Issue with Order Management


I am facing this issue on Commerce version 14.24. I am logged in with Auth0 authentication, with the CatalogMangers & CustomerServiceRepresentatives roles assigned to the user in claims. According to the roles, the user is getting access to the Catalog & Order Management tabs. The issue is with Order Management, where I can see blank data.

However, when checking the network tab, I found that one of the API calls is giving an Access Denied error.

API calls which are returning the Access Denied error for the CustomerServiceRepresentatives role:

Cart Tab - https://localhost:44323/csr/api/ColumnSettings/ExtendedColumns?tableName=ShoppingCart

Orders tab - https://localhost:44323/csr/api/ColumnSettings/ExtendedColumns?tableName=PurchaseOrder

Subscription tab - https://localhost:44323/csr/api/ColumnSettings/ExtendedColumns?tableName=PaymentPlan

Also, I noticed that the other "csr/api" APIs work fine for the CustomerServiceRepresentatives role, for example:

https://localhost:44323/csr/api/countries

https://localhost:44323/csr/api/markets

https://localhost:44323/csr/api/shippingMethods

https://localhost:44323/csr/api/orderstatuses

https://localhost:44323/csr/api/shipmentstatuses/

https://localhost:44323/csr/api/extensions

https://localhost:44323/csr/api/customers/iscustomerexisted

https://localhost:44323/csr/api/sites

Note: It works for a user with the Admins role, which means there is some issue with the CustomerServiceRepresentatives role.

Are there any settings required in appsettings, or any code to add in startup.cs, to allow access to all csr/api calls for CustomerServiceRepresentatives or other custom roles?

I guess this csr/api belongs to the Episerver.Commerce.UI.CustomerService package, and we are using version 14.24.0.

#326670
Aug 07, 2024 15:00

Hi,

Unfortunately, all APIs with base path "/csr/api" require the roles "CommerceAdmins, CustomerServiceRepresentatives", except "/csr/api/ColumnSettings/". This "/csr/api/ColumnSettings/" requires the Customers policy. It means a user needs to belong to CustomerManagers as well by default to get full access to Order Management, or you can update CustomerRoles like this:

services.Configure<CommercePolicyOptions>(options =>
    options.CustomersRoles = new string[] { "Administrators", "CommerceAdmins", "CustomerManagers", "YourSomeCustomeRole" });

#326724
Aug 08, 2024 12:18

That works, Binh Nguyen Thi! But the user also got access to the Customers tab, which ideally a user with the CatalogMangers & CustomerServiceRepresentatives roles should not get. Any idea how to fix it without giving access to the Customers tab?

#326726
Aug 08, 2024 12:58

Hi,

I am afraid that there is no other way. The column settings API requires Customer access, which means that if we fix it to allow access to column settings, then the users could access the Customers tab as well. They are using the same Customers authorization policy.

#326727
Aug 08, 2024 13:16
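
The trade-off described in the answers above can be checked before a role change ships by diffing what a user can reach under the old and new policy role lists. This is an added Python model, not Optimizely code and not from any poster: the policy and role names come from the thread, while the default Customers role list (taken from the snippet minus the custom role), the `CsrApi` policy name and the `customers-tab` resource key are assumptions.

```python
# Added model of the authorization described in the thread; not Optimizely code.
from fnmatch import fnmatchcase

# Most specific pattern first: the first match decides which policy applies.
RESOURCE_POLICY = [
    ("/csr/api/ColumnSettings/*", "Customers"),
    ("/csr/api/*", "CsrApi"),          # "CsrApi" is a hypothetical policy name
    ("customers-tab", "Customers"),    # hypothetical key for the Customers UI
]

def default_policies():
    """Role lists per policy (Customers defaults assumed from the snippet)."""
    return {
        "CsrApi": {"CommerceAdmins", "CustomerServiceRepresentatives"},
        "Customers": {"Administrators", "CommerceAdmins", "CustomerManagers"},
    }

def policy_for(resource):
    for pattern, policy in RESOURCE_POLICY:
        if fnmatchcase(resource, pattern):
            return policy
    raise KeyError(resource)

def allowed(resource, user_roles, policies):
    # A policy is satisfied when the user holds at least one of its roles.
    return bool(policies[policy_for(resource)] & set(user_roles))

def grant_customers_role(policies, role):
    """Copy of the policies with `role` added to the Customers policy."""
    after = {name: set(roles) for name, roles in policies.items()}
    after["Customers"].add(role)
    return after

def privilege_diff(user_roles, before, after, resources):
    """Resources the user gains when the policy role lists change."""
    return sorted(r for r in resources
                  if allowed(r, user_roles, after)
                  and not allowed(r, user_roles, before))

RESOURCES = ["/csr/api/ColumnSettings/ExtendedColumns",
             "/csr/api/countries", "customers-tab"]
USER = ["CatalogMangers", "CustomerServiceRepresentatives"]  # as in the question

if __name__ == "__main__":
    before = default_policies()
    after = grant_customers_role(before, "CustomerServiceRepresentatives")
    print(privilege_diff(USER, before, after, RESOURCES))
```

The diff lists both the column settings endpoint and the Customers tab, because the two resources are gated by the same policy and cannot be granted separately through its role list.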