Posted to user@ofbiz.apache.org by Alexander1893 <al...@familie-schweizer.net> on 2009/12/16 19:41:29 UTC

Permissions for services "called by the user" in the frontend

Hi all,

I have a general question about permissions:

If I want to call a service I need to have the right permission - which is
absolutely correct for security reasons.

I have to call several existing services depending on the actions a user
makes in the store frontend - e.g.:
> a customer can "load" his finaccount by a creditcard payment
> he enters his cc-data and (if the payment provider returns a positive
> result) I want to charge the finaccount with this amount.

When I call the corresponding finAccount-Service for charging, the permission
is checked and the roles that are considered are the roles of the logged-in
customer. As the customer does not have the necessary role, the call returns an
error.

I see the following possibilities:
> I can give the necessary roles to each customer - but I don't know what
> security impacts this would have
> I could call the service "using another person who has the role" - but I
> don't know how to do this.

So my question is:
What is the best way to call this kind of service without any security
impacts?

Thanks in advance & sorry (I don't know the role concept of OFBiz that well
at the moment)
Alexander