of service

Suraj Khurana
Hello team,

I noticed that in any service definition if auth is set to false and
permission service is also the service definition, it overrides the auth
parameter to true by itself.

For quick reference, it is written at *createPermission* method of
*ModelServiceReader* class.
Can someone please elaborate this behavior. IMO, this should not happen.

--
Thanks and Regards,
*Suraj Khurana* | Sr. Enterprise Software Engineer
*HotWax* *Commerce* by  *HotWax Systems*
Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010

Re: Permission overrides auth parameter of service

Jacques Le Roux
Administrator
On 03/11/2017 at 05:35, Suraj Khurana wrote:

> Hello team,
>
> I noticed that in any service definition if auth is set to false and
> permission service is also the service definition, it overrides the auth
> parameter to true by itself.
>
> For quick reference, it is written at *createPermission* method of
> *ModelServiceReader* class.
> Can someone please elaborate this behavior. IMO, this should not happen.
>
> --
> Thanks and Regards,
> *Suraj Khurana* | Sr. Enterprise Software Engineer
> *HotWax* *Commerce* by  *HotWax Systems*
> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>
Hi Suraj,

I guess you mean "permission service is also *IN* the service definition", right?

If yes this is indeed a weird behaviour, fortunately it's not reverse (I mean it does not change from true to false) but still

Jacques


Re: Permission overrides auth parameter of service

Jacques Le Roux
Administrator
On 17/11/2017 at 09:20, Jacques Le Roux wrote:

> On 03/11/2017 at 05:35, Suraj Khurana wrote:
>> Hello team,
>>
>> I noticed that in any service definition if auth is set to false and
>> permission service is also the service definition, it overrides the auth
>> parameter to true by itself.
>>
>> For quick reference, it is written at *createPermission* method of
>> *ModelServiceReader* class.
>> Can someone please elaborate this behavior. IMO, this should not happen.
>>
>> --
>> Thanks and Regards,
>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>> *HotWax* *Commerce* by  *HotWax Systems*
>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>
> Hi Suraj,
>
> I guess you mean "permission service is also *IN* the service definition", right?
>
> If yes this is indeed a weird behaviour, fortunately it's not reverse (I mean it does not change from true to false) but still
>
> Jacques
>
>
Hi Suraj,

No actions (Jira created, etc.) here?

Jacques


Re: Permission overrides auth parameter of service

Scott Gray-3
In reply to this post by Suraj Khurana
auth="false" and a permission service are completely incompatible
scenarios.  In what situation could you possibly have no userLogin and
successfully run a permission service?

What would you expect to happen instead of the current behavior?

Regards
Scott

On 3 November 2017 at 17:35, Suraj Khurana <[hidden email]>
wrote:

> Hello team,
>
> I noticed that in any service definition if auth is set to false and
> permission service is also the service definition, it overrides the auth
> parameter to true by itself.
>
> For quick reference, it is written at *createPermission* method of
> *ModelServiceReader* class.
> Can someone please elaborate this behavior. IMO, this should not happen.
>
> --
> Thanks and Regards,
> *Suraj Khurana* | Sr. Enterprise Software Engineer
> *HotWax* *Commerce* by  *HotWax Systems*
> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>

Re: Permission overrides auth parameter of service

Rishi Solanki
If a service implements and does checks for the permissions then it must
have the auth set as true. If any occurrences are found then it should be by
mistake and the service definition should be fixed to match.

So I think the behavior we have is correct, whenever we want to check the
permission it should have the user in context.

Suraj, any scenario you have in mind where we only require permission
service without user?


Rishi Solanki
Sr Manager, Enterprise Software Development
HotWax Systems Pvt. Ltd.
Direct: +91-9893287847
http://www.hotwaxsystems.com
www.hotwax.co

On Wed, Nov 29, 2017 at 1:39 PM, Scott Gray <[hidden email]>
wrote:

> auth="false" and a permission service are completely incompatible
> scenarios.  In what situation could you possibly have no userLogin and
> successfully run a permission service?
>
> What would you expect to happen instead of the current behavior?
>
> Regards
> Scott
>
> On 3 November 2017 at 17:35, Suraj Khurana <suraj.khurana@hotwaxsystems.
> com>
> wrote:
>
> > Hello team,
> >
> > I noticed that in any service definition if auth is set to false and
> > permission service is also the service definition, it overrides the auth
> > parameter to true by itself.
> >
> > For quick reference, it is written at *createPermission* method of
> > *ModelServiceReader* class.
> > Can someone please elaborate this behavior. IMO, this should not happen.
> >
> > --
> > Thanks and Regards,
> > *Suraj Khurana* | Sr. Enterprise Software Engineer
> > *HotWax* *Commerce* by  *HotWax Systems*
> > Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
> >
>
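
The combination discussed above, a definition that declares auth="false" yet also names a permission service, can be located mechanically. The following is an added example, not part of the original thread and not OFBiz code: a Python audit that lists such definitions together with the auth value that will actually apply. The sample XML is constructed, treating a missing auth attribute as false is an assumption, and the names Finding, audit_services and overridden_services are hypothetical.

```python
"""Audit service definitions for auth="false" combined with a permission service.

Added illustration, not OFBiz code. It models only the rule reported in this
thread: when a permission service is declared, auth is forced to true.
"""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Union

# Constructed sample; the auth values are illustrative, not copied from OFBiz.
SAMPLE_SERVICES_XML = """\
<services>
    <service name="createShoppingList" engine="simple" auth="false">
        <permission-service service-name="checkShoppingListSecurity" main-action="CREATE"/>
    </service>
    <service name="updateShoppingList" engine="simple" auth="true">
        <permission-service service-name="checkShoppingListSecurity" main-action="UPDATE"/>
    </service>
    <service name="publicPing" engine="java" auth="false"/>
</services>
"""


@dataclass
class Finding:
    service: str
    declared_auth: bool
    permission_service: Optional[str]
    effective_auth: bool

    @property
    def overridden(self) -> bool:
        """True when the loaded definition differs from what the XML declares."""
        return self.declared_auth != self.effective_auth


def parse_bool(value: Optional[str]) -> bool:
    # Assumption: a missing auth attribute counts as "false".
    return (value or "false").strip().lower() == "true"


def audit_services(xml_source: Union[str, bytes]) -> List[Finding]:
    """Return one Finding per <service> element in the document."""
    root = ET.fromstring(xml_source)
    findings = []
    for svc in root.iter("service"):
        declared = parse_bool(svc.get("auth"))
        perm = svc.find("permission-service")
        perm_name = perm.get("service-name") if perm is not None else None
        # Rule from the thread: a permission service forces auth to true,
        # and auth is never lowered from true to false.
        effective = declared or perm is not None
        findings.append(Finding(svc.get("name", "<unnamed>"), declared, perm_name, effective))
    return findings


def overridden_services(xml_source: Union[str, bytes]) -> List[Finding]:
    """Only the definitions whose declared auth="false" will not be honoured."""
    return [f for f in audit_services(xml_source) if f.overridden]


def main(argv: List[str]) -> int:
    # With no arguments, audit the constructed sample; otherwise audit each
    # XML file given, or every *.xml file under each directory given.
    sources = []
    for arg in argv:
        path = Path(arg)
        files = sorted(path.rglob("*.xml")) if path.is_dir() else [path]
        sources.extend((str(f), f.read_bytes()) for f in files)
    if not sources:
        sources = [("<sample>", SAMPLE_SERVICES_XML)]

    exit_code = 0
    for label, xml_source in sources:
        try:
            flagged = overridden_services(xml_source)
        except ET.ParseError as exc:
            print(f"{label}: skipped, not well-formed XML ({exc})")
            continue
        for f in flagged:
            exit_code = 1
            print(f"{label}: {f.service} declares auth=false but permission "
                  f"service {f.permission_service} forces auth=true")
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Each flagged definition is one where an anonymous call will be rejected before the permission service ever runs, so the declared auth="false" is misleading to anyone reviewing the file.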

Re: Permission overrides auth parameter of service

Suraj Khurana
Thanks everyone for your inputs.

Yes, there are similar occurrences where permission service is defined and
service is used in case of an anonymous user as well.
Example: *CreateShoppingList* and related services

I was presuming we can execute any service as permission service
irrespective of taking *userLogin* into consideration. Please correct me if
I am wrong or missing something.

--
Thanks and Regards,
*Suraj Khurana* | Sr. Enterprise Software Engineer
*HotWax Commerce*  by  *HotWax Systems*
Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010


On Wed, Nov 29, 2017 at 7:35 PM, Rishi Solanki <[hidden email]>
wrote:

> If an service implements and  do checks for the permissions then it must
> have the auth set as true. If any occurrences found then it should be by
> mistake and service definition should be fix to match.
>
> So I think the behavior we have is correct, whenever we want to check the
> permission it should have the user in context.
>
> Suraj, Any scenario you have in mind where we only require permission
> service without user?
>
>
> Rishi Solanki
> Sr Manager, Enterprise Software Development
> HotWax Systems Pvt. Ltd.
> Direct: +91-9893287847
> http://www.hotwaxsystems.com
> www.hotwax.co
>
> On Wed, Nov 29, 2017 at 1:39 PM, Scott Gray <[hidden email]>
> wrote:
>
> > auth="false" and a permission service are completely incompatible
> > scenarios.  In what situation could you possibly have no userLogin and
> > successfully run a permission service?
> >
> > What would you expect to happen instead of the current behavior?
> >
> > Regards
> > Scott
> >
> > On 3 November 2017 at 17:35, Suraj Khurana <suraj.khurana@hotwaxsystems.
> > com>
> > wrote:
> >
> > > Hello team,
> > >
> > > I noticed that in any service definition if auth is set to false and
> > > permission service is also the service definition, it overrides the
> auth
> > > parameter to true by itself.
> > >
> > > For quick reference, it is written at *createPermission* method of
> > > *ModelServiceReader* class.
> > > Can someone please elaborate this behavior. IMO, this should not
> happen.
> > >
> > > --
> > > Thanks and Regards,
> > > *Suraj Khurana* | Sr. Enterprise Software Engineer
> > > *HotWax* *Commerce* by  *HotWax Systems*
> > > Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
> > >
> >
>

Re: Permission overrides auth parameter of service

Jacques Le Roux
Administrator
Hi Suraj,

I don't see how you could check permissions for an anonymous user.
Maybe by giving anonymous users specific permissions in the context of ecommerce?

But does it make sense, I'm not sure. Then maybe as Rishi mentioned we should fix services like CreateShoppingList
BTW did you cross any issues with anonymous users or is that only you thinking?

Jacques


On 01/12/2017 at 09:41, Suraj Khurana wrote:

> Thanks everyone for your inputs.
>
> Yes, there are similar occurrences where permission service is defined and
> service is used in case of an anonymous user as well.
> Example: *CreateShoppingList* and related services
>
> I was presuming we can execute any service as permission service
> irrespective of taking *userLogin *into consideration. Please correct me if
> I am wrong or missing something.
>
> --
> Thanks and Regards,
> *Suraj Khurana* | Sr. Enterprise Software Engineer
> *HotWax Commerce*  by  *HotWax Systems*
> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>
>
> On Wed, Nov 29, 2017 at 7:35 PM, Rishi Solanki <[hidden email]>
> wrote:
>
>> If an service implements and  do checks for the permissions then it must
>> have the auth set as true. If any occurrences found then it should be by
>> mistake and service definition should be fix to match.
>>
>> So I think the behavior we have is correct, whenever we want to check the
>> permission it should have the user in context.
>>
>> Suraj, Any scenario you have in mind where we only require permission
>> service without user?
>>
>>
>> Rishi Solanki
>> Sr Manager, Enterprise Software Development
>> HotWax Systems Pvt. Ltd.
>> Direct: +91-9893287847
>> http://www.hotwaxsystems.com
>> www.hotwax.co
>>
>> On Wed, Nov 29, 2017 at 1:39 PM, Scott Gray <[hidden email]>
>> wrote:
>>
>>> auth="false" and a permission service are completely incompatible
>>> scenarios.  In what situation could you possibly have no userLogin and
>>> successfully run a permission service?
>>>
>>> What would you expect to happen instead of the current behavior?
>>>
>>> Regards
>>> Scott
>>>
>>> On 3 November 2017 at 17:35, Suraj Khurana <suraj.khurana@hotwaxsystems.
>>> com>
>>> wrote:
>>>
>>>> Hello team,
>>>>
>>>> I noticed that in any service definition if auth is set to false and
>>>> permission service is also the service definition, it overrides the
>> auth
>>>> parameter to true by itself.
>>>>
>>>> For quick reference, it is written at *createPermission* method of
>>>> *ModelServiceReader* class.
>>>> Can someone please elaborate this behavior. IMO, this should not
>> happen.
>>>> --
>>>> Thanks and Regards,
>>>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>>>> *HotWax* *Commerce* by  *HotWax Systems*
>>>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>>>


Re: Permission overrides auth parameter of service

Chinmay Patidar
Hello All,

Adding to Suraj's example of CreateShoppingList, I would like to
elaborate more on the same.

In current implementation, 'checkShoppingListSecurity' service is a
permission-service for 'createShoppingList' service. The system creates a
shopping list for an anonymous user on the ecommerce when adding an item to
the cart (try in incognito window so it doesn't pick party from the cache).
But with the current implementation, checkShoppingListSecurity returns an
error saying that "You must be logged in to complete the process". In
simple words, the 'createShoppingList' service gets called for an anonymous
user which eventually triggers 'checkShoppingListSecurity' service.

The above explanation gives an example of a use case where one could
possibly have no userLogin but has a permission service implemented (for
covering use cases of userLogin).

Also, it seems that one can't use a permission-service when no
userLogin would be present.

Also, for now, to fix the issue we can call the "checkShoppingListSecurity"
service from the service declaration/implementation to overcome the error
of no userLogin. Although, it creates confusion to me that the same service
when called internally works fine but when called as a permission service,
returns an error.

Please let me know if calling the security service internally would be the
proper approach.

Thanks,
*Chinmay Patidar* | Sr. Enterprise Software Engineer
HotWax Commerce by HotWax Systems
Plot no. 80, Scheme no. 78 Part 2, Near Brilliant Convention Center, Indore,
M.P, India - 452010
Cell phone: +91-9713978795

On Mon, Dec 11, 2017 at 5:43 PM, Jacques Le Roux <
[hidden email]> wrote:

> Hi Suraj,
>
> I don't see how you could check permissions for an anonymous user.
> Maybe by giving anonymous users specific permissions in the context of
> ecommerce?
>
> But does it makes sense, I'm not sure. Then maybe as mentioned Rishi we
> should fix services like CreateShoppingList
> BTW did you cross any issues with anonymous users or is that only you
> thinking?
>
> Jacques
>
>
>
> On 01/12/2017 at 09:41, Suraj Khurana wrote:
>
>> Thanks everyone for your inputs.
>>
>> Yes, there are similar occurrences where permission service is defined and
>> service is used in case of an anonymous user as well.
>> Example: *CreateShoppingList* and related services
>>
>> I was presuming we can execute any service as permission service
>> irrespective of taking *userLogin *into consideration. Please correct me
>> if
>> I am wrong or missing something.
>>
>> --
>> Thanks and Regards,
>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>> *HotWax Commerce*  by  *HotWax Systems*
>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>
>>
>> On Wed, Nov 29, 2017 at 7:35 PM, Rishi Solanki <[hidden email]>
>> wrote:
>>
>> If an service implements and  do checks for the permissions then it must
>>> have the auth set as true. If any occurrences found then it should be by
>>> mistake and service definition should be fix to match.
>>>
>>> So I think the behavior we have is correct, whenever we want to check the
>>> permission it should have the user in context.
>>>
>>> Suraj, Any scenario you have in mind where we only require permission
>>> service without user?
>>>
>>>
>>> Rishi Solanki
>>> Sr Manager, Enterprise Software Development
>>> HotWax Systems Pvt. Ltd.
>>> Direct: +91-9893287847
>>> http://www.hotwaxsystems.com
>>> www.hotwax.co
>>>
>>> On Wed, Nov 29, 2017 at 1:39 PM, Scott Gray <
>>> [hidden email]>
>>> wrote:
>>>
>>> auth="false" and a permission service are completely incompatible
>>>> scenarios.  In what situation could you possibly have no userLogin and
>>>> successfully run a permission service?
>>>>
>>>> What would you expect to happen instead of the current behavior?
>>>>
>>>> Regards
>>>> Scott
>>>>
>>>> On 3 November 2017 at 17:35, Suraj Khurana <suraj.khurana@hotwaxsystems.
>>>> com>
>>>> wrote:
>>>>
>>>> Hello team,
>>>>>
>>>>> I noticed that in any service definition if auth is set to false and
>>>>> permission service is also the service definition, it overrides the
>>>>>
>>>> auth
>>>
>>>> parameter to true by itself.
>>>>>
>>>>> For quick reference, it is written at *createPermission* method of
>>>>> *ModelServiceReader* class.
>>>>> Can someone please elaborate this behavior. IMO, this should not
>>>>>
>>>> happen.
>>>
>>>> --
>>>>> Thanks and Regards,
>>>>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>>>>> *HotWax* *Commerce* by  *HotWax Systems*
>>>>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>>>>
>>>>>
>

Re: Permission overrides auth parameter of service

Chinmay Patidar
Just missed a point. To regenerate the issue one has to update the 'Auto
Save Cart' to 'Y' for the e-commerce product store record.

Thanks,
*Chinmay Patidar* | Sr. Enterprise Software Engineer
HotWax Commerce by HotWax Systems
Plot no. 80, Scheme no. 78 Part 2, Near Brilliant Convention Center, Indore,
M.P, India - 452010
Cell phone: +91-9713978795

On Sat, Dec 23, 2017 at 5:08 PM, Chinmay Patidar <
[hidden email]> wrote:

> Hello All,
>
> Adding to the Suraj's example of CreateShoppingList, I would like to
> elaborate more on the same.
>
> In current implementation, 'checkShoppingListSecurity' service is a
> permission-service for 'createShoppingList' service. The system creates a
> shopping list for an anonymous user on the ecommerce when adding an item to
> the cart (try in incognito window so it doesn't pick party from the cache).
> But with the current implementation, checkShoppingListSecurity returns an
> error saying that "You must be logged in to complete the process". In
> simple words, the 'createShoppingList' service gets called for an anonymous
> user which eventually triggers 'checkShoppingListSecurity' service.
>
> The above explanation gives an example of a use case where one could
> possibly have no userLogin but has a permission service implemented(for
> covering use cases of userLogin).
>
> Also, it seems that one can't use a permission-service when no
> userLogin would be present.
>
> Also, for now, to fix the issue we can call the
> "checkShoppingListSecurity" service from the service
> declaration/implementation to overcome the error of no userLogin. Although,
> it creates confusion to me that the same service when called internally
> works fine but when called as a permission service, returns an error.
>
> Please let me know if calling the security service internally would be the
> proper approach.
>
> Thanks,
> *Chinmay Patidar* | Sr. Enterprise Software Engineer
> HotWax Commerce by HotWax Systems
> Plot no. 80, Scheme no. 78 Part 2, Near Brilliant Convention Center,
> Indore, M.P, India - 452010
> Cell phone: +91-9713978795
>
> On Mon, Dec 11, 2017 at 5:43 PM, Jacques Le Roux <
> [hidden email]> wrote:
>
>> Hi Suraj,
>>
>> I don't see how you could check permissions for an anonymous user.
>> Maybe by giving anonymous users specific permissions in the context of
>> ecommerce?
>>
>> But does it makes sense, I'm not sure. Then maybe as mentioned Rishi we
>> should fix services like CreateShoppingList
>> BTW did you cross any issues with anonymous users or is that only you
>> thinking?
>>
>> Jacques
>>
>>
>>
>> On 01/12/2017 at 09:41, Suraj Khurana wrote:
>>
>>> Thanks everyone for your inputs.
>>>
>>> Yes, there are similar occurrences where permission service is defined
>>> and
>>> service is used in case of an anonymous user as well.
>>> Example: *CreateShoppingList* and related services
>>>
>>> I was presuming we can execute any service as permission service
>>> irrespective of taking *userLogin *into consideration. Please correct me
>>> if
>>> I am wrong or missing something.
>>>
>>> --
>>> Thanks and Regards,
>>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>>> *HotWax Commerce*  by  *HotWax Systems*
>>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>>
>>>
>>> On Wed, Nov 29, 2017 at 7:35 PM, Rishi Solanki <[hidden email]>
>>> wrote:
>>>
>>> If an service implements and  do checks for the permissions then it must
>>>> have the auth set as true. If any occurrences found then it should be by
>>>> mistake and service definition should be fix to match.
>>>>
>>>> So I think the behavior we have is correct, whenever we want to check
>>>> the
>>>> permission it should have the user in context.
>>>>
>>>> Suraj, Any scenario you have in mind where we only require permission
>>>> service without user?
>>>>
>>>>
>>>> Rishi Solanki
>>>> Sr Manager, Enterprise Software Development
>>>> HotWax Systems Pvt. Ltd.
>>>> Direct: +91-9893287847
>>>> http://www.hotwaxsystems.com
>>>> www.hotwax.co
>>>>
>>>> On Wed, Nov 29, 2017 at 1:39 PM, Scott Gray <
>>>> [hidden email]>
>>>> wrote:
>>>>
>>>> auth="false" and a permission service are completely incompatible
>>>>> scenarios.  In what situation could you possibly have no userLogin and
>>>>> successfully run a permission service?
>>>>>
>>>>> What would you expect to happen instead of the current behavior?
>>>>>
>>>>> Regards
>>>>> Scott
>>>>>
>>>>> On 3 November 2017 at 17:35, Suraj Khurana
>>>>> <suraj.khurana@hotwaxsystems.
>>>>> com>
>>>>> wrote:
>>>>>
>>>>> Hello team,
>>>>>>
>>>>>> I noticed that in any service definition if auth is set to false and
>>>>>> permission service is also the service definition, it overrides the
>>>>>>
>>>>> auth
>>>>
>>>>> parameter to true by itself.
>>>>>>
>>>>>> For quick reference, it is written at *createPermission* method of
>>>>>> *ModelServiceReader* class.
>>>>>> Can someone please elaborate this behavior. IMO, this should not
>>>>>>
>>>>> happen.
>>>>
>>>>> --
>>>>>> Thanks and Regards,
>>>>>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>>>>>> *HotWax* *Commerce* by  *HotWax Systems*
>>>>>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>>>>>
>>>>>>
>>
>

Re: Permission overrides auth parameter of service

Jacques Le Roux
Administrator
Hi Chinmay, Suraj,

Thanks for the tip, https://issues.apache.org/jira/browse/OFBIZ-5157 is related

Jacques


On 23/12/2017 at 12:46, Chinmay Patidar wrote:

> Just missed a point. To regenerate the issue one has to update the 'Auto
> Save Cart' to 'Y' for the e-commerce product store record.
>
> Thanks,
> *Chinmay Patidar* | Sr. Enterprise Software Engineer
> HotWax Commerce by HotWax Systems
> Plot no. 80, Scheme no. 78 Part 2, Near Brilliant Convention Center, Indore,
> M.P, India - 452010
> Cell phone: +91-9713978795
>
> On Sat, Dec 23, 2017 at 5:08 PM, Chinmay Patidar <
> [hidden email]> wrote:
>
>> Hello All,
>>
>> Adding to the Suraj's example of CreateShoppingList, I would like to
>> elaborate more on the same.
>>
>> In current implementation, 'checkShoppingListSecurity' service is a
>> permission-service for 'createShoppingList' service. The system creates a
>> shopping list for an anonymous user on the ecommerce when adding an item to
>> the cart (try in incognito window so it doesn't pick party from the cache).
>> But with the current implementation, checkShoppingListSecurity returns an
>> error saying that "You must be logged in to complete the process". In
>> simple words, the 'createShoppingList' service gets called for an anonymous
>> user which eventually triggers 'checkShoppingListSecurity' service.
>>
>> The above explanation gives an example of a use case where one could
>> possibly have no userLogin but has a permission service implemented(for
>> covering use cases of userLogin).
>>
>> Also, it seems that one can't use a permission-service when no
>> userLogin would be present.
>>
>> Also, for now, to fix the issue we can call the
>> "checkShoppingListSecurity" service from the service
>> declaration/implementation to overcome the error of no userLogin. Although,
>> it creates confusion to me that the same service when called internally
>> works fine but when called as a permission service, returns an error.
>>
>> Please let me know if calling the security service internally would be the
>> proper approach.
>>
>> Thanks,
>> *Chinmay Patidar* | Sr. Enterprise Software Engineer
>> HotWax Commerce by HotWax Systems
>> Plot no. 80, Scheme no. 78 Part 2, Near Brilliant Convention Center,
>> Indore, M.P, India - 452010
>> Cell phone: +91-9713978795
>>
>> On Mon, Dec 11, 2017 at 5:43 PM, Jacques Le Roux <
>> [hidden email]> wrote:
>>
>>> Hi Suraj,
>>>
>>> I don't see how you could check permissions for an anonymous user.
>>> Maybe by giving anonymous users specific permissions in the context of
>>> ecommerce?
>>>
>>> But does it makes sense, I'm not sure. Then maybe as mentioned Rishi we
>>> should fix services like CreateShoppingList
>>> BTW did you cross any issues with anonymous users or is that only you
>>> thinking?
>>>
>>> Jacques
>>>
>>>
>>>
>>> On 01/12/2017 at 09:41, Suraj Khurana wrote:
>>>
>>>> Thanks everyone for your inputs.
>>>>
>>>> Yes, there are similar occurrences where permission service is defined
>>>> and
>>>> service is used in case of an anonymous user as well.
>>>> Example: *CreateShoppingList* and related services
>>>>
>>>> I was presuming we can execute any service as permission service
>>>> irrespective of taking *userLogin *into consideration. Please correct me
>>>> if
>>>> I am wrong or missing something.
>>>>
>>>> --
>>>> Thanks and Regards,
>>>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>>>> *HotWax Commerce*  by  *HotWax Systems*
>>>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>>>
>>>>
>>>> On Wed, Nov 29, 2017 at 7:35 PM, Rishi Solanki <[hidden email]>
>>>> wrote:
>>>>
>>>> If an service implements and  do checks for the permissions then it must
>>>>> have the auth set as true. If any occurrences found then it should be by
>>>>> mistake and service definition should be fix to match.
>>>>>
>>>>> So I think the behavior we have is correct, whenever we want to check
>>>>> the
>>>>> permission it should have the user in context.
>>>>>
>>>>> Suraj, Any scenario you have in mind where we only require permission
>>>>> service without user?
>>>>>
>>>>>
>>>>> Rishi Solanki
>>>>> Sr Manager, Enterprise Software Development
>>>>> HotWax Systems Pvt. Ltd.
>>>>> Direct: +91-9893287847
>>>>> http://www.hotwaxsystems.com
>>>>> www.hotwax.co
>>>>>
>>>>> On Wed, Nov 29, 2017 at 1:39 PM, Scott Gray <
>>>>> [hidden email]>
>>>>> wrote:
>>>>>
>>>>> auth="false" and a permission service are completely incompatible
>>>>>> scenarios.  In what situation could you possibly have no userLogin and
>>>>>> successfully run a permission service?
>>>>>>
>>>>>> What would you expect to happen instead of the current behavior?
>>>>>>
>>>>>> Regards
>>>>>> Scott
>>>>>>
>>>>>> On 3 November 2017 at 17:35, Suraj Khurana
>>>>>> <suraj.khurana@hotwaxsystems.
>>>>>> com>
>>>>>> wrote:
>>>>>>
>>>>>> Hello team,
>>>>>>> I noticed that in any service definition if auth is set to false and
>>>>>>> permission service is also the service definition, it overrides the
>>>>>>>
>>>>>> auth
>>>>>> parameter to true by itself.
>>>>>>> For quick reference, it is written at *createPermission* method of
>>>>>>> *ModelServiceReader* class.
>>>>>>> Can someone please elaborate this behavior. IMO, this should not
>>>>>>>
>>>>>> happen.
>>>>>> --
>>>>>>> Thanks and Regards,
>>>>>>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>>>>>>> *HotWax* *Commerce* by  *HotWax Systems*
>>>>>>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>>>>>>
>>>>>>>


Re: Permission overrides auth parameter of service

Scott Gray-3
In reply to this post by Chinmay Patidar
Ok I see, so there is a need for permission services to be able to run
without a userLogin value in some cases.  Specifically in situations where
the other parameters provided can determine whether an anonymous user is
authorized to execute the given service.

Thanks for providing the additional info.

Regards
Scott

On 24 December 2017 at 00:38, Chinmay Patidar <
[hidden email]> wrote:

> Hello All,
>
> Adding to the Suraj's example of CreateShoppingList, I would like to
> elaborate more on the same.
>
> In current implementation, 'checkShoppingListSecurity' service is a
> permission-service for 'createShoppingList' service. The system creates a
> shopping list for an anonymous user on the ecommerce when adding an item to
> the cart (try in incognito window so it doesn't pick party from the cache).
> But with the current implementation, checkShoppingListSecurity returns an
> error saying that "You must be logged in to complete the process". In
> simple words, the 'createShoppingList' service gets called for an anonymous
> user which eventually triggers 'checkShoppingListSecurity' service.
>
> The above explanation gives an example of a use case where one could
> possibly have no userLogin but has a permission service implemented(for
> covering use cases of userLogin).
>
> Also, it seems that one can't use a permission-service when no
> userLogin would be present.
>
> Also, for now, to fix the issue we can call the "checkShoppingListSecurity"
> service from the service declaration/implementation to overcome the error
> of no userLogin. Although, it creates confusion to me that the same service
> when called internally works fine but when called as a permission service,
> returns an error.
>
> Please let me know if calling the security service internally would be the
> proper approach.
>
> Thanks,
> *Chinmay Patidar* | Sr. Enterprise Software Engineer
> HotWax Commerce by HotWax Systems
> Plot no. 80, Scheme no. 78 Part 2, Near Brilliant Convention Center,
> Indore,
> M.P, India - 452010
> Cell phone: +91-9713978795
>
> On Mon, Dec 11, 2017 at 5:43 PM, Jacques Le Roux <
> [hidden email]> wrote:
>
> > Hi Suraj,
> >
> > I don't see how you could check permissions for an anonymous user.
> > Maybe by giving anonymous users specific permissions in the context of
> > ecommerce?
> >
> > But does it makes sense, I'm not sure. Then maybe as mentioned Rishi we
> > should fix services like CreateShoppingList
> > BTW did you cross any issues with anonymous users or is that only you
> > thinking?
> >
> > Jacques
> >
> >
> >
> > On 01/12/2017 at 09:41, Suraj Khurana wrote:
> >
> >> Thanks everyone for your inputs.
> >>
> >> Yes, there are similar occurrences where permission service is defined
> and
> >> service is used in case of an anonymous user as well.
> >> Example: *CreateShoppingList* and related services
> >>
> >> I was presuming we can execute any service as permission service
> >> irrespective of taking *userLogin *into consideration. Please correct me
> >> if
> >> I am wrong or missing something.
> >>
> >> --
> >> Thanks and Regards,
> >> *Suraj Khurana* | Sr. Enterprise Software Engineer
> >> *HotWax Commerce*  by  *HotWax Systems*
> >> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
> >>
> >>
> >> On Wed, Nov 29, 2017 at 7:35 PM, Rishi Solanki <[hidden email]
> >
> >> wrote:
> >>
> >> If an service implements and  do checks for the permissions then it must
> >>> have the auth set as true. If any occurrences found then it should be
> by
> >>> mistake and service definition should be fix to match.
> >>>
> >>> So I think the behavior we have is correct, whenever we want to check
> the
> >>> permission it should have the user in context.
> >>>
> >>> Suraj, Any scenario you have in mind where we only require permission
> >>> service without user?
> >>>
> >>>
> >>> Rishi Solanki
> >>> Sr Manager, Enterprise Software Development
> >>> HotWax Systems Pvt. Ltd.
> >>> Direct: +91-9893287847
> >>> http://www.hotwaxsystems.com
> >>> www.hotwax.co
> >>>
> >>> On Wed, Nov 29, 2017 at 1:39 PM, Scott Gray <
> >>> [hidden email]>
> >>> wrote:
> >>>
> >>> auth="false" and a permission service are completely incompatible
> >>>> scenarios.  In what situation could you possibly have no userLogin and
> >>>> successfully run a permission service?
> >>>>
> >>>> What would you expect to happen instead of the current behavior?
> >>>>
> >>>> Regards
> >>>> Scott
> >>>>
> >>>> On 3 November 2017 at 17:35, Suraj Khurana
> <suraj.khurana@hotwaxsystems.
> >>>> com>
> >>>> wrote:
> >>>>
> >>>> Hello team,
> >>>>>
> >>>>> I noticed that in any service definition if auth is set to false and
> >>>>> permission service is also the service definition, it overrides the
> >>>>>
> >>>> auth
> >>>
> >>>> parameter to true by itself.
> >>>>>
> >>>>> For quick reference, it is written at *createPermission* method of
> >>>>> *ModelServiceReader* class.
> >>>>> Can someone please elaborate this behavior. IMO, this should not
> >>>>>
> >>>> happen.
> >>>
> >>>> --
> >>>>> Thanks and Regards,
> >>>>> *Suraj Khurana* | Sr. Enterprise Software Engineer
> >>>>> *HotWax* *Commerce* by  *HotWax Systems*
> >>>>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
> >>>>>
> >>>>>
> >
>