permission error on cancel order item from ecommerce


Abdullah Shaikh-3
If I cancel an order item from ecommerce, I get the below error displayed
on the page.

The Following Errors Occurred:
Unable to cancel order line : WSCO11640 / 00001 / null

Note: to test this you need to take the latest update or apply this patch
https://issues.apache.org/jira/browse/OFBIZ-2408.

Below is the error trace from the console. This error is because the party
(customer) doesn't have the ORDERMGR_CREATE or ORDERMGR_ADMIN permission,
but we can't give this permission to a customer. Further, as the common
service is called from ecommerce and order manager for cancel, the solution
will be to check the party's role: if it's a CUSTOMER, then I guess we can
use the SYSTEM user in place of the PARTY (CUSTOMER); for this we need to
give ORDERMGR permission to the SYSTEM user.

But then it will seem as if the SYSTEM user has cancelled the order and not
the CUSTOMER?

Another solution will be to override the service without permission check
only for ecommerce use.

The exception on the console is below :

[java] ---- exception report ----------------------------------------------------------
[java] [TransactionUtil.setRollbackOnly] Calling transaction setRollbackOnly; this stack trace shows where this is happening:
[java] Exception: java.lang.Exception
[java] Message: Error in simple-method [Create an OrderAdjustment file:/home/abdullah/projects/ofbiz_ws/ofbiz/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml#createOrderAdjustment]: ; [Security Error : to run createOrderAdjustment you must have the ORDERMGR_CREATE or ORDERMGR_ADMIN permission]
[java] ---- stack trace ---------------------------------------------------------------
[java] java.lang.Exception: Error in simple-method [Create an OrderAdjustment file:/home/abdullah/projects/ofbiz-sagepay_ws/ofbiz/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml#createOrderAdjustment]: ; [Security Error : to run createOrderAdjustment you must have the ORDERMGR_CREATE or ORDERMGR_ADMIN permission]
[java] org.ofbiz.entity.transaction.TransactionUtil.setRollbackOnly(TransactionUtil.java:371)
[java] org.ofbiz.entity.transaction.TransactionUtil.rollback(TransactionUtil.java:318)
[java] org.ofbiz.minilang.SimpleMethod.exec(SimpleMethod.java:833)
[java] org.ofbiz.minilang.SimpleMethod.runSimpleMethod(SimpleMethod.java:160)
[java] org.ofbiz.minilang.SimpleMethod.runSimpleService(SimpleMethod.java:142)
[java] org.ofbiz.minilang.SimpleServiceEngine.serviceInvoker(SimpleServiceEngine.java:78)
[java] org.ofbiz.minilang.SimpleServiceEngine.runSync(SimpleServiceEngine.java:53)
[java] org.ofbiz.service.ModelServiceReader$GenericInvokerImpl.runSync(ModelServiceReader.java:785)
[java] _$gen.file_58$.home.abdullah.projects.ofbiz_45$sagepay_95$ws.ofbiz.applications.order.servicedef.services_46$xml_35$createOrderAdjustment.runSync(file:/home/abdullah/projects/ofbiz-sagepay_ws/ofbiz/applications/order/servicedef/services.xml#createOrderAdjustment:184)
[java] org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:394)
[java] org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:223)
[java] org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:159)
[java] org.ofbiz.order.order.OrderServices.recalcOrderTax(OrderServices.java:1600)
[java] sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[java] sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
[java] sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
[java] java.lang.reflect.Method.invoke(Method.java:597)
[java] org.ofbiz.service.engine.StandardJavaEngine.serviceInvoker(StandardJavaEngine.java:100)
[java] org.ofbiz.service.engine.StandardJavaEngine.runSync(StandardJavaEngine.java:57)
[java] org.ofbiz.service.ModelServiceReader$GenericInvokerImpl.runSync(ModelServiceReader.java:785)
[java] _$gen.file_58$.home.abdullah.projects.ofbiz_45$sagepay_95$ws.ofbiz.applications.order.servicedef.services_46$xml_35$recalcTaxTotal.runSync(file:/home/abdullah/projects/ofbiz-sagepay_ws/ofbiz/applications/order/servicedef/services.xml#recalcTaxTotal:252)
[java] org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:394)
[java] org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:223)
[java] org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:159)
[java] org.ofbiz.service.eca.ServiceEcaAction.runAction(ServiceEcaAction.java:135)
[java] org.ofbiz.service.eca.ServiceEcaRule.eval(ServiceEcaRule.java:152)
[java] org.ofbiz.service.eca.ServiceEcaUtil.evalRules(ServiceEcaUtil.java:157)
[java] org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:492)
[java] org.ofbiz.service.ServiceDispatcher.runSyncIgnore(ServiceDispatcher.java:236)
[java] org.ofbiz.service.GenericDispatcher.runSyncIgnore(GenericDispatcher.java:185)
[java] org.ofbiz.order.order.OrderServices.cancelOrderItem(OrderServices.java:1971)
[java] sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[java] sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
[java] sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
[java] java.lang.reflect.Method.invoke(Method.java:597)
[java] org.ofbiz.service.engine.StandardJavaEngine.serviceInvoker(StandardJavaEngine.java:100)
[java] org.ofbiz.service.engine.StandardJavaEngine.runSync(StandardJavaEngine.java:57)
[java] org.ofbiz.service.ModelServiceReader$GenericInvokerImpl.runSync(ModelServiceReader.java:785)
[java] _$gen.file_58$.home.abdullah.projects.ofbiz_45$sagepay_95$ws.ofbiz.applications.order.servicedef.services_46$xml_35$cancelOrderItem.runSync(file:/home/abdullah/projects/ofbiz-sagepay_ws/ofbiz/applications/order/servicedef/services.xml#cancelOrderItem:283)
[java] org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:394)
[java] org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:223)
[java] org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:159)
[java] org.ofbiz.webapp.event.ServiceEventHandler.invoke(ServiceEventHandler.java:336)
[java] org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:611)
[java] org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:374)
[java] org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:216)
[java] org.ofbiz.webapp.control.ControlServlet.doPost(ControlServlet.java:82)
[java] javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
[java] javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
[java] org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
[java] org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[java] org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:265)
[java] org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[java] org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[java] org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
[java] org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
[java] org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
[java] org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[java] org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[java] org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
[java] org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
[java] org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
[java] org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
[java] org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
[java] java.lang.Thread.run(Thread.java:619)
[java] --------------------------------------------------------------------------------
[java] 2009-10-23 14:36:07,313 (http-0.0.0.0-8443-1) [ ServiceDispatcher.java:532:ERROR] Error in Service [createOrderAdjustment]: Security Error : to run createOrderAdjustment you must have the ORDERMGR_CREATE or ORDERMGR_ADMIN permission

Re: permission error on cancel order item from ecommerce

Jacques Le Roux
Administrator
Abdullah,

Yes, overriding the service without permission check only for ecommerce use seems the better choice IMO.

Jacques


Re: permission error on cancel order item from ecommerce

Abdullah Shaikh-3
Yes, I guess maybe this is the only solution for this, should I submit the
overriding service patch for this or should I wait for some more ideas to
pour in for this ?


Re: permission error on cancel order item from ecommerce

Abdullah Shaikh-3
Hi All,

Any thoughts on this ?

Jacques, should I proceed with the overriding service patch ?


Re: permission error on cancel order item from ecommerce

Scott Gray-2
My first thought without looking at it is that the permission checking  
service should be improved to allow the order placing party to invoke  
the service.  I don't personally think a separate service definition  
is the way to go.

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com


Re: permission error on cancel order item from ecommerce

Jacques Le Roux
Administrator
In reply to this post by Abdullah Shaikh-3
Yes, it's ok on my side

Jacques


Re: permission error on cancel order item from ecommerce

Abdullah Shaikh-3
In reply to this post by Scott Gray-2
Hi Scott,

Yes, I too thought of improving the already implemented service; I always
have that as a first preference, and all should, to make better code.

Now coming back to the issue, below is what I have already commented in my
previous post.

This error is because the party (customer) doesn't have the ORDERMGR_CREATE
or ORDERMGR_ADMIN permission, but we can't give this permission to a
customer. Further, as the common service is called from ecommerce and order
manager for cancel, the solution will be to check the party's role: if it's a
CUSTOMER, then I guess we can use the SYSTEM user in place of the
PARTY (CUSTOMER); for this we need to give ORDERMGR permission to the SYSTEM
user. But then it will seem as if the SYSTEM user has cancelled the order
and not the CUSTOMER?

The only thought that came to my mind to improve the permission check
service is as above, but then I guess it will lead to some other issues.

- Abdullah


Re: permission error on cancel order item from ecommerce

Scott Gray-2
Why do we need to use the system userlogin?  If we change the  
permission check to allow the placing party authorization then we  
shouldn't need to switch anything.  This type of situation is handled  
in a few places around OFBiz, I would suggest that you find and take a  
look at them (which is what I would have to do to answer any more  
questions :-)

Regards
Scott

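The three options raised in this thread (run as SYSTEM, an override service with no permission check, and a permission check that also admits the order-placing party), compared in a simplified Java model. This is an added example, not OFBiz code and not from any poster: every class, method and user name is hypothetical, and the RUN_AS_SYSTEM branch assumes the identity swap happens for any customer caller, as literally described above.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Simplified model for illustration; none of these types are OFBiz classes.
public class OrderCancelPermissionDemo {

    static final class UserLogin {
        final String userLoginId;
        final String partyId;
        final Set<String> permissions;

        UserLogin(String userLoginId, String partyId, String... permissions) {
            this.userLoginId = userLoginId;
            this.partyId = partyId;
            this.permissions = new HashSet<>(Arrays.asList(permissions));
        }
    }

    static final class Order {
        final String orderId;
        final String placingPartyId;
        final List<String> audit = new ArrayList<>();

        Order(String orderId, String placingPartyId) {
            this.orderId = orderId;
            this.placingPartyId = placingPartyId;
        }
    }

    enum Strategy { RUN_AS_SYSTEM, NO_PERMISSION_CHECK, OWNER_AWARE_CHECK }

    // Stand-in for the SYSTEM user after it has been granted ORDERMGR permission.
    static final UserLogin SYSTEM = new UserLogin("system", "system", "ORDERMGR_ADMIN");

    // The check named in the error message: role permissions only.
    static boolean hasOrderMgrPermission(UserLogin user) {
        return user.permissions.contains("ORDERMGR_CREATE")
                || user.permissions.contains("ORDERMGR_ADMIN");
    }

    // Owner-aware check: an order manager, or the party that placed this order.
    static boolean orderPermissionCheck(UserLogin user, Order order) {
        if (user == null || order == null) {
            return false; // fail closed on missing context
        }
        return hasOrderMgrPermission(user)
                || (user.partyId != null && user.partyId.equals(order.placingPartyId));
    }

    // Models cancelOrderItem plus the nested createOrderAdjustment call from the trace.
    static boolean cancelOrderItem(UserLogin caller, Order order, Strategy strategy) {
        UserLogin effective = caller;
        boolean allowed;
        switch (strategy) {
            case RUN_AS_SYSTEM:
                effective = SYSTEM; // identity swapped before the check
                allowed = hasOrderMgrPermission(effective);
                break;
            case NO_PERMISSION_CHECK:
                allowed = true; // override service without a permission check
                break;
            default:
                allowed = orderPermissionCheck(caller, order);
                break;
        }
        if (!allowed) {
            order.audit.add("DENIED cancelOrderItem for " + caller.userLoginId);
            return false;
        }
        // The nested service runs with the same identity, so it is attributed the same way.
        order.audit.add("cancelOrderItem by " + effective.userLoginId);
        order.audit.add("createOrderAdjustment by " + effective.userLoginId);
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample users; the order id is the one from the error message.
        UserLogin owner = new UserLogin("customerA", "partyA");
        UserLogin other = new UserLogin("customerB", "partyB");
        UserLogin clerk = new UserLogin("clerk", "partyC", "ORDERMGR_CREATE");

        for (Strategy strategy : Strategy.values()) {
            System.out.println("== " + strategy);
            for (UserLogin caller : Arrays.asList(owner, other, clerk)) {
                Order order = new Order("WSCO11640", "partyA");
                boolean ok = cancelOrderItem(caller, order, strategy);
                System.out.println(caller.userLoginId + " -> " + (ok ? "allowed" : "denied")
                        + " " + order.audit);
            }
        }
    }
}
```

In this model only OWNER_AWARE_CHECK both denies customerB on customerA's order and records the real caller in the audit trail; RUN_AS_SYSTEM attributes every cancel to system, and NO_PERMISSION_CHECK lets any caller cancel any order.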

Re: permission error on cancel order item from ecommerce

Abdullah Shaikh-3
ok, I will take a look, can you please point to one of them, if you have any
in mind.

Also, I didn't get what you meant by "change the permission check to allow
the placing party authorization", can you please explain a bit more ?


Re: permission error on cancel order item from ecommerce

Scott Gray-2
Okay I did the search :-)
Check out partyContactMechPermissionCheck and note its usage in the
service defs with the permission-service element.

Regards
Scott

>>>>>>> check
>>>>>>> only for ecommerce use.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>
>>



Re: permission error on cancel order item from ecommerce

Abdullah Shaikh-3
Scott, I had a look at it and I guess this should work, I will try it out
later in the day and let you know.

Thanks for pointing

On Mon, Oct 26, 2009 at 2:56 PM, Scott Gray <[hidden email]> wrote:

> Okay I did the search :-)
> Check out partyContactMechPermissionCheck and note its usage in the
> service defs with the permission-service element.
>
> Regards
> Scott

Re: permission error on cancel order item from ecommerce

Abdullah Shaikh-3
I tried this, it's working fine using the permission-service-element, there
is no security error when doing a cancel item, but the cancel functionality
is not working, the item is not getting cancelled, I will take a look at it
later and post the details, will raise a jira issue for this.

Will be submitting the patch for security error.

On Mon, Oct 26, 2009 at 3:13 PM, Abdullah Shaikh <
[hidden email]> wrote:

> Scott, I had a look at it and I guess this should work, I will try it out
> later in the day and let you know.
>
> Thanks for pointing

Re: permission error on cancel order item from ecommerce

Abdullah Shaikh-3
Hi Scott, as per your suggestion I have implemented a permission checking
service, please have a look and let me know if it's alright, although I
tested this on my system, it was working fine, I didn't get any permission
error.

Patch attached - https://issues.apache.org/jira/browse/OFBIZ-3075

- Abdullah

On Wed, Oct 28, 2009 at 7:32 PM, Abdullah Shaikh <
[hidden email]> wrote:

> I tried this, it's working fine using the permission-service-element, there
> is no security error when doing a cancel item, but the cancel functionality
> is not working, the item is not getting cancelled, I will take a look at it
> later and post the details, will raise a jira issue for this.
>
> Will be submitting the patch for security error.
>
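
The design choice debated in this thread, modelled as an added Python example (not OFBiz code and not the patch attached to OFBIZ-3075): a permission check that admits order managers or the order's placing party keeps the customer as the recorded actor, while substituting SYSTEM loses that attribution. The classes, function names and sample users are assumptions; only the ORDERMGR_CREATE and ORDERMGR_ADMIN permission names come from the error message.

```python
from dataclasses import dataclass, field

# Constructed model of the thread's scenario; these are not OFBiz entities or
# APIs. Only the two permission names are taken from the error message.
MANAGER_PERMS = {"ORDERMGR_CREATE", "ORDERMGR_ADMIN"}


@dataclass(frozen=True)
class UserLogin:
    user_login_id: str
    party_id: str
    permissions: frozenset = frozenset()


@dataclass
class Order:
    order_id: str
    placing_party_id: str
    cancelled_items: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # (actor, action, item) tuples


def has_cancel_permission(user: UserLogin, order: Order) -> bool:
    """Allow order managers, or the party that placed this specific order."""
    if MANAGER_PERMS & user.permissions:
        return True
    return user.party_id == order.placing_party_id


def cancel_item(user: UserLogin, order: Order, item_seq: str) -> bool:
    """Run the permission check first; the real caller stays the audit actor."""
    if not has_cancel_permission(user, order):
        order.audit.append((user.user_login_id, "DENIED_CANCEL", item_seq))
        return False
    order.cancelled_items.append(item_seq)
    order.audit.append((user.user_login_id, "CANCEL", item_seq))
    return True


SYSTEM = UserLogin("system", "system", frozenset({"ORDERMGR_ADMIN"}))


def cancel_item_as_system(user: UserLogin, order: Order, item_seq: str) -> bool:
    """SYSTEM substitution from the thread, for contrast: the check runs
    against SYSTEM, so it passes for any caller and the audit names SYSTEM."""
    return cancel_item(SYSTEM, order, item_seq)


def demo() -> dict:
    alice = UserLogin("alice", "P-ALICE")  # placed the order
    bob = UserLogin("bob", "P-BOB")        # unrelated customer
    clerk = UserLogin("clerk", "P-CLERK", frozenset({"ORDERMGR_CREATE"}))
    order = Order("ORDER-1", placing_party_id="P-ALICE")
    return {
        "alice": cancel_item(alice, order, "00001"),
        "bob": cancel_item(bob, order, "00002"),
        "clerk": cancel_item(clerk, order, "00003"),
        "bob_via_system": cancel_item_as_system(bob, order, "00004"),
        "audit": list(order.audit),  # evaluated last, after the four calls
    }


if __name__ == "__main__":
    print(demo())
```
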