permission error on cancel order item from ecommerce

If I cancel an order item from ecommerce. I get, the below error displayed
on the page.

The Following Errors Occurred:
Unable to cancel order line : WSCO11640 / 00001 / null

Note to test this you need to take the latest update of apply this patch
https://issues.apache.org/jira/browse/OFBIZ-2408.

Below is the error trace from console, this error is because the party
(customer) doesn't have the ORDERMGR_CREATE or ORDERMGR_ADMIN permission,
but we can't give this permission to a customer, further as the common
service is called from ecommerce and order manager for cancel, the solution
will be to check the party's role, if its a CUSTOMER, then I guess we can
use the SYSTEM user in place of the PARTY(CUSTOMER), for this we need to
give ORDERMGR permission to the SYSTEM user.

But then it will seem as if the SYSTEM user has cancelled the order and not
the CUSTOMER ?

Another solution will be to override the service without permission check
only for ecommerce use.

The exception on the console is below :

[java] ---- exception report
----------------------------------------------------------
[java] [TransactionUtil.setRollbackOnly] Calling transaction
setRollbackOnly; this stack trace shows where this is happening:
[java] Exception: java.lang.Exception
[java] Message: Error in simple-method [Create an OrderAdjustment
file:/home/abdullah/projects/ofbiz_ws/ofbiz/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml#createOrderAdjustment]:
; [Security Error : to run createOrderAdjustment you must have the
ORDERMGR_CREATE or ORDERMGR_ADMIN permission]
[java] ---- stack trace
---------------------------------------------------------------
[java] java.lang.Exception: Error in simple-method [Create an
OrderAdjustment
file:/home/abdullah/projects/ofbiz-sagepay_ws/ofbiz/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml#createOrderAdjustment]:
; [Security Error : to run createOrderAdjustment you must have the
ORDERMGR_CREATE or ORDERMGR_ADMIN permission]
[java]
org.ofbiz.entity.transaction.TransactionUtil.setRollbackOnly(TransactionUtil.java:371)
[java]
org.ofbiz.entity.transaction.TransactionUtil.rollback(TransactionUtil.java:318)
[java] org.ofbiz.minilang.SimpleMethod.exec(SimpleMethod.java:833)
[java]
org.ofbiz.minilang.SimpleMethod.runSimpleMethod(SimpleMethod.java:160)
[java]
org.ofbiz.minilang.SimpleMethod.runSimpleService(SimpleMethod.java:142)
[java]
org.ofbiz.minilang.SimpleServiceEngine.serviceInvoker(SimpleServiceEngine.java:78)
[java]
org.ofbiz.minilang.SimpleServiceEngine.runSync(SimpleServiceEngine.java:53)
[java]
org.ofbiz.service.ModelServiceReader$GenericInvokerImpl.runSync(ModelServiceReader.java:785)
[java]
_$gen.file_58$.home.abdullah.projects.ofbiz_45$sagepay_95$ws.ofbiz.applications.order.servicedef.services_46$xml_35$createOrderAdjustment.runSync(file:/home/abdullah/projects/ofbiz-sagepay_ws/ofbiz/applications/order/servicedef/services.xml#createOrderAdjustment:184)
[java]
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:394)
[java]
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:223)
[java]
org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:159)
[java]
org.ofbiz.order.order.OrderServices.recalcOrderTax(OrderServices.java:1600)
[java] sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[java]
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
[java]
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
[java] java.lang.reflect.Method.invoke(Method.java:597)
[java]
org.ofbiz.service.engine.StandardJavaEngine.serviceInvoker(StandardJavaEngine.java:100)
[java]
org.ofbiz.service.engine.StandardJavaEngine.runSync(StandardJavaEngine.java:57)
[java]
org.ofbiz.service.ModelServiceReader$GenericInvokerImpl.runSync(ModelServiceReader.java:785)
[java]
_$gen.file_58$.home.abdullah.projects.ofbiz_45$sagepay_95$ws.ofbiz.applications.order.servicedef.services_46$xml_35$recalcTaxTotal.runSync(file:/home/abdullah/projects/ofbiz-sagepay_ws/ofbiz/applications/order/servicedef/services.xml#recalcTaxTotal:252)
[java]
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:394)
[java]
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:223)
[java]
org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:159)
[java]
org.ofbiz.service.eca.ServiceEcaAction.runAction(ServiceEcaAction.java:135)
[java] org.ofbiz.service.eca.ServiceEcaRule.eval(ServiceEcaRule.java:152)
[java]
org.ofbiz.service.eca.ServiceEcaUtil.evalRules(ServiceEcaUtil.java:157)
[java]
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:492)
[java]
org.ofbiz.service.ServiceDispatcher.runSyncIgnore(ServiceDispatcher.java:236)
[java]
org.ofbiz.service.GenericDispatcher.runSyncIgnore(GenericDispatcher.java:185)
[java]
org.ofbiz.order.order.OrderServices.cancelOrderItem(OrderServices.java:1971)
[java] sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[java]
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
[java]
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
[java] java.lang.reflect.Method.invoke(Method.java:597)
[java]
org.ofbiz.service.engine.StandardJavaEngine.serviceInvoker(StandardJavaEngine.java:100)
[java]
org.ofbiz.service.engine.StandardJavaEngine.runSync(StandardJavaEngine.java:57)
[java]
org.ofbiz.service.ModelServiceReader$GenericInvokerImpl.runSync(ModelServiceReader.java:785)
[java]
_$gen.file_58$.home.abdullah.projects.ofbiz_45$sagepay_95$ws.ofbiz.applications.order.servicedef.services_46$xml_35$cancelOrderItem.runSync(file:/home/abdullah/projects/ofbiz-sagepay_ws/ofbiz/applications/order/servicedef/services.xml#cancelOrderItem:283)
[java]
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:394)
[java]
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:223)
[java]
org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:159)
[java]
org.ofbiz.webapp.event.ServiceEventHandler.invoke(ServiceEventHandler.java:336)
[java]
org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:611)
[java]
org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:374)
[java]
org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:216)
[java]
org.ofbiz.webapp.control.ControlServlet.doPost(ControlServlet.java:82)
[java] javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
[java] javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
[java]
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
[java]
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[java]
org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:265)
[java]
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[java]
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[java]
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
[java]
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
[java]
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
[java]
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[java]
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[java]
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
[java]
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
[java]
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
[java]
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
[java]
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
[java] java.lang.Thread.run(Thread.java:619)
[java]
--------------------------------------------------------------------------------
[java] 2009-10-23 14:36:07,313 (http-0.0.0.0-8443-1) [
ServiceDispatcher.java:532:ERROR] Error in Service [createOrderAdjustment]:
Security Error : to run createOrderAdjustment you must have the
ORDERMGR_CREATE or ORDERMGR_ADMIN permission

Abdullah,

Yes, overriding the service without permission check only for ecommerce use seems the better choise IMO

Jacques

From: "Abdullah Shaikh" <[hidden email]>
If I cancel an order item from ecommerce. I get, the below error displayed
on the page.

The Following Errors Occurred:
Unable to cancel order line : WSCO11640 / 00001 / null

Note to test this you need to take the latest update of apply this patch
https://issues.apache.org/jira/browse/OFBIZ-2408.

Below is the error trace from console, this error is because the party
(customer) doesn't have the ORDERMGR_CREATE or ORDERMGR_ADMIN permission,
but we can't give this permission to a customer, further as the common
service is called from ecommerce and order manager for cancel, the solution
will be to check the party's role, if its a CUSTOMER, then I guess we can
use the SYSTEM user in place of the PARTY(CUSTOMER), for this we need to
give ORDERMGR permission to the SYSTEM user.

But then it will seem as if the SYSTEM user has cancelled the order and not
the CUSTOMER ?

Another solution will be to override the service without permission check
only for ecommerce use.

Yes, I guess maybe this is the only solution for this, should I submit the
overriding service patch for this or should I wait for some more ideas to
pour in for this ?

On Fri, Oct 23, 2009 at 6:09 PM, Jacques Le Roux <
[hidden email]> wrote:

Hi All,

Any thoughts on this ?

Jacques, should I proceed with the overriding service patch ?

On Fri, Oct 23, 2009 at 6:21 PM, Abdullah Shaikh <
[hidden email]> wrote:

My first thought without looking at it is that the permission checking  
service should be improved to allow the order placing party to invoke  
the service.  I don't personally think a separate service definition  
is the way to go.

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 26/10/2009, at 8:43 PM, Abdullah Shaikh wrote:

Yes, it's ok on my side

Jacques

From: "Abdullah Shaikh" <[hidden email]>

Hi Scott,

Yes, I too thought of improving the already implemented service, I always
have that as a first preference, and all should, to make more better code.

Now coming back to the issue, below is what I have already comment in
previous post.

This error is because the party (customer) doesn't have the ORDERMGR_CREATE
or ORDERMGR_ADMIN permission, but we can't give this permission to a
customer, further as the common service is called from ecommerce and order
manager for cancel, the solution will be to check the party's role, if its a
CUSTOMER, then I guess we can use the SYSTEM user in place of the
PARTY(CUSTOMER), for this we need to give ORDERMGR permission to the SYSTEM
user. But then it will seem as if the SYSTEM user has cancelled the order
and
not the CUSTOMER ?

The only thought that came to my mind to improve the permission check
service is as above, but then I guess it will lead to some other issues.

- Abdullah

On Mon, Oct 26, 2009 at 1:20 PM, Scott Gray <[hidden email]>wrote:

Why do we need to use the system userlogin?  If we change the  
permission check to allow the placing party authorization then we  
shouldn't need to switch anything.  This type of situation is handled  
in a few places around OFBiz, I would suggest that you find and take a  
look at them (which is what I would have to do to answer any more  
questions :-)

Regards
Scott

On 26/10/2009, at 9:05 PM, Abdullah Shaikh wrote:

ok, I will take a look, can you please point to one of them, if you have any
in mind.

Also, I didn't get what you meant by "change the permission check to allow
the placing party authorization", can you please explain a bit more ?

On Mon, Oct 26, 2009 at 1:50 PM, Scott Gray <[hidden email]>wrote:

Okay I did the search :-)
Check out partyContactMechPermissionCheck and note it's usage in the  
service defs with the permission-service element.

Regards
Scott

On 26/10/2009, at 9:31 PM, Abdullah Shaikh wrote:

Scott, I had a look at it and I guess this should work, I will try it out
later in the day and let you know.

>
Thanks for pointing

On Mon, Oct 26, 2009 at 2:56 PM, Scott Gray <[hidden email]>wrote:

I tried this, it's working fine using the permission-service-element, there
is no security error when doing a cancel item, but the cancel functionality
is not working, the item is not getting cancelled, I will take a look at it
later and post the details, will raise a jira issue for this.

Will be submitting the patch for security error.

On Mon, Oct 26, 2009 at 3:13 PM, Abdullah Shaikh <
[hidden email]> wrote:

Hi Scott, as per your suggestion I have implemented a permission checking
service, please have a look and let me know if its alright, although I
tested this on my system, it was working fine, I didn't got any permission
error.

Patch attached - https://issues.apache.org/jira/browse/OFBIZ-3075

- Abdullah

On Wed, Oct 28, 2009 at 7:32 PM, Abdullah Shaikh <
[hidden email]> wrote: