Posted to dev@ofbiz.apache.org by MrJohnBrown <mi...@softasap.net> on 2007/07/24 00:52:02 UTC

Re: createPartyRole permission for anonymous user

Hi Guys,

I am using revision 557394 and on anon checkout it looks like it has the
same old bug. I checked the partyservices.xml and it does have a tag
<accept-userlogin-party/>. But it gives me an error:

"The Following Errors Occurred:

Security Error: to run createPartyRole you must have the
PARTYMGR_ROLE_CREATE or PARTYMGR_ADMIN permission calling service
createPartyRole in createUpdateUser"

Does anyone have this issue too?
Thanks for any help.


Anil Patel wrote:
> 
> In the anon checkout process, when the user enters and saves the Profile
> information, we create a Person (createPerson service) and then add the
> person in the CUSTOMER Role. The process breaks when it tries to set Person
> to the CUSTOMER role.
> 
> Regards
> Anil
> 
> On 3/26/07, David E. Jones <jo...@hotwaxmedia.com> wrote:
>>
>>
>> I'd say that's a really big NO. We don't want the anonymous user to
>> ever have any permissions. Anyone with a browser and an internet
>> connection can create a Party that will be used by the anonymous user.
>>
>> With the anonymous UserLogin the partyId is set in memory and passed
>> around, but NEVER saved to the database. This is used to get around
>> the security constraints on most services in order for things to
>> function.
>>
>> Where are you running into a problem with this? I.e., what is the
>> specific circumstance?
>>
>> -David
>>
>>
>> On Mar 26, 2007, at 2:53 PM, Anil Patel wrote:
>>
>> > Hi, today we started getting the following error while creating a user
>> > in the Anonymous checkout process.
>> >
>> >   - Security Error: to run createPartyRole you must have the
>> >   PARTYMGR_CREATE or PARTYMGR_ADMIN permission calling service
>> > createPartyRole
>> >   in createUpdateUser
>> >
>> > I think we need to add some permissions to the Anonymous user. Do we
>> > even need these services to be protected with a permission check? The
>> > createPerson service is not.
>> >
>> > Please comment so if needed I'll submit a patch for this.
>> >
>> > Regards
>> > Anil
>>
>>
>>
> 
> 
