PUBLIC - Liferay Commerce: COMMERCE-5492

Able to access PunchOut2Go login when Punch Out role is not assigned



      Test Sheet

      Steps to Reproduce
      1. In portal-ext.properties, add redirect.url.security.mode=domain and redirect.url.domains.allowed=localhost,.lfr.cloud,.punchout2go.com
      2. Start up 7.3.x portal
      3. Place the PO2G.lpkg in the deploy folder
      4. Reindex (Control Panel → Search → Index → Reindex all search indexes)
      5. Create a site (Control Panel → Site → Create new site → Minium Site → Name site "Test Minium Site")
      6. Navigate to the site (Commerce → Channels → Click PunchOut tab → Enable Punchout2Go → Enter URL as "http://localhost:8080/group/test-minium-site")
      7. Enable Punchout2Go (Control Panel → System Settings → API Authentication → Punchout Access Token Auto Login → set Enabled to true)

      Configure PO2G
      1. Control Panel → Configuration → OAuth 2 → Punchout Access Token Provider Configuration → Verify Access Token Duration is 15 seconds and Access Token Size is 8 bytes
      2. Control Panel → OAuth2 Administration → Select PunchOut account → add OAuth for Punchout2Go → Set Callback URI to "http://localhost:8080/" → Set Client Profile to Headless Server → Click Scopes Tab → Check all that boxes in the dropdowns that contain "Commerce" in them
      3. Generate an access token: run the command below in a terminal from the portal directory. Copy the client id and secret from the OAuth2 credentials of the application created in the previous step and substitute them into the command: curl http://localhost:8080/o/oauth2/token -d 'grant_type=client_credentials&client_id=id-2a343dbc-11ec-de1a-0d98-83d8c519ac3&client_secret=secret-62cacabd-9437-d01c-6163-5f694bf28d1'

      Test Steps (using Postman)
      1. Create an account - Run POST http://localhost:8080/o/headless-commerce-admin-account/v1.0/accounts
      2. Run POST http://localhost:8080/o/headless-commerce-punchout/v1.0/punchout/session/request with "create" type in the body
      3. Add two items to your cart
      4. Go to http://localhost:8080/o/api and, under CartItem → GET /v1.0/carts/{cartId}/items, click Try it out → update cartId with your cartId → Execute
      5. In your POST http://localhost:8080/o/headless-commerce-punchout/v1.0/punchout/session/request, edit the JSON body so it contains your cartId and the correct ids/skuIds for the items in your cart (taken from the previous step), then run the POST
      6. Open the PunchOutStartURL in a different browser (e.g., if you were testing in Chrome, open it in Firefox or Safari). Check whether the quantities of your cart items changed according to the request.
      7. In the original browser you did the setup in, click Control Panel → Roles → Site Roles → Verify the Punch Out role is there → Click Punch Out → Define Permissions → Verify the "Check Out Open Orders" and "View Open Orders" permissions are there
      8. In the same browser, click Control Panel → Users and Organizations → PunchOut Middle User → Roles → Verify the user is not assigned to any roles.
      9. Go back to the browser where the PunchOutStartURL is open, press the cart button and then press the "Submit" button. The user is redirected to the PunchOut2Go login page.

      Expected Result
      The user will not be able to access the PunchOut2Go login page since the Punch Out role is not assigned.
      Actual Result
      As shown in the GIF below, the user is able to access the PunchOut2Go login page even though the Punch Out role is not assigned to the user.
      Reproduced on:
      Tomcat 9.0.37 + MySQL 5.7
      Portal 7.3.x GIT ID: 46e28015bb20173dc516edc19adbf283ec090754




            riccardo.alberti Riccardo Alberti
            brittney.nguyen Brittney Nguyen