Permissions for services "called by the user" in the frontend

Alexander1893
Hi all,

I have a general question about permissions:

If I want to call a service I need to have the right permission - which is absolutely correct regarding security reasons.

I have to call several existing services depending on the actions a user makes in the storefrontend - e.g.:
> a customer can "load" his finaccount by a creditcard payment
> he enters his cc-data and (if the payment provider returns a positive result) I want to charge the finaccount with this amount.

When I call the corresponding finAccount-Service for charging, the permission is checked and the roles that are considered are the roles of the logged-in customer. As the customer does not have the necessary role, the call returns an error.

I see the following possibilities:
> I can give the necessary roles to each customer - but I don't know what security-impacts this would have
> I could call the service "using another person who has the role" - but I don't know how to do this.

So my question is:
What is the best way to call these kinds of services without any security impacts?

Thanks in advance & sorry (I don't know the role-concept of OFBiz that much at the moment)
Alexander