createPartyRole permission for anonymous user

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

createPartyRole permission for anonymous user

Anil Patel
Hi, Today we started getting following error while creating user in
Anonymous checkout process.

   - Security Error: to run createPartyRole you must have the
   PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service createPartyRole
   in createUpdateUser

I think we need to add some permissions to Anonymous user. Do we even need
these services to be protected with permission check? The createPerson
service is not.

Please comment so I needed I'll submit patch for this.

Regards
Anil
Reply | Threaded
Open this post in threaded view
|

Re: createPartyRole permission for anonymous user

David E Jones

I'd say that's a really big NO. We don't want the anonymous user to  
ever have any permissions. Anyone with a browser and an internet  
connection can create a Party that will be used by the anonymous user.

With the anonymous UserLogin the partyId is set in memory and passed  
around, but NEVER saved to the database. This is used to get around  
the security constraints on most services in order for things to  
function.

Where are you running into a problem with this? Ie, what is the  
specific circumstance?

-David


On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:

> Hi, Today we started getting following error while creating user in
> Anonymous checkout process.
>
>   - Security Error: to run createPartyRole you must have the
>   PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service  
> createPartyRole
>   in createUpdateUser
>
> I think we need to add some permissions to Anonymous user. Do we  
> even need
> these services to be protected with permission check? The createPerson
> service is not.
>
> Please comment so I needed I'll submit patch for this.
>
> Regards
> Anil


smime.p7s (3K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: createPartyRole permission for anonymous user

Anil Patel
In the anon checkout process, When user enters and saves the Profile
information, We create a Person (createPerson service) and then add person
in CUSTOMER Role. The process breaks when it tries to set Person to CUSTOMER
role.

Regards
Anil

On 3/26/07, David E. Jones <[hidden email]> wrote:

>
>
> I'd say that's a really big NO. We don't want the anonymous user to
> ever have any permissions. Anyone with a browser and an internet
> connection can create a Party that will be used by the anonymous user.
>
> With the anonymous UserLogin the partyId is set in memory and passed
> around, but NEVER saved to the database. This is used to get around
> the security constraints on most services in order for things to
> function.
>
> Where are you running into a problem with this? Ie, what is the
> specific circumstance?
>
> -David
>
>
> On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:
>
> > Hi, Today we started getting following error while creating user in
> > Anonymous checkout process.
> >
> >   - Security Error: to run createPartyRole you must have the
> >   PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service
> > createPartyRole
> >   in createUpdateUser
> >
> > I think we need to add some permissions to Anonymous user. Do we
> > even need
> > these services to be protected with permission check? The createPerson
> > service is not.
> >
> > Please comment so I needed I'll submit patch for this.
> >
> > Regards
> > Anil
>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: createPartyRole permission for anonymous user

David E Jones

Is the service for adding a role to a party no longer allowing a  
party to do the operation if the incoming partyId matches the  
UserLogin.partyId?

Perhaps this is related to the recent Java -> simple-method  
conversion and the new simple-method implementations don't allow a  
security bypass when a Party is changing its own data?

-David


On Mar 26, 2007, at 7:15 PM, Anil Patel wrote:

> In the anon checkout process, When user enters and saves the Profile
> information, We create a Person (createPerson service) and then add  
> person
> in CUSTOMER Role. The process breaks when it tries to set Person to  
> CUSTOMER
> role.
>
> Regards
> Anil
>
> On 3/26/07, David E. Jones <[hidden email]> wrote:
>>
>>
>> I'd say that's a really big NO. We don't want the anonymous user to
>> ever have any permissions. Anyone with a browser and an internet
>> connection can create a Party that will be used by the anonymous  
>> user.
>>
>> With the anonymous UserLogin the partyId is set in memory and passed
>> around, but NEVER saved to the database. This is used to get around
>> the security constraints on most services in order for things to
>> function.
>>
>> Where are you running into a problem with this? Ie, what is the
>> specific circumstance?
>>
>> -David
>>
>>
>> On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:
>>
>> > Hi, Today we started getting following error while creating user in
>> > Anonymous checkout process.
>> >
>> >   - Security Error: to run createPartyRole you must have the
>> >   PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service
>> > createPartyRole
>> >   in createUpdateUser
>> >
>> > I think we need to add some permissions to Anonymous user. Do we
>> > even need
>> > these services to be protected with permission check? The  
>> createPerson
>> > service is not.
>> >
>> > Please comment so I needed I'll submit patch for this.
>> >
>> > Regards
>> > Anil
>>
>>
>>


smime.p7s (3K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: createPartyRole permission for anonymous user

Scott Gray
That's definitely the problem, ServiceUtil.getPartyIdCheckSecurity is no
longer being called if the party doesn't have the standard permissions.  I
can fix this up tonight if no one does it sooner.

Regards
Scott

On 27/03/07, David E. Jones <[hidden email]> wrote:

>
>
> Is the service for adding a role to a party no longer allowing a
> party to do the operation if the incoming partyId matches the
> UserLogin.partyId?
>
> Perhaps this is related to the recent Java -> simple-method
> conversion and the new simple-method implementations don't allow a
> security bypass when a Party is changing its own data?
>
> -David
>
>
> On Mar 26, 2007, at 7:15 PM, Anil Patel wrote:
>
> > In the anon checkout process, When user enters and saves the Profile
> > information, We create a Person (createPerson service) and then add
> > person
> > in CUSTOMER Role. The process breaks when it tries to set Person to
> > CUSTOMER
> > role.
> >
> > Regards
> > Anil
> >
> > On 3/26/07, David E. Jones <[hidden email]> wrote:
> >>
> >>
> >> I'd say that's a really big NO. We don't want the anonymous user to
> >> ever have any permissions. Anyone with a browser and an internet
> >> connection can create a Party that will be used by the anonymous
> >> user.
> >>
> >> With the anonymous UserLogin the partyId is set in memory and passed
> >> around, but NEVER saved to the database. This is used to get around
> >> the security constraints on most services in order for things to
> >> function.
> >>
> >> Where are you running into a problem with this? Ie, what is the
> >> specific circumstance?
> >>
> >> -David
> >>
> >>
> >> On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:
> >>
> >> > Hi, Today we started getting following error while creating user in
> >> > Anonymous checkout process.
> >> >
> >> >   - Security Error: to run createPartyRole you must have the
> >> >   PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service
> >> > createPartyRole
> >> >   in createUpdateUser
> >> >
> >> > I think we need to add some permissions to Anonymous user. Do we
> >> > even need
> >> > these services to be protected with permission check? The
> >> createPerson
> >> > service is not.
> >> >
> >> > Please comment so I needed I'll submit patch for this.
> >> >
> >> > Regards
> >> > Anil
> >>
> >>
> >>
>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: createPartyRole permission for anonymous user

Anil Patel
Now I know, I'll submit patch for this. Please wait for the patch.
Regards
Anil

On 3/26/07, Scott Gray <[hidden email]> wrote:

>
> That's definitely the problem, ServiceUtil.getPartyIdCheckSecurity is no
> longer being called if the party doesn't have the standard permissions.  I
> can fix this up tonight if no one does it sooner.
>
> Regards
> Scott
>
> On 27/03/07, David E. Jones <[hidden email]> wrote:
> >
> >
> > Is the service for adding a role to a party no longer allowing a
> > party to do the operation if the incoming partyId matches the
> > UserLogin.partyId?
> >
> > Perhaps this is related to the recent Java -> simple-method
> > conversion and the new simple-method implementations don't allow a
> > security bypass when a Party is changing its own data?
> >
> > -David
> >
> >
> > On Mar 26, 2007, at 7:15 PM, Anil Patel wrote:
> >
> > > In the anon checkout process, When user enters and saves the Profile
> > > information, We create a Person (createPerson service) and then add
> > > person
> > > in CUSTOMER Role. The process breaks when it tries to set Person to
> > > CUSTOMER
> > > role.
> > >
> > > Regards
> > > Anil
> > >
> > > On 3/26/07, David E. Jones <[hidden email]> wrote:
> > >>
> > >>
> > >> I'd say that's a really big NO. We don't want the anonymous user to
> > >> ever have any permissions. Anyone with a browser and an internet
> > >> connection can create a Party that will be used by the anonymous
> > >> user.
> > >>
> > >> With the anonymous UserLogin the partyId is set in memory and passed
> > >> around, but NEVER saved to the database. This is used to get around
> > >> the security constraints on most services in order for things to
> > >> function.
> > >>
> > >> Where are you running into a problem with this? Ie, what is the
> > >> specific circumstance?
> > >>
> > >> -David
> > >>
> > >>
> > >> On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:
> > >>
> > >> > Hi, Today we started getting following error while creating user in
> > >> > Anonymous checkout process.
> > >> >
> > >> >   - Security Error: to run createPartyRole you must have the
> > >> >   PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service
> > >> > createPartyRole
> > >> >   in createUpdateUser
> > >> >
> > >> > I think we need to add some permissions to Anonymous user. Do we
> > >> > even need
> > >> > these services to be protected with permission check? The
> > >> createPerson
> > >> > service is not.
> > >> >
> > >> > Please comment so I needed I'll submit patch for this.
> > >> >
> > >> > Regards
> > >> > Anil
> > >>
> > >>
> > >>
> >
> >
> >
>
Reply | Threaded
Open this post in threaded view
|

Re: createPartyRole permission for anonymous user

Anil Patel
One quick question,
Can I use <accept-userlogin-party/> for get the effect of
ServiceUtil.getPartyIdCheckSecurity.

    <xs:element name="accept-userlogin-party">
        <xs:annotation>
            <xs:documentation>
                If that tag is present userlogin party is accepted, rather
than requiring that the user have the permission.

                Often used in cases where you want to allow a user to for
example see their own order, or update their own contact information.
            </xs:documentation>
        </xs:annotation>
        <xs:complexType>
            <xs:attributeGroup ref="attlist.accept-userlogin-party"/>
        </xs:complexType>
    </xs:element>

Anil

On 3/26/07, Anil Patel <[hidden email]> wrote:

>
> Now I know, I'll submit patch for this. Please wait for the patch.
> Regards
> Anil
>
> On 3/26/07, Scott Gray < [hidden email]> wrote:
> >
> > That's definitely the problem, ServiceUtil.getPartyIdCheckSecurity is no
> > longer being called if the party doesn't have the standard
> > permissions.  I
> > can fix this up tonight if no one does it sooner.
> >
> > Regards
> > Scott
> >
> > On 27/03/07, David E. Jones < [hidden email]> wrote:
> > >
> > >
> > > Is the service for adding a role to a party no longer allowing a
> > > party to do the operation if the incoming partyId matches the
> > > UserLogin.partyId ?
> > >
> > > Perhaps this is related to the recent Java -> simple-method
> > > conversion and the new simple-method implementations don't allow a
> > > security bypass when a Party is changing its own data?
> > >
> > > -David
> > >
> > >
> > > On Mar 26, 2007, at 7:15 PM, Anil Patel wrote:
> > >
> > > > In the anon checkout process, When user enters and saves the Profile
> > > > information, We create a Person (createPerson service) and then add
> > > > person
> > > > in CUSTOMER Role. The process breaks when it tries to set Person to
> > > > CUSTOMER
> > > > role.
> > > >
> > > > Regards
> > > > Anil
> > > >
> > > > On 3/26/07, David E. Jones < [hidden email]> wrote:
> > > >>
> > > >>
> > > >> I'd say that's a really big NO. We don't want the anonymous user to
> > > >> ever have any permissions. Anyone with a browser and an internet
> > > >> connection can create a Party that will be used by the anonymous
> > > >> user.
> > > >>
> > > >> With the anonymous UserLogin the partyId is set in memory and
> > passed
> > > >> around, but NEVER saved to the database. This is used to get around
> >
> > > >> the security constraints on most services in order for things to
> > > >> function.
> > > >>
> > > >> Where are you running into a problem with this? Ie, what is the
> > > >> specific circumstance?
> > > >>
> > > >> -David
> > > >>
> > > >>
> > > >> On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:
> > > >>
> > > >> > Hi, Today we started getting following error while creating user
> > in
> > > >> > Anonymous checkout process.
> > > >> >
> > > >> >   - Security Error: to run createPartyRole you must have the
> > > >> >   PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service
> > > >> > createPartyRole
> > > >> >   in createUpdateUser
> > > >> >
> > > >> > I think we need to add some permissions to Anonymous user. Do we
> > > >> > even need
> > > >> > these services to be protected with permission check? The
> > > >> createPerson
> > > >> > service is not.
> > > >> >
> > > >> > Please comment so I needed I'll submit patch for this.
> > > >> >
> > > >> > Regards
> > > >> > Anil
> > > >>
> > > >>
> > > >>
> > >
> > >
> > >
> >
>
>
Reply | Threaded
Open this post in threaded view
|

Re: createPartyRole permission for anonymous user

David E Jones

Yeah, that's probably the easiest way.

-David


On Mar 26, 2007, at 7:42 PM, Anil Patel wrote:

> One quick question,
> Can I use <accept-userlogin-party/> for get the effect of
> ServiceUtil.getPartyIdCheckSecurity.
>
>    <xs:element name="accept-userlogin-party">
>        <xs:annotation>
>            <xs:documentation>
>                If that tag is present userlogin party is accepted,  
> rather
> than requiring that the user have the permission.
>
>                Often used in cases where you want to allow a user  
> to for
> example see their own order, or update their own contact information.
>            </xs:documentation>
>        </xs:annotation>
>        <xs:complexType>
>            <xs:attributeGroup ref="attlist.accept-userlogin-party"/>
>        </xs:complexType>
>    </xs:element>
>
> Anil
>
> On 3/26/07, Anil Patel <[hidden email]> wrote:
>>
>> Now I know, I'll submit patch for this. Please wait for the patch.
>> Regards
>> Anil
>>
>> On 3/26/07, Scott Gray < [hidden email]> wrote:
>> >
>> > That's definitely the problem,  
>> ServiceUtil.getPartyIdCheckSecurity is no
>> > longer being called if the party doesn't have the standard
>> > permissions.  I
>> > can fix this up tonight if no one does it sooner.
>> >
>> > Regards
>> > Scott
>> >
>> > On 27/03/07, David E. Jones < [hidden email]> wrote:
>> > >
>> > >
>> > > Is the service for adding a role to a party no longer allowing a
>> > > party to do the operation if the incoming partyId matches the
>> > > UserLogin.partyId ?
>> > >
>> > > Perhaps this is related to the recent Java -> simple-method
>> > > conversion and the new simple-method implementations don't  
>> allow a
>> > > security bypass when a Party is changing its own data?
>> > >
>> > > -David
>> > >
>> > >
>> > > On Mar 26, 2007, at 7:15 PM, Anil Patel wrote:
>> > >
>> > > > In the anon checkout process, When user enters and saves the  
>> Profile
>> > > > information, We create a Person (createPerson service) and  
>> then add
>> > > > person
>> > > > in CUSTOMER Role. The process breaks when it tries to set  
>> Person to
>> > > > CUSTOMER
>> > > > role.
>> > > >
>> > > > Regards
>> > > > Anil
>> > > >
>> > > > On 3/26/07, David E. Jones < [hidden email]> wrote:
>> > > >>
>> > > >>
>> > > >> I'd say that's a really big NO. We don't want the anonymous  
>> user to
>> > > >> ever have any permissions. Anyone with a browser and an  
>> internet
>> > > >> connection can create a Party that will be used by the  
>> anonymous
>> > > >> user.
>> > > >>
>> > > >> With the anonymous UserLogin the partyId is set in memory and
>> > passed
>> > > >> around, but NEVER saved to the database. This is used to  
>> get around
>> >
>> > > >> the security constraints on most services in order for  
>> things to
>> > > >> function.
>> > > >>
>> > > >> Where are you running into a problem with this? Ie, what is  
>> the
>> > > >> specific circumstance?
>> > > >>
>> > > >> -David
>> > > >>
>> > > >>
>> > > >> On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:
>> > > >>
>> > > >> > Hi, Today we started getting following error while  
>> creating user
>> > in
>> > > >> > Anonymous checkout process.
>> > > >> >
>> > > >> >   - Security Error: to run createPartyRole you must have the
>> > > >> >   PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling  
>> service
>> > > >> > createPartyRole
>> > > >> >   in createUpdateUser
>> > > >> >
>> > > >> > I think we need to add some permissions to Anonymous  
>> user. Do we
>> > > >> > even need
>> > > >> > these services to be protected with permission check? The
>> > > >> createPerson
>> > > >> > service is not.
>> > > >> >
>> > > >> > Please comment so I needed I'll submit patch for this.
>> > > >> >
>> > > >> > Regards
>> > > >> > Anil
>> > > >>
>> > > >>
>> > > >>
>> > >
>> > >
>> > >
>> >
>>
>>


smime.p7s (3K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: createPartyRole permission for anonymous user

Anil Patel
Patch is attached to this Jira Issue.

https://issues.apache.org/jira/browse/OFBIZ-848

Regards
Anil

On 3/26/07, David E. Jones <[hidden email]> wrote:

>
>
> Yeah, that's probably the easiest way.
>
> -David
>
>
> On Mar 26, 2007, at 7:42 PM, Anil Patel wrote:
>
> > One quick question,
> > Can I use <accept-userlogin-party/> for get the effect of
> > ServiceUtil.getPartyIdCheckSecurity.
> >
> >    <xs:element name="accept-userlogin-party">
> >        <xs:annotation>
> >            <xs:documentation>
> >                If that tag is present userlogin party is accepted,
> > rather
> > than requiring that the user have the permission.
> >
> >                Often used in cases where you want to allow a user
> > to for
> > example see their own order, or update their own contact information.
> >            </xs:documentation>
> >        </xs:annotation>
> >        <xs:complexType>
> >            <xs:attributeGroup ref="attlist.accept-userlogin-party"/>
> >        </xs:complexType>
> >    </xs:element>
> >
> > Anil
> >
> > On 3/26/07, Anil Patel <[hidden email]> wrote:
> >>
> >> Now I know, I'll submit patch for this. Please wait for the patch.
> >> Regards
> >> Anil
> >>
> >> On 3/26/07, Scott Gray < [hidden email]> wrote:
> >> >
> >> > That's definitely the problem,
> >> ServiceUtil.getPartyIdCheckSecurity is no
> >> > longer being called if the party doesn't have the standard
> >> > permissions.  I
> >> > can fix this up tonight if no one does it sooner.
> >> >
> >> > Regards
> >> > Scott
> >> >
> >> > On 27/03/07, David E. Jones < [hidden email]> wrote:
> >> > >
> >> > >
> >> > > Is the service for adding a role to a party no longer allowing a
> >> > > party to do the operation if the incoming partyId matches the
> >> > > UserLogin.partyId ?
> >> > >
> >> > > Perhaps this is related to the recent Java -> simple-method
> >> > > conversion and the new simple-method implementations don't
> >> allow a
> >> > > security bypass when a Party is changing its own data?
> >> > >
> >> > > -David
> >> > >
> >> > >
> >> > > On Mar 26, 2007, at 7:15 PM, Anil Patel wrote:
> >> > >
> >> > > > In the anon checkout process, When user enters and saves the
> >> Profile
> >> > > > information, We create a Person (createPerson service) and
> >> then add
> >> > > > person
> >> > > > in CUSTOMER Role. The process breaks when it tries to set
> >> Person to
> >> > > > CUSTOMER
> >> > > > role.
> >> > > >
> >> > > > Regards
> >> > > > Anil
> >> > > >
> >> > > > On 3/26/07, David E. Jones < [hidden email]> wrote:
> >> > > >>
> >> > > >>
> >> > > >> I'd say that's a really big NO. We don't want the anonymous
> >> user to
> >> > > >> ever have any permissions. Anyone with a browser and an
> >> internet
> >> > > >> connection can create a Party that will be used by the
> >> anonymous
> >> > > >> user.
> >> > > >>
> >> > > >> With the anonymous UserLogin the partyId is set in memory and
> >> > passed
> >> > > >> around, but NEVER saved to the database. This is used to
> >> get around
> >> >
> >> > > >> the security constraints on most services in order for
> >> things to
> >> > > >> function.
> >> > > >>
> >> > > >> Where are you running into a problem with this? Ie, what is
> >> the
> >> > > >> specific circumstance?
> >> > > >>
> >> > > >> -David
> >> > > >>
> >> > > >>
> >> > > >> On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:
> >> > > >>
> >> > > >> > Hi, Today we started getting following error while
> >> creating user
> >> > in
> >> > > >> > Anonymous checkout process.
> >> > > >> >
> >> > > >> >   - Security Error: to run createPartyRole you must have the
> >> > > >> >   PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling
> >> service
> >> > > >> > createPartyRole
> >> > > >> >   in createUpdateUser
> >> > > >> >
> >> > > >> > I think we need to add some permissions to Anonymous
> >> user. Do we
> >> > > >> > even need
> >> > > >> > these services to be protected with permission check? The
> >> > > >> createPerson
> >> > > >> > service is not.
> >> > > >> >
> >> > > >> > Please comment so I needed I'll submit patch for this.
> >> > > >> >
> >> > > >> > Regards
> >> > > >> > Anil
> >> > > >>
> >> > > >>
> >> > > >>
> >> > >
> >> > >
> >> > >
> >> >
> >>
> >>
>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: createPartyRole permission for anonymous user

masionas
In reply to this post by Anil Patel
Hi Guys,

I am using revision 557394 and on anon checkout it looks like it has the same old bug. I checked the partyservices.xml and it does have a tag    <accept-userlogin-party/>. But it gives me an error:

"The Following Errors Occurred:

Security Error: to run createPartyRole you must have the PARTYMGR_ROLE_CREATE or PARTYMGR_ADMIN permission calling service createPartyRole in createUpdateUser"

Does anyone has this issue too?
Thanks for any help.

Anil Patel wrote
In the anon checkout process, When user enters and saves the Profile
information, We create a Person (createPerson service) and then add person
in CUSTOMER Role. The process breaks when it tries to set Person to CUSTOMER
role.

Regards
Anil

On 3/26/07, David E. Jones <jonesde@hotwaxmedia.com> wrote:
>
>
> I'd say that's a really big NO. We don't want the anonymous user to
> ever have any permissions. Anyone with a browser and an internet
> connection can create a Party that will be used by the anonymous user.
>
> With the anonymous UserLogin the partyId is set in memory and passed
> around, but NEVER saved to the database. This is used to get around
> the security constraints on most services in order for things to
> function.
>
> Where are you running into a problem with this? Ie, what is the
> specific circumstance?
>
> -David
>
>
> On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:
>
> > Hi, Today we started getting following error while creating user in
> > Anonymous checkout process.
> >
> >   - Security Error: to run createPartyRole you must have the
> >   PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service
> > createPartyRole
> >   in createUpdateUser
> >
> > I think we need to add some permissions to Anonymous user. Do we
> > even need
> > these services to be protected with permission check? The createPerson
> > service is not.
> >
> > Please comment so I needed I'll submit patch for this.
> >
> > Regards
> > Anil
>
>
>