Posted to user@ofbiz.apache.org by Abdullah Shaikh <ab...@viithiisys.com> on 2009/11/12 15:10:36 UTC

Re: permission error on cancel order item from ecommerce

Hi Scott, as per your suggestion I have implemented a permission checking
service, please have a look and let me know if it's alright, although I
tested this on my system, it was working fine, I didn't get any permission
error.

Patch attached - https://issues.apache.org/jira/browse/OFBIZ-3075

- Abdullah

On Wed, Oct 28, 2009 at 7:32 PM, Abdullah Shaikh <
abdullah.shaikh@viithiisys.com> wrote:

> I tried this, it's working fine using the permission-service-element, there
> is no security error when doing a cancel item, but the cancel functionality
> is not working, the item is not getting cancelled, I will take a look at it
> later and post the details, will raise a jira issue for this.
>
> Will be submitting the patch for security error.
>
>
> On Mon, Oct 26, 2009 at 3:13 PM, Abdullah Shaikh <
> abdullah.shaikh@viithiisys.com> wrote:
>
>> Scott, I had a look at it and I guess this should work, I will try it out
>> later in the day and let you know.
>>
>>>
>> Thanks for pointing
>>
>>
>> On Mon, Oct 26, 2009 at 2:56 PM, Scott Gray <sc...@hotwaxmedia.com> wrote:
>>
>>> Okay I did the search :-)
>>> Check out partyContactMechPermissionCheck and note its usage in the
>>> service defs with the permission-service element.
>>>
>>> Regards
>>> Scott
>>>
>>>
>>> On 26/10/2009, at 9:31 PM, Abdullah Shaikh wrote:
>>>
>>>  ok, I will take a look, can you please point to one of them, if you have
>>>> any
>>>> in mind.
>>>>
>>>> Also, I didn't get what you meant by "change the permission check to
>>>> allow
>>>> the placing party authorization", can you please explain a bit more ?
>>>>
>>>> On Mon, Oct 26, 2009 at 1:50 PM, Scott Gray <scott.gray@hotwaxmedia.com
>>>> >wrote:
>>>>
>>>>  Why do we need to use the system userlogin?  If we change the
>>>>> permission
>>>>> check to allow the placing party authorization then we shouldn't need
>>>>> to
>>>>> switch anything.  This type of situation is handled in a few places
>>>>> around
>>>>> OFBiz, I would suggest that you find and take a look at them (which is
>>>>> what
>>>>> I would have to do to answer any more questions :-)
>>>>>
>>>>> Regards
>>>>> Scott
>>>>>
>>>>>
>>>>> On 26/10/2009, at 9:05 PM, Abdullah Shaikh wrote:
>>>>>
>>>>> Hi Scott,
>>>>>
>>>>>>
>>>>>> Yes, I too thought of improving the already implemented service, I
>>>>>> always
>>>>>> have that as a first preference, and all should, to make better
>>>>>> code.
>>>>>>
>>>>>> Now coming back to the issue, below is what I have already commented in
>>>>>> previous post.
>>>>>>
>>>>>> This error is because the party (customer) doesn't have the
>>>>>> ORDERMGR_CREATE
>>>>>> or ORDERMGR_ADMIN permission, but we can't give this permission to a
>>>>>> customer, further as the common service is called from ecommerce and
>>>>>> order
>>>>>> manager for cancel, the solution will be to check the party's role, if
>>>>>> it's a
>>>>>> CUSTOMER, then I guess we can use the SYSTEM user in place of the
>>>>>> PARTY(CUSTOMER), for this we need to give ORDERMGR permission to the
>>>>>> SYSTEM
>>>>>> user. But then it will seem as if the SYSTEM user has cancelled the
>>>>>> order
>>>>>> and
>>>>>> not the CUSTOMER ?
>>>>>>
>>>>>> The only thought that came to my mind to improve the permission check
>>>>>> service is as above, but then I guess it will lead to some other
>>>>>> issues.
>>>>>>
>>>>>> - Abdullah
>>>>>>
>>>>>> On Mon, Oct 26, 2009 at 1:20 PM, Scott Gray <
>>>>>> scott.gray@hotwaxmedia.com
>>>>>>
>>>>>>> wrote:
>>>>>>>
>>>>>>
>>>>>> My first thought without looking at it is that the permission checking
>>>>>>
>>>>>>> service should be improved to allow the order placing party to invoke
>>>>>>> the
>>>>>>> service.  I don't personally think a separate service definition is
>>>>>>> the
>>>>>>> way
>>>>>>> to go.
>>>>>>>
>>>>>>> Regards
>>>>>>> Scott
>>>>>>>
>>>>>>> HotWax Media
>>>>>>> http://www.hotwaxmedia.com
>>>>>>>
>>>>>>>
>>>>>>> On 26/10/2009, at 8:43 PM, Abdullah Shaikh wrote:
>>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>>
>>>>>>>> Any thoughts on this ?
>>>>>>>>
>>>>>>>> Jacques, should I proceed with the overriding service patch ?
>>>>>>>>
>>>>>>>> On Fri, Oct 23, 2009 at 6:21 PM, Abdullah Shaikh <
>>>>>>>> abdullah.shaikh@viithiisys.com> wrote:
>>>>>>>>
>>>>>>>> Yes, I guess maybe this is the only solution for this, should I
>>>>>>>> submit
>>>>>>>>
>>>>>>>>  the
>>>>>>>>> overriding service patch for this or should I wait for some more
>>>>>>>>> ideas
>>>>>>>>> to
>>>>>>>>> pour in for this ?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Oct 23, 2009 at 6:09 PM, Jacques Le Roux <
>>>>>>>>> jacques.le.roux@les7arts.com> wrote:
>>>>>>>>>
>>>>>>>>> Abdullah,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Yes, overriding the service without permission check only for
>>>>>>>>>> ecommerce
>>>>>>>>>> use seems the better choice IMO
>>>>>>>>>>
>>>>>>>>>> Jacques
>>>>>>>>>>
>>>>>>>>>> From: "Abdullah Shaikh" <ab...@viithiisys.com>
>>>>>>>>>>
>>>>>>>>>> If I cancel an order item from ecommerce. I get, the below error
>>>>>>>>>> displayed
>>>>>>>>>> on the page.
>>>>>>>>>>
>>>>>>>>>> The Following Errors Occurred:
>>>>>>>>>> Unable to cancel order line : WSCO11640 / 00001 / null
>>>>>>>>>>
>>>>>>>>>> Note to test this you need to take the latest update of apply this
>>>>>>>>>> patch
>>>>>>>>>> https://issues.apache.org/jira/browse/OFBIZ-2408.
>>>>>>>>>>
>>>>>>>>>> Below is the error trace from console, this error is because the
>>>>>>>>>> party
>>>>>>>>>> (customer) doesn't have the ORDERMGR_CREATE or ORDERMGR_ADMIN
>>>>>>>>>> permission,
>>>>>>>>>> but we can't give this permission to a customer, further as the
>>>>>>>>>> common
>>>>>>>>>> service is called from ecommerce and order manager for cancel, the
>>>>>>>>>> solution
>>>>>>>>>> will be to check the party's role, if it's a CUSTOMER, then I guess
>>>>>>>>>> we
>>>>>>>>>> can
>>>>>>>>>> use the SYSTEM user in place of the PARTY(CUSTOMER), for this we
>>>>>>>>>> need
>>>>>>>>>> to
>>>>>>>>>> give ORDERMGR permission to the SYSTEM user.
>>>>>>>>>>
>>>>>>>>>> But then it will seem as if the SYSTEM user has cancelled the
>>>>>>>>>> order
>>>>>>>>>> and
>>>>>>>>>> not
>>>>>>>>>> the CUSTOMER ?
>>>>>>>>>>
>>>>>>>>>> Another solution will be to override the service without
>>>>>>>>>> permission
>>>>>>>>>> check
>>>>>>>>>> only for ecommerce use.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>
>>>
>>
>
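
Added example, not part of the thread and not OFBiz code: a small Python model of the three designs discussed above (a permission check that also admits the order-placing party, substituting the SYSTEM user, and overriding the service with no check), showing who gets through and who is recorded as the actor. All class, function and id names are constructed for illustration; only the permission names ORDERMGR_CREATE and ORDERMGR_ADMIN come from the thread.

```python
from dataclasses import dataclass, field
from typing import Optional
# Permission names come from the thread; all other names are constructed.
ORDER_PERMS = {"ORDERMGR_CREATE", "ORDERMGR_ADMIN"}

@dataclass
class UserLogin:
    user_login_id: str
    party_id: str
    permissions: set = field(default_factory=set)

@dataclass
class Order:
    order_id: str
    placing_party_id: str               # party that placed the order
    cancelled_by: Optional[str] = None  # audit field: who cancelled

def placing_party_check(user, order):
    """Allow order managers, or the party that placed this specific order."""
    return bool(user.permissions & ORDER_PERMS) or user.party_id == order.placing_party_id

def no_check(user, order):  # models "override the service without permission check"
    return True

def cancel_item(user, order, check=placing_party_check):
    """Cancel guarded by a pluggable permission check; records the real caller."""
    if not check(user, order):
        raise PermissionError(f"{user.user_login_id} may not cancel {order.order_id}")
    order.cancelled_by = user.user_login_id
    return order

def cancel_item_as_system(user, order, system_login):
    """Models swapping in the SYSTEM login: passes the check, loses attribution."""
    return cancel_item(system_login, order)

def demo():
    alice = UserLogin("alice", "PARTY_A")   # constructed customers
    bob = UserLogin("bob", "PARTY_B")
    system = UserLogin("system", "SYSTEM", {"ORDERMGR_ADMIN"})
    results = {"owner": cancel_item(alice, Order("DEMO1", "PARTY_A")).cancelled_by}
    try:
        cancel_item(bob, Order("DEMO2", "PARTY_A"))
        results["other_customer"] = "allowed"
    except PermissionError:
        results["other_customer"] = "denied"
    results["no_check"] = cancel_item(bob, Order("DEMO3", "PARTY_A"), no_check).cancelled_by
    results["as_system"] = cancel_item_as_system(alice, Order("DEMO4", "PARTY_A"), system).cancelled_by
    return results
```

With the placing-party check, the customer cancels their own order and is recorded as the actor, while a different customer is denied. The unchecked override lets that other customer cancel the order, and the SYSTEM swap records `system` rather than the customer.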