You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by Suraj Khurana <su...@hotwaxsystems.com> on 2017/12/01 08:41:24 UTC
Re: Permission overrides auth parameter of service
Thanks everyone for your inputs.
Yes, there are similar occurrences where permission service is defined and
service is used in case of an anonymous user as well.
Example: *CreateShoppingList* and related services
I was presuming we can execute any service as permission service
irrespective of taking *userLogin *into consideration. Please correct me if
I am wrong or missing something.
--
Thanks and Regards,
*Suraj Khurana* | Sr. Enterprise Software Engineer
*HotWax Commerce* by *HotWax Systems*
Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
On Wed, Nov 29, 2017 at 7:35 PM, Rishi Solanki <ri...@gmail.com>
wrote:
> If an service implements and do checks for the permissions then it must
> have the auth set as true. If any occurrences found then it should be by
> mistake and service definition should be fix to match.
>
> So I think the behavior we have is correct, whenever we want to check the
> permission it should have the user in context.
>
> Suraj, Any scenario you have in mind where we only require permission
> service without user?
>
>
> Rishi Solanki
> Sr Manager, Enterprise Software Development
> HotWax Systems Pvt. Ltd.
> Direct: +91-9893287847
> http://www.hotwaxsystems.com
> www.hotwax.co
>
> On Wed, Nov 29, 2017 at 1:39 PM, Scott Gray <sc...@hotwaxsystems.com>
> wrote:
>
> > auth="false" and a permission service are completely incompatible
> > scenarios. In what situation could you possibly have no userLogin and
> > successfully run a permission service?
> >
> > What would you expect to happen instead of the current behavior?
> >
> > Regards
> > Scott
> >
> > On 3 November 2017 at 17:35, Suraj Khurana <suraj.khurana@hotwaxsystems.
> > com>
> > wrote:
> >
> > > Hello team,
> > >
> > > I noticed that in any service definition if auth is set to false and
> > > permission service is also the service definition, it overrides the
> auth
> > > parameter to true by itself.
> > >
> > > For quick reference, it is written at *createPermission* method of
> > > *ModelServiceReader* class.
> > > Can someone please elaborate this behavior. IMO, this should not
> happen.
> > >
> > > --
> > > Thanks and Regards,
> > > *Suraj Khurana* | Sr. Enterprise Software Engineer
> > > *HotWax* *Commerce* by *HotWax Systems*
> > > Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
> > >
> >
>
Re: Permission overrides auth parameter of service
Posted by Scott Gray <sc...@hotwaxsystems.com>.
Ok I see, so there is a need for permission services to be able to run
without a userLogin value in some cases. Specifically in situations where
the other parameters provided can determine whether an anonymous user is
authorized to execute the given service.
Thanks for providing the additional info.
Regards
Scott
On 24 December 2017 at 00:38, Chinmay Patidar <
chinmay.patidar@hotwaxsystems.com> wrote:
> Hello All,
>
> Adding to the Suraj's example of CreateShoppingList, I would like to
> elaborate more on the same.
>
> In current implementation, 'checkShoppingListSecurity' service is a
> permission-service for 'createShoppingList' service. The system creates a
> shopping list for an anonymous user on the ecommerce when adding an item to
> the cart (try in incognito window so it doesn't pick party from the cache).
> But with the current implementation, checkShoppingListSecurity returns an
> error saying that "You must be logged in to complete the process". In
> simple words, the 'createShoppingList' service gets called for an anonymous
> user which eventually triggers 'checkShoppingListSecurity' service.
>
> The above explanation gives an example of a use case where one could
> possibly have no userLogin but has a permission service implemented(for
> covering use cases of userLogin).
>
> Also, it seems that one can't use a permission-service when no
> userLogin would be present.
>
> Also, for now, to fix the issue we can call the "checkShoppingListSecurity"
> service from the service declaration/implementation to overcome the error
> of no userLogin. Although, it creates confusion to me that the same service
> when called internally works fine but when called as a permission service,
> returns an error.
>
> Please let me know if calling the security service internally would be the
> proper approach.
>
> Thanks,
> *Chinmay Patidar* | Sr. Enterprise Software Engineer
> HotWax Commerce by HotWax Systems
> Plot no. 80, Scheme no. 78 Part 2, Near Brilliant Convention Center,
> Indore,
> M.P, India - 452010
> Cell phone: +91-9713978795
>
> On Mon, Dec 11, 2017 at 5:43 PM, Jacques Le Roux <
> jacques.le.roux@les7arts.com> wrote:
>
> > Hi Suraj,
> >
> > I don't see how you could check permissions for an anonymous user.
> > Maybe by giving anonymous users specific permissions in the context of
> > ecommerce?
> >
> > But does it makes sense, I'm not sure. Then maybe as mentioned Rishi we
> > should fix services like CreateShoppingList
> > BTW did you cross any issues with anonymous users or is that only you
> > thinking?
> >
> > Jacques
> >
> >
> >
> > Le 01/12/2017 à 09:41, Suraj Khurana a écrit :
> >
> >> Thanks everyone for your inputs.
> >>
> >> Yes, there are similar occurrences where permission service is defined
> and
> >> service is used in case of an anonymous user as well.
> >> Example: *CreateShoppingList* and related services
> >>
> >> I was presuming we can execute any service as permission service
> >> irrespective of taking *userLogin *into consideration. Please correct me
> >> if
> >> I am wrong or missing something.
> >>
> >> --
> >> Thanks and Regards,
> >> *Suraj Khurana* | Sr. Enterprise Software Engineer
> >> *HotWax Commerce* by *HotWax Systems*
> >> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
> >>
> >>
> >> On Wed, Nov 29, 2017 at 7:35 PM, Rishi Solanki <rishisolankii@gmail.com
> >
> >> wrote:
> >>
> >> If an service implements and do checks for the permissions then it must
> >>> have the auth set as true. If any occurrences found then it should be
> by
> >>> mistake and service definition should be fix to match.
> >>>
> >>> So I think the behavior we have is correct, whenever we want to check
> the
> >>> permission it should have the user in context.
> >>>
> >>> Suraj, Any scenario you have in mind where we only require permission
> >>> service without user?
> >>>
> >>>
> >>> Rishi Solanki
> >>> Sr Manager, Enterprise Software Development
> >>> HotWax Systems Pvt. Ltd.
> >>> Direct: +91-9893287847
> >>> http://www.hotwaxsystems.com
> >>> www.hotwax.co
> >>>
> >>> On Wed, Nov 29, 2017 at 1:39 PM, Scott Gray <
> >>> scott.gray@hotwaxsystems.com>
> >>> wrote:
> >>>
> >>> auth="false" and a permission service are completely incompatible
> >>>> scenarios. In what situation could you possibly have no userLogin and
> >>>> successfully run a permission service?
> >>>>
> >>>> What would you expect to happen instead of the current behavior?
> >>>>
> >>>> Regards
> >>>> Scott
> >>>>
> >>>> On 3 November 2017 at 17:35, Suraj Khurana
> <suraj.khurana@hotwaxsystems.
> >>>> com>
> >>>> wrote:
> >>>>
> >>>> Hello team,
> >>>>>
> >>>>> I noticed that in any service definition if auth is set to false and
> >>>>> permission service is also the service definition, it overrides the
> >>>>>
> >>>> auth
> >>>
> >>>> parameter to true by itself.
> >>>>>
> >>>>> For quick reference, it is written at *createPermission* method of
> >>>>> *ModelServiceReader* class.
> >>>>> Can someone please elaborate this behavior. IMO, this should not
> >>>>>
> >>>> happen.
> >>>
> >>>> --
> >>>>> Thanks and Regards,
> >>>>> *Suraj Khurana* | Sr. Enterprise Software Engineer
> >>>>> *HotWax* *Commerce* by *HotWax Systems*
> >>>>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
> >>>>>
> >>>>>
> >
>
Re: Permission overrides auth parameter of service
Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Chinmay, Suraj,
Thanks for the tip, https://issues.apache.org/jira/browse/OFBIZ-5157 is related
Jacques
Le 23/12/2017 à 12:46, Chinmay Patidar a écrit :
> Just missed a point. To regenerate the issue one has to update the 'Auto
> Save Cart' to 'Y' for the e-commerce product store record.
>
> Thanks,
> *Chinmay Patidar* | Sr. Enterprise Software Engineer
> HotWax Commerce by HotWax Systems
> Plot no. 80, Scheme no. 78 Part 2, Near Brilliant Convention Center, Indore,
> M.P, India - 452010
> Cell phone: +91-9713978795
>
> On Sat, Dec 23, 2017 at 5:08 PM, Chinmay Patidar <
> chinmay.patidar@hotwaxsystems.com> wrote:
>
>> Hello All,
>>
>> Adding to the Suraj's example of CreateShoppingList, I would like to
>> elaborate more on the same.
>>
>> In current implementation, 'checkShoppingListSecurity' service is a
>> permission-service for 'createShoppingList' service. The system creates a
>> shopping list for an anonymous user on the ecommerce when adding an item to
>> the cart (try in incognito window so it doesn't pick party from the cache).
>> But with the current implementation, checkShoppingListSecurity returns an
>> error saying that "You must be logged in to complete the process". In
>> simple words, the 'createShoppingList' service gets called for an anonymous
>> user which eventually triggers 'checkShoppingListSecurity' service.
>>
>> The above explanation gives an example of a use case where one could
>> possibly have no userLogin but has a permission service implemented(for
>> covering use cases of userLogin).
>>
>> Also, it seems that one can't use a permission-service when no
>> userLogin would be present.
>>
>> Also, for now, to fix the issue we can call the
>> "checkShoppingListSecurity" service from the service
>> declaration/implementation to overcome the error of no userLogin. Although,
>> it creates confusion to me that the same service when called internally
>> works fine but when called as a permission service, returns an error.
>>
>> Please let me know if calling the security service internally would be the
>> proper approach.
>>
>> Thanks,
>> *Chinmay Patidar* | Sr. Enterprise Software Engineer
>> HotWax Commerce by HotWax Systems
>> Plot no. 80, Scheme no. 78 Part 2, Near Brilliant Convention Center,
>> Indore, M.P, India - 452010
>> Cell phone: +91-9713978795
>>
>> On Mon, Dec 11, 2017 at 5:43 PM, Jacques Le Roux <
>> jacques.le.roux@les7arts.com> wrote:
>>
>>> Hi Suraj,
>>>
>>> I don't see how you could check permissions for an anonymous user.
>>> Maybe by giving anonymous users specific permissions in the context of
>>> ecommerce?
>>>
>>> But does it makes sense, I'm not sure. Then maybe as mentioned Rishi we
>>> should fix services like CreateShoppingList
>>> BTW did you cross any issues with anonymous users or is that only you
>>> thinking?
>>>
>>> Jacques
>>>
>>>
>>>
>>> Le 01/12/2017 à 09:41, Suraj Khurana a écrit :
>>>
>>>> Thanks everyone for your inputs.
>>>>
>>>> Yes, there are similar occurrences where permission service is defined
>>>> and
>>>> service is used in case of an anonymous user as well.
>>>> Example: *CreateShoppingList* and related services
>>>>
>>>> I was presuming we can execute any service as permission service
>>>> irrespective of taking *userLogin *into consideration. Please correct me
>>>> if
>>>> I am wrong or missing something.
>>>>
>>>> --
>>>> Thanks and Regards,
>>>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>>>> *HotWax Commerce* by *HotWax Systems*
>>>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>>>
>>>>
>>>> On Wed, Nov 29, 2017 at 7:35 PM, Rishi Solanki <ri...@gmail.com>
>>>> wrote:
>>>>
>>>> If an service implements and do checks for the permissions then it must
>>>>> have the auth set as true. If any occurrences found then it should be by
>>>>> mistake and service definition should be fix to match.
>>>>>
>>>>> So I think the behavior we have is correct, whenever we want to check
>>>>> the
>>>>> permission it should have the user in context.
>>>>>
>>>>> Suraj, Any scenario you have in mind where we only require permission
>>>>> service without user?
>>>>>
>>>>>
>>>>> Rishi Solanki
>>>>> Sr Manager, Enterprise Software Development
>>>>> HotWax Systems Pvt. Ltd.
>>>>> Direct: +91-9893287847
>>>>> http://www.hotwaxsystems.com
>>>>> www.hotwax.co
>>>>>
>>>>> On Wed, Nov 29, 2017 at 1:39 PM, Scott Gray <
>>>>> scott.gray@hotwaxsystems.com>
>>>>> wrote:
>>>>>
>>>>> auth="false" and a permission service are completely incompatible
>>>>>> scenarios. In what situation could you possibly have no userLogin and
>>>>>> successfully run a permission service?
>>>>>>
>>>>>> What would you expect to happen instead of the current behavior?
>>>>>>
>>>>>> Regards
>>>>>> Scott
>>>>>>
>>>>>> On 3 November 2017 at 17:35, Suraj Khurana
>>>>>> <suraj.khurana@hotwaxsystems.
>>>>>> com>
>>>>>> wrote:
>>>>>>
>>>>>> Hello team,
>>>>>>> I noticed that in any service definition if auth is set to false and
>>>>>>> permission service is also the service definition, it overrides the
>>>>>>>
>>>>>> auth
>>>>>> parameter to true by itself.
>>>>>>> For quick reference, it is written at *createPermission* method of
>>>>>>> *ModelServiceReader* class.
>>>>>>> Can someone please elaborate this behavior. IMO, this should not
>>>>>>>
>>>>>> happen.
>>>>>> --
>>>>>>> Thanks and Regards,
>>>>>>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>>>>>>> *HotWax* *Commerce* by *HotWax Systems*
>>>>>>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>>>>>>
>>>>>>>
Re: Permission overrides auth parameter of service
Posted by Chinmay Patidar <ch...@hotwaxsystems.com>.
Just missed a point. To regenerate the issue one has to update the 'Auto
Save Cart' to 'Y' for the e-commerce product store record.
Thanks,
*Chinmay Patidar* | Sr. Enterprise Software Engineer
HotWax Commerce by HotWax Systems
Plot no. 80, Scheme no. 78 Part 2, Near Brilliant Convention Center, Indore,
M.P, India - 452010
Cell phone: +91-9713978795
On Sat, Dec 23, 2017 at 5:08 PM, Chinmay Patidar <
chinmay.patidar@hotwaxsystems.com> wrote:
> Hello All,
>
> Adding to the Suraj's example of CreateShoppingList, I would like to
> elaborate more on the same.
>
> In current implementation, 'checkShoppingListSecurity' service is a
> permission-service for 'createShoppingList' service. The system creates a
> shopping list for an anonymous user on the ecommerce when adding an item to
> the cart (try in incognito window so it doesn't pick party from the cache).
> But with the current implementation, checkShoppingListSecurity returns an
> error saying that "You must be logged in to complete the process". In
> simple words, the 'createShoppingList' service gets called for an anonymous
> user which eventually triggers 'checkShoppingListSecurity' service.
>
> The above explanation gives an example of a use case where one could
> possibly have no userLogin but has a permission service implemented(for
> covering use cases of userLogin).
>
> Also, it seems that one can't use a permission-service when no
> userLogin would be present.
>
> Also, for now, to fix the issue we can call the
> "checkShoppingListSecurity" service from the service
> declaration/implementation to overcome the error of no userLogin. Although,
> it creates confusion to me that the same service when called internally
> works fine but when called as a permission service, returns an error.
>
> Please let me know if calling the security service internally would be the
> proper approach.
>
> Thanks,
> *Chinmay Patidar* | Sr. Enterprise Software Engineer
> HotWax Commerce by HotWax Systems
> Plot no. 80, Scheme no. 78 Part 2, Near Brilliant Convention Center,
> Indore, M.P, India - 452010
> Cell phone: +91-9713978795
>
> On Mon, Dec 11, 2017 at 5:43 PM, Jacques Le Roux <
> jacques.le.roux@les7arts.com> wrote:
>
>> Hi Suraj,
>>
>> I don't see how you could check permissions for an anonymous user.
>> Maybe by giving anonymous users specific permissions in the context of
>> ecommerce?
>>
>> But does it makes sense, I'm not sure. Then maybe as mentioned Rishi we
>> should fix services like CreateShoppingList
>> BTW did you cross any issues with anonymous users or is that only you
>> thinking?
>>
>> Jacques
>>
>>
>>
>> Le 01/12/2017 à 09:41, Suraj Khurana a écrit :
>>
>>> Thanks everyone for your inputs.
>>>
>>> Yes, there are similar occurrences where permission service is defined
>>> and
>>> service is used in case of an anonymous user as well.
>>> Example: *CreateShoppingList* and related services
>>>
>>> I was presuming we can execute any service as permission service
>>> irrespective of taking *userLogin *into consideration. Please correct me
>>> if
>>> I am wrong or missing something.
>>>
>>> --
>>> Thanks and Regards,
>>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>>> *HotWax Commerce* by *HotWax Systems*
>>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>>
>>>
>>> On Wed, Nov 29, 2017 at 7:35 PM, Rishi Solanki <ri...@gmail.com>
>>> wrote:
>>>
>>> If an service implements and do checks for the permissions then it must
>>>> have the auth set as true. If any occurrences found then it should be by
>>>> mistake and service definition should be fix to match.
>>>>
>>>> So I think the behavior we have is correct, whenever we want to check
>>>> the
>>>> permission it should have the user in context.
>>>>
>>>> Suraj, Any scenario you have in mind where we only require permission
>>>> service without user?
>>>>
>>>>
>>>> Rishi Solanki
>>>> Sr Manager, Enterprise Software Development
>>>> HotWax Systems Pvt. Ltd.
>>>> Direct: +91-9893287847
>>>> http://www.hotwaxsystems.com
>>>> www.hotwax.co
>>>>
>>>> On Wed, Nov 29, 2017 at 1:39 PM, Scott Gray <
>>>> scott.gray@hotwaxsystems.com>
>>>> wrote:
>>>>
>>>> auth="false" and a permission service are completely incompatible
>>>>> scenarios. In what situation could you possibly have no userLogin and
>>>>> successfully run a permission service?
>>>>>
>>>>> What would you expect to happen instead of the current behavior?
>>>>>
>>>>> Regards
>>>>> Scott
>>>>>
>>>>> On 3 November 2017 at 17:35, Suraj Khurana
>>>>> <suraj.khurana@hotwaxsystems.
>>>>> com>
>>>>> wrote:
>>>>>
>>>>> Hello team,
>>>>>>
>>>>>> I noticed that in any service definition if auth is set to false and
>>>>>> permission service is also the service definition, it overrides the
>>>>>>
>>>>> auth
>>>>
>>>>> parameter to true by itself.
>>>>>>
>>>>>> For quick reference, it is written at *createPermission* method of
>>>>>> *ModelServiceReader* class.
>>>>>> Can someone please elaborate this behavior. IMO, this should not
>>>>>>
>>>>> happen.
>>>>
>>>>> --
>>>>>> Thanks and Regards,
>>>>>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>>>>>> *HotWax* *Commerce* by *HotWax Systems*
>>>>>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>>>>>
>>>>>>
>>
>
Re: Permission overrides auth parameter of service
Posted by Chinmay Patidar <ch...@hotwaxsystems.com>.
Hello All,
Adding to the Suraj's example of CreateShoppingList, I would like to
elaborate more on the same.
In current implementation, 'checkShoppingListSecurity' service is a
permission-service for 'createShoppingList' service. The system creates a
shopping list for an anonymous user on the ecommerce when adding an item to
the cart (try in incognito window so it doesn't pick party from the cache).
But with the current implementation, checkShoppingListSecurity returns an
error saying that "You must be logged in to complete the process". In
simple words, the 'createShoppingList' service gets called for an anonymous
user which eventually triggers 'checkShoppingListSecurity' service.
The above explanation gives an example of a use case where one could
possibly have no userLogin but has a permission service implemented(for
covering use cases of userLogin).
Also, it seems that one can't use a permission-service when no
userLogin would be present.
Also, for now, to fix the issue we can call the "checkShoppingListSecurity"
service from the service declaration/implementation to overcome the error
of no userLogin. Although, it creates confusion to me that the same service
when called internally works fine but when called as a permission service,
returns an error.
Please let me know if calling the security service internally would be the
proper approach.
Thanks,
*Chinmay Patidar* | Sr. Enterprise Software Engineer
HotWax Commerce by HotWax Systems
Plot no. 80, Scheme no. 78 Part 2, Near Brilliant Convention Center, Indore,
M.P, India - 452010
Cell phone: +91-9713978795
On Mon, Dec 11, 2017 at 5:43 PM, Jacques Le Roux <
jacques.le.roux@les7arts.com> wrote:
> Hi Suraj,
>
> I don't see how you could check permissions for an anonymous user.
> Maybe by giving anonymous users specific permissions in the context of
> ecommerce?
>
> But does it makes sense, I'm not sure. Then maybe as mentioned Rishi we
> should fix services like CreateShoppingList
> BTW did you cross any issues with anonymous users or is that only you
> thinking?
>
> Jacques
>
>
>
> Le 01/12/2017 à 09:41, Suraj Khurana a écrit :
>
>> Thanks everyone for your inputs.
>>
>> Yes, there are similar occurrences where permission service is defined and
>> service is used in case of an anonymous user as well.
>> Example: *CreateShoppingList* and related services
>>
>> I was presuming we can execute any service as permission service
>> irrespective of taking *userLogin *into consideration. Please correct me
>> if
>> I am wrong or missing something.
>>
>> --
>> Thanks and Regards,
>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>> *HotWax Commerce* by *HotWax Systems*
>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>
>>
>> On Wed, Nov 29, 2017 at 7:35 PM, Rishi Solanki <ri...@gmail.com>
>> wrote:
>>
>> If an service implements and do checks for the permissions then it must
>>> have the auth set as true. If any occurrences found then it should be by
>>> mistake and service definition should be fix to match.
>>>
>>> So I think the behavior we have is correct, whenever we want to check the
>>> permission it should have the user in context.
>>>
>>> Suraj, Any scenario you have in mind where we only require permission
>>> service without user?
>>>
>>>
>>> Rishi Solanki
>>> Sr Manager, Enterprise Software Development
>>> HotWax Systems Pvt. Ltd.
>>> Direct: +91-9893287847
>>> http://www.hotwaxsystems.com
>>> www.hotwax.co
>>>
>>> On Wed, Nov 29, 2017 at 1:39 PM, Scott Gray <
>>> scott.gray@hotwaxsystems.com>
>>> wrote:
>>>
>>> auth="false" and a permission service are completely incompatible
>>>> scenarios. In what situation could you possibly have no userLogin and
>>>> successfully run a permission service?
>>>>
>>>> What would you expect to happen instead of the current behavior?
>>>>
>>>> Regards
>>>> Scott
>>>>
>>>> On 3 November 2017 at 17:35, Suraj Khurana <suraj.khurana@hotwaxsystems.
>>>> com>
>>>> wrote:
>>>>
>>>> Hello team,
>>>>>
>>>>> I noticed that in any service definition if auth is set to false and
>>>>> permission service is also the service definition, it overrides the
>>>>>
>>>> auth
>>>
>>>> parameter to true by itself.
>>>>>
>>>>> For quick reference, it is written at *createPermission* method of
>>>>> *ModelServiceReader* class.
>>>>> Can someone please elaborate this behavior. IMO, this should not
>>>>>
>>>> happen.
>>>
>>>> --
>>>>> Thanks and Regards,
>>>>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>>>>> *HotWax* *Commerce* by *HotWax Systems*
>>>>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>>>>
>>>>>
>
Re: Permission overrides auth parameter of service
Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Suraj,
I don't see how you could check permissions for an anonymous user.
Maybe by giving anonymous users specific permissions in the context of ecommerce?
But does it makes sense, I'm not sure. Then maybe as mentioned Rishi we should fix services like CreateShoppingList
BTW did you cross any issues with anonymous users or is that only you thinking?
Jacques
Le 01/12/2017 à 09:41, Suraj Khurana a écrit :
> Thanks everyone for your inputs.
>
> Yes, there are similar occurrences where permission service is defined and
> service is used in case of an anonymous user as well.
> Example: *CreateShoppingList* and related services
>
> I was presuming we can execute any service as permission service
> irrespective of taking *userLogin *into consideration. Please correct me if
> I am wrong or missing something.
>
> --
> Thanks and Regards,
> *Suraj Khurana* | Sr. Enterprise Software Engineer
> *HotWax Commerce* by *HotWax Systems*
> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>
>
> On Wed, Nov 29, 2017 at 7:35 PM, Rishi Solanki <ri...@gmail.com>
> wrote:
>
>> If an service implements and do checks for the permissions then it must
>> have the auth set as true. If any occurrences found then it should be by
>> mistake and service definition should be fix to match.
>>
>> So I think the behavior we have is correct, whenever we want to check the
>> permission it should have the user in context.
>>
>> Suraj, Any scenario you have in mind where we only require permission
>> service without user?
>>
>>
>> Rishi Solanki
>> Sr Manager, Enterprise Software Development
>> HotWax Systems Pvt. Ltd.
>> Direct: +91-9893287847
>> http://www.hotwaxsystems.com
>> www.hotwax.co
>>
>> On Wed, Nov 29, 2017 at 1:39 PM, Scott Gray <sc...@hotwaxsystems.com>
>> wrote:
>>
>>> auth="false" and a permission service are completely incompatible
>>> scenarios. In what situation could you possibly have no userLogin and
>>> successfully run a permission service?
>>>
>>> What would you expect to happen instead of the current behavior?
>>>
>>> Regards
>>> Scott
>>>
>>> On 3 November 2017 at 17:35, Suraj Khurana <suraj.khurana@hotwaxsystems.
>>> com>
>>> wrote:
>>>
>>>> Hello team,
>>>>
>>>> I noticed that in any service definition if auth is set to false and
>>>> permission service is also the service definition, it overrides the
>> auth
>>>> parameter to true by itself.
>>>>
>>>> For quick reference, it is written at *createPermission* method of
>>>> *ModelServiceReader* class.
>>>> Can someone please elaborate this behavior. IMO, this should not
>> happen.
>>>> --
>>>> Thanks and Regards,
>>>> *Suraj Khurana* | Sr. Enterprise Software Engineer
>>>> *HotWax* *Commerce* by *HotWax Systems*
>>>> Plot no. 80, Scheme no. 78, Vijay Nagar, Indore, M.P. India 452010
>>>>