Cyclos 4.13 error for POST /{user}/orders

Post by jakob.schumann »

POSTing to the new REST endpoint /{user}/orders fails with the following exception:

2020-07-02T15:34:02.058+02:00   ERROR   Webdienste      <<IP>>  Website <<domain>> OrderService    submitToBuyer   {"deliveryMethodName":"kein Versand nötig","seller":"klima_projekt_2","products":[{"product":1,"quantity":"17"}],"status":"PENDING_BUYER","currency":"climate_bonus","deliveryPrice":"0","deliveryAddress":{"city":"DD","zip":"01099","buildingNumber":"12","country":"DE","street":"Weg"},"maxDeliveryTime":{"amount":1,"field":"DAYS"},"sale":true,"buyer":9}                361ms
org.cyclos.model.EntityNotFoundException: Order, id=-2467653671196509904
        at org.cyclos.impl.utils.persistence.EntityManagerHandlerImpl.doCheckAccess(EntityManagerHandlerImpl.java:424)
        at org.cyclos.impl.utils.persistence.EntityManagerHandlerImpl.checkAccess(EntityManagerHandlerImpl.java:156)
        at org.cyclos.impl.utils.persistence.EntityManagerHandlerImpl.find(EntityManagerHandlerImpl.java:170)
        at org.cyclos.impl.AbstractServerComponent.find(AbstractServerComponent.java:118)
        at org.cyclos.impl.CRUDServiceImpl.find(CRUDServiceImpl.java:185)
        at org.cyclos.impl.marketplace.OrderServiceImpl.submitToBuyer(OrderServiceImpl.java:943)
        at org.cyclos.security.marketplace.OrderServiceSecurity.submitToBuyer(OrderServiceSecurity.java:293)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.cyclos.impl.ServiceInvokerHandlerImpl$ServiceInvocationTransactionCallback.performInvocation(ServiceInvokerHandlerImpl.java:287)
        at org.cyclos.impl.ServiceInvokerHandlerImpl$ServiceInvocationTransactionCallback.lambda$0(ServiceInvokerHandlerImpl.java:217)
        at org.cyclos.impl.InvokerHandlerImpl.runAs(InvokerHandlerImpl.java:109)
        at org.cyclos.impl.ServiceInvokerHandlerImpl$ServiceInvocationTransactionCallback.doInTransaction(ServiceInvokerHandlerImpl.java:217)
        at org.cyclos.impl.ServiceInvokerHandlerImpl$ServiceInvocationTransactionCallback.doInTransaction(ServiceInvokerHandlerImpl.java:1)
        at org.cyclos.impl.utils.transaction.TransactionHandlerImpl.runEnsuringInvocationContext(TransactionHandlerImpl.java:190)
        at org.cyclos.impl.utils.transaction.TransactionHandlerImpl.doRun(TransactionHandlerImpl.java:107)
        at org.cyclos.impl.utils.transaction.TransactionHandlerImpl.run(TransactionHandlerImpl.java:162)
        at org.cyclos.impl.utils.transaction.TransactionHandlerImpl.run(TransactionHandlerImpl.java:85)
        at jdk.internal.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:205)
        at com.sun.proxy.$Proxy33.run(Unknown Source)
        at org.cyclos.impl.InvokerHandlerImpl.performInTransaction(InvokerHandlerImpl.java:245)
        at org.cyclos.impl.InvokerHandlerImpl.doRunAsInTransaction(InvokerHandlerImpl.java:188)
        at org.cyclos.impl.InvokerHandlerImpl.runAsInTransaction(InvokerHandlerImpl.java:168)
        at org.cyclos.impl.ServiceInvokerHandlerImpl.doInvoke(ServiceInvokerHandlerImpl.java:801)
        at org.cyclos.impl.ServiceInvokerHandlerImpl.invoke(ServiceInvokerHandlerImpl.java:628)
        at org.cyclos.impl.access.ServiceFacadeImpl.lambda$2(ServiceFacadeImpl.java:173)
        at org.cyclos.impl.access.ServiceFacadeImpl.runInRequestContext(ServiceFacadeImpl.java:597)
        at org.cyclos.impl.access.ServiceFacadeImpl.invoke(ServiceFacadeImpl.java:171)
        at org.cyclos.server.spring.root.RequestServiceFactory$ServiceProxyInvocationHandler.invoke(RequestServiceFactory.java:74)
        at com.sun.proxy.$Proxy180.submitToBuyer(Unknown Source)
        at org.cyclos.server.rest.api.OrdersApiImpl.saveAsDraftOrSendToBuyer(OrdersApiImpl.java:201)
        at org.cyclos.server.rest.api.OrdersApiImpl.createOrder(OrdersApiImpl.java:102)
        at org.cyclos.server.rest.api.OrdersApi.createOrder(OrdersApi.java:125)
        at jdk.internal.reflect.GeneratedMethodAccessor5935.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:879)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:793)
        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.cyclos.server.spring.root.WebServicesGzipFilter.doFilterInternal(WebServicesGzipFilter.java:57)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.cyclos.server.http.CORSFilter.doFilterInternal(CORSFilter.java:67)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:113)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:64)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:712)
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:459)
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:384)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:312)
        at org.cyclos.server.http.RequestDataFilter.doFilterInternal(RequestDataFilter.java:208)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.cyclos.server.http.RequestContextFilter.doFilterInternal(RequestContextFilter.java:52)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:688)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:834)

The [masked] ID changes with each request, so it really seems to be the autoincrement ID of a generated order, but why can't Cyclos find it?
(Same problem as described in viewtopic.php?f=14&t=3757)

Seller, buyer & product exist; no 422 errors from invalid parameters are returned.

Do the calls to checkAccess/doCheckAccess mean the current API user can create an order but not view it afterwards? If yes, shouldn't the result be a 403 permission denied? Which permissions would be required to create orders for a third party?

Thanks in advance,
JS

Post by rleon »

Hi, we can't reproduce your issue.

Are you submitting the request logged as the seller?
Does the seller have the permission 'Enable web shop ads'?
Does the buyer have the permission 'View web shop'?
Are the seller and buyer visible to each other?

Post by jakob.schumann »

Thanks for your reply, here are the details:
Are you submitting the request logged as the seller?
No, not as buyer or seller but as a third party.
Does the seller have the permission 'Enable web shop ads'?
Yes
Does the buyer have the permission 'View web shop'?
Yes
Are the seller and buyer visible to each other?
Yes

The admin/third party user has the following settings regarding web shops:

User data
    Advertisements
      View
    Web shop
      Manage
    User webshop settings
      View
    User webshop purchases
      Yes
    User webshop sales
      Yes

Edit:
I see now it is probably not possible with this endpoint, I just read that part of the documentation: "the user given in the path must resolve to the authenticated user".

So how can I create an order as a third party? The shopping cart endpoints have the same "problem" as they require the buyer to be logged in: "Checks out the given shopping cart associated to the authenticated user"

We don't want to give either sellers or buyers access to the web services channel, and we also don't want to assign each and every user (sellers & buyers) the same admin user as broker.

We want something like Delivery Hero: a website where users can select a product (web shop ad), authenticate with their Cyclos credentials (possible via the POST /sessions endpoint, as it doesn't require web services access for the users) and then create an order for the product (and finally confirm the order to trigger the payment). Like Delivery Hero creates an order at my selected restaurant in my name.

Post by admin_de2 »

Hi dears,

According to our latest call, the endpoint /{user}/orders should behave in a straightforward way:
- Either returning an error when accessing someone's data that I'm not allowed to, already when trying to create it by POST
- Or returning the order I posted successfully, without an exception

The exception does not seem to be the intended behavior here.

Can you confirm it's a bug, please?

Thank you, Thomas

Post by alexandre »

Hi,

There is no support for this operation.
To create a sale the logged user must be the seller.
So you need to execute the api calls authenticated as the seller.

Regards
Alexandre Caurrinhos
Cyclos development team.

Post by jakob.schumann »

Ok, understood, it is not possible to use this endpoint for us.

Still it is a bug:

Expected result: 403 Access denied, with a permission error message

Current result: an exception is thrown, user receives a 404 with response "{"entityType":"Order","key":"-2467653671196515792"}"

Cyclos shouldn't try to modify the database when there is no permission to use the endpoint with that user, but currently it messes up the order autoincrements.

SELECT * FROM ad_orders, notice the missing autoincrement IDs, 1-13 are missing because these are the failed requests via the API, 14 is a manual order from the web frontend, 15+16 are missing again (2 failed API calls), 17 again is a manual order:

14,2020-07-10 10:21:30.791+02,f,,,2020-07-10 10:21:30.791+02,00014,,f,f,PENDING_SELLER,t,128.00,2020-07-10 10:21:30.791+02,5,1,DAYS,,,9,9,1,1,2,10
17,2020-07-10 10:28:51.63+02,f,kein Versand nötig,0.00,2020-07-10 10:28:51.63+02,00017,,f,f,PENDING_SELLER,t,321.60,2020-07-10 10:28:51.63+02,6,1,DAYS,,,9,9,1,1,2,12
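
The ordering problem raised in the post above (a caller who is not the seller gets a 404 instead of a 403, and an order ID is still consumed), modelled as an added example that is not Cyclos code and not part of the original thread. `OrderStore`, the handler names, the `admin` caller and the 201 success status are hypothetical; the seller name `klima_projekt_2` and the 403/404 statuses come from the thread.

```python
import itertools

class ApiError(Exception):
    def __init__(self, status, body):
        super().__init__(body)
        self.status = status

class OrderStore:
    """Hypothetical stand-in for ad_orders. Like a database sequence,
    the ID counter is not rewound when a request fails."""
    def __init__(self):
        self._seq = itertools.count(1)
        self.last_id = 0
        self.rows = {}

    def next_id(self):
        self.last_id = next(self._seq)
        return self.last_id

def create_then_check(store, auth_user, path_user, order):
    """Models the reported outcome: an ID is allocated, then the row is
    read back through an access check that hides it from a non-owner."""
    oid = store.next_id()                      # ID consumed before any check
    row = dict(order, id=oid, seller=path_user)
    if auth_user != row["seller"]:             # check runs on the re-read
        raise ApiError(404, {"entityType": "Order", "key": oid})
    store.rows[oid] = row
    return oid

def check_then_create(store, auth_user, path_user, order):
    """Hardened order: authorize the caller first, touch storage second."""
    if auth_user != path_user:
        raise ApiError(403, "user in path must resolve to the authenticated user")
    oid = store.next_id()
    store.rows[oid] = dict(order, id=oid, seller=path_user)
    return oid

def replay(handler):
    """Two third-party calls, then one by the seller (constructed input).
    Returns the HTTP statuses and the IDs missing from the table."""
    store, statuses = OrderStore(), []
    for caller in ["admin", "admin", "klima_projekt_2"]:
        try:
            handler(store, caller, "klima_projekt_2", {"buyer": 9})
            statuses.append(201)
        except ApiError as err:
            statuses.append(err.status)
    gaps = [i for i in range(1, store.last_id + 1) if i not in store.rows]
    return statuses, gaps

if __name__ == "__main__":
    print(replay(create_then_check))
    print(replay(check_then_create))
```

With the check placed first, the rejected calls leave no trace in the ID sequence and the caller learns it is a permission problem rather than a missing entity.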

Post by alexandre »

Ok,

Thanks for informing us; we will improve it in the next version.

Regards
Alexandre Caurrinhos
Cyclos development team.
