Uploaded image for project: 'PUBLIC - Liferay Commerce'
  1. PUBLIC - Liferay Commerce
  2. COMMERCE-5338

Order permission indexer not filtering by channel groupId

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.2, Master
    • Fix Version/s: 7.4 CE GA1, Master
    • Component/s: None
    • Labels:
      None

      Description

      The CommerceOrderIndexer is not filtering by channel groupId.

      A user should be able to see only the orders belonging to a channel for which he has permissions.

      Steps to reproduce the issue:

      • Create a site (minium/speedwell);
      • Place an order as admin user;
      • Create a "Order Admin" user (not company admin) and assign it to a role that has all permission related to order (Control panel + Resource)
      • Login with the "Order Admin" user and go to the admin order page

      Expected Result:

      No orders

      Actual Result:

      Caused by: com.liferay.portal.kernel.security.auth.PrincipalException$MustHavePermission: User 41659 must have VIEW permission for com.liferay.commerce.product.model.Commerc
      eChannel 38231

        Attachments

          Activity

            People

            Assignee:
            kristin.onias Kristin Onias
            Reporter:
            riccardo.alberti Riccardo Alberti
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Packages

                Version Package
                7.4 CE GA1
                Master