paypal IPN causes security error when creating payment

> The following exception happened when I received an paypal IPN for a sales
> order.
>
> accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml#createPayment]]:
> ; [Security Error : To Create a Payment you must either be the to or from
> party or have the PAY_INFO_CREATE or PAY_INFO_ADMIN permissions.]
>
> The order was placed by a registered user and the IPN was sent to the server
> right after the order was submitted.
>
> If anyone knows the root cause, please let me know. That would save me some
> time tracing the source code.
>
> Thanks,
> Hansen
>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> this is an ofbiz message saying the user does not   have PAY_INFO_CREATE
> permissions.
> my guess is that the code is not use the "system" user in running this
> code. it is is then the security permissions have to assigned to the
> system user.
>
> it seems we have lost the ability to assign permissions to groups in the
>  current version.
>
>
> Hansen Wang sent the following on 2/5/2009 12:23 PM:
> > The following exception happened when I received an paypal IPN for a
> sales
> > order.
> >
> >
> accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml#createPayment]]:
> > ; [Security Error : To Create a Payment you must either be the to or from
> > party or have the PAY_INFO_CREATE or PAY_INFO_ADMIN permissions.]
> >
> > The order was placed by a registered user and the IPN was sent to the
> server
> > right after the order was submitted.
> >
> > If anyone knows the root cause, please let me know. That would save me
> some
> > time tracing the source code.
> >
> > Thanks,
> > Hansen
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFJi069rP3NbaWWqE4RAkYXAKCYQUk/i7Xek8TrevAPDv45/j33rwCdFaBb
> TmsiwFranMSRUpJrzEZCOL8=
> =rvR8
> -----END PGP SIGNATURE-----
>

> I use release4 trunk. My presumption is that paypalIPN works out of the box
> for the release I am using.
>
> Thanks,
> Hansen
>
> On Thu, Feb 5, 2009 at 1:40 PM, BJ Freeman <[hidden email]> wrote:
>
> this is an ofbiz message saying the user does not   have PAY_INFO_CREATE
> permissions.
> my guess is that the code is not use the "system" user in running this
> code. it is is then the security permissions have to assigned to the
> system user.
>
> it seems we have lost the ability to assign permissions to groups in the
>  current version.
>
>
> Hansen Wang sent the following on 2/5/2009 12:23 PM:
>>>> The following exception happened when I received an paypal IPN for a
> sales
>>>> order.
>>>>
>>>>
> accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml#createPayment]]:
>>>> ; [Security Error : To Create a Payment you must either be the to or from
>>>> party or have the PAY_INFO_CREATE or PAY_INFO_ADMIN permissions.]
>>>>
>>>> The order was placed by a registered user and the IPN was sent to the
> server
>>>> right after the order was submitted.
>>>>
>>>> If anyone knows the root cause, please let me know. That would save me
> some
>>>> time tracing the source code.
>>>>
>>>> Thanks,
>>>> Hansen
>>>>
>>

> release4 is the most stable. however they may be bugs that have not been
> found.
>
> Hansen Wang sent the following on 2/5/2009 12:48 PM:
>> I use release4 trunk. My presumption is that paypalIPN works out of the box
>> for the release I am using.
>
>> Thanks,
>> Hansen
>
>> On Thu, Feb 5, 2009 at 1:40 PM, BJ Freeman <[hidden email]> wrote:
>
>> this is an ofbiz message saying the user does not   have PAY_INFO_CREATE
>> permissions.
>> my guess is that the code is not use the "system" user in running this
>> code. it is is then the security permissions have to assigned to the
>> system user.
>
>> it seems we have lost the ability to assign permissions to groups in the
>>  current version.
>
>
>> Hansen Wang sent the following on 2/5/2009 12:23 PM:
>>>>> The following exception happened when I received an paypal IPN for a
>> sales
>>>>> order.
>>>>>
>>>>>
>> accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml#createPayment]]:
>>>>> ; [Security Error : To Create a Payment you must either be the to or from
>>>>> party or have the PAY_INFO_CREATE or PAY_INFO_ADMIN permissions.]
>>>>>
>>>>> The order was placed by a registered user and the IPN was sent to the
>> server
>>>>> right after the order was submitted.
>>>>>
>>>>> If anyone knows the root cause, please let me know. That would save me
>> some
>>>>> time tracing the source code.
>>>>>
>>>>> Thanks,
>>>>> Hansen
>>>>>
>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I did a quick review of the code
> the only two security groups that have this permission are the
> ORDERENTRY and ORDERPURCH
> This means if the user is not a order taker or purchasing agent and have
>  these permission it will not work.
> your error orginated from
> PaymentMethodServices.java
>
> need more information about you senario to help any more.
>
>
> BJ Freeman sent the following on 2/5/2009 1:01 PM:
>  > release4 is the most stable. however they may be bugs that have not
> been
> > found.
> >
> > Hansen Wang sent the following on 2/5/2009 12:48 PM:
> >> I use release4 trunk. My presumption is that paypalIPN works out of the
> box
> >> for the release I am using.
> >
> >> Thanks,
> >> Hansen
> >
> >> On Thu, Feb 5, 2009 at 1:40 PM, BJ Freeman <[hidden email]> wrote:
> >
> >> this is an ofbiz message saying the user does not   have PAY_INFO_CREATE
> >> permissions.
> >> my guess is that the code is not use the "system" user in running this
> >> code. it is is then the security permissions have to assigned to the
> >> system user.
> >
> >> it seems we have lost the ability to assign permissions to groups in the
> >>  current version.
> >
> >
> >> Hansen Wang sent the following on 2/5/2009 12:23 PM:
> >>>>> The following exception happened when I received an paypal IPN for a
> >> sales
> >>>>> order.
> >>>>>
> >>>>>
> >>
> accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml#createPayment]]:
> >>>>> ; [Security Error : To Create a Payment you must either be the to or
> from
> >>>>> party or have the PAY_INFO_CREATE or PAY_INFO_ADMIN permissions.]
> >>>>>
> >>>>> The order was placed by a registered user and the IPN was sent to the
> >> server
> >>>>> right after the order was submitted.
> >>>>>
> >>>>> If anyone knows the root cause, please let me know. That would save
> me
> >> some
> >>>>> time tracing the source code.
> >>>>>
> >>>>> Thanks,
> >>>>> Hansen
> >>>>>
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFJi1z1rP3NbaWWqE4RAvkKAJ9YT0wcCooR8g1PJCxQoEbF15iPaACgmURg
> cx7LogJpN4yQp1hInV43DIQ=
> =frrY
> -----END PGP SIGNATURE-----
>

> Yes. That is exactly where the problem is. The exception did not happen
> after I added the user to the ORDERENTRY group. But this is not a solution
> because a regular customer can not have the permissions in the group. Looks
> like have to change the code to switch the user when executing the related
> code block. What would you recommend to do?
>
> Thanks.
> Hansen
>
>
> On Thu, Feb 5, 2009 at 2:41 PM, BJ Freeman <[hidden email]> wrote:
>
> I did a quick review of the code
> the only two security groups that have this permission are the
> ORDERENTRY and ORDERPURCH
> This means if the user is not a order taker or purchasing agent and have
>  these permission it will not work.
> your error orginated from
> PaymentMethodServices.java
>
> need more information about you senario to help any more.
>
>
> BJ Freeman sent the following on 2/5/2009 1:01 PM:
>  > release4 is the most stable. however they may be bugs that have not
> been
>>>> found.
>>>>
>>>> Hansen Wang sent the following on 2/5/2009 12:48 PM:
>>>>> I use release4 trunk. My presumption is that paypalIPN works out of the
> box
>>>>> for the release I am using.
>>>>> Thanks,
>>>>> Hansen
>>>>> On Thu, Feb 5, 2009 at 1:40 PM, BJ Freeman <[hidden email]> wrote:
>>>>> this is an ofbiz message saying the user does not   have PAY_INFO_CREATE
>>>>> permissions.
>>>>> my guess is that the code is not use the "system" user in running this
>>>>> code. it is is then the security permissions have to assigned to the
>>>>> system user.
>>>>> it seems we have lost the ability to assign permissions to groups in the
>>>>>  current version.
>>>>
>>>>> Hansen Wang sent the following on 2/5/2009 12:23 PM:
>>>>>>>> The following exception happened when I received an paypal IPN for a
>>>>> sales
>>>>>>>> order.
>>>>>>>>
>>>>>>>>
> accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml#createPayment]]:
>>>>>>>> ; [Security Error : To Create a Payment you must either be the to or
> from
>>>>>>>> party or have the PAY_INFO_CREATE or PAY_INFO_ADMIN permissions.]
>>>>>>>>
>>>>>>>> The order was placed by a registered user and the IPN was sent to the
>>>>> server
>>>>>>>> right after the order was submitted.
>>>>>>>>
>>>>>>>> If anyone knows the root cause, please let me know. That would save
> me
>>>>> some
>>>>>>>> time tracing the source code.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Hansen
>>>>>>>>
>>

> It looks like a bug. To resolve it, just add the following parameter and
> value when calling createPaymentFromPreference (line 493 of
> PayPalEvents.java).
> paymentFromId=userLogin.getString("partyId")
>
>
> BJ Freeman wrote:
> here is what I see
> these Methods are meant to allow a party to update their profile.
> you could create a customerGroup
> and put the security permission under that, then assign the
> customergroup to the parties login.
> Unless you want only your staff to update it.
> the way it is setup now you staff are the only ones to Create and Update
>  CC info.
> However this should have nothing to do with IPN process once the CC is
> created.
>
>
>
> Hansen Wang sent the following on 2/5/2009 2:25 PM:
>>>> Yes. That is exactly where the problem is. The exception did not happen
>>>> after I added the user to the ORDERENTRY group. But this is not a
>>>> solution
>>>> because a regular customer can not have the permissions in the group.
>>>> Looks
>>>> like have to change the code to switch the user when executing the
>>>> related
>>>> code block. What would you recommend to do?
>>>>
>>>> Thanks.
>>>> Hansen
>>>>
>>>>
>>>> On Thu, Feb 5, 2009 at 2:41 PM, BJ Freeman <[hidden email]> wrote:
>>>>
>>>> I did a quick review of the code
>>>> the only two security groups that have this permission are the
>>>> ORDERENTRY and ORDERPURCH
>>>> This means if the user is not a order taker or purchasing agent and have
>>>>  these permission it will not work.
>>>> your error orginated from
>>>> PaymentMethodServices.java
>>>>
>>>> need more information about you senario to help any more.
>>>>
>>>>
>>>> BJ Freeman sent the following on 2/5/2009 1:01 PM:
>>>>  > release4 is the most stable. however they may be bugs that have not
>>>> been
>>>>>>> found.
>>>>>>>
>>>>>>> Hansen Wang sent the following on 2/5/2009 12:48 PM:
>>>>>>>> I use release4 trunk. My presumption is that paypalIPN works out of
>>>>>>>> the
>>>> box
>>>>>>>> for the release I am using.
>>>>>>>> Thanks,
>>>>>>>> Hansen
>>>>>>>> On Thu, Feb 5, 2009 at 1:40 PM, BJ Freeman <[hidden email]>
>>>>>>>> wrote:
>>>>>>>> this is an ofbiz message saying the user does not   have
>>>>>>>> PAY_INFO_CREATE
>>>>>>>> permissions.
>>>>>>>> my guess is that the code is not use the "system" user in running
>>>>>>>> this
>>>>>>>> code. it is is then the security permissions have to assigned to the
>>>>>>>> system user.
>>>>>>>> it seems we have lost the ability to assign permissions to groups in
>>>>>>>> the
>>>>>>>>  current version.
>>>>>>>> Hansen Wang sent the following on 2/5/2009 12:23 PM:
>>>>>>>>>>> The following exception happened when I received an paypal IPN for
>>>>>>>>>>> a
>>>>>>>> sales
>>>>>>>>>>> order.
>>>>>>>>>>>
>>>>>>>>>>>
>>>> accounting/script/org/ofbiz/accounting/payment/PaymentServices.xml#createPayment]]:
>>>>>>>>>>> ; [Security Error : To Create a Payment you must either be the to
>>>>>>>>>>> or
>>>> from
>>>>>>>>>>> party or have the PAY_INFO_CREATE or PAY_INFO_ADMIN permissions.]
>>>>>>>>>>>
>>>>>>>>>>> The order was placed by a registered user and the IPN was sent to
>>>>>>>>>>> the
>>>>>>>> server
>>>>>>>>>>> right after the order was submitted.
>>>>>>>>>>>
>>>>>>>>>>> If anyone knows the root cause, please let me know. That would
>>>>>>>>>>> save
>>>> me
>>>>>>>> some
>>>>>>>>>>> time tracing the source code.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Hansen
>>>>>>>>>>>
>>
>>