-
Commerce Order successfully created a through the storefront and has View access to it (because of Author Permission), but receives a 403 Forbidden error when attempting to update order information’s of their own order. This happens because Liferay Commerce does not seem to support order-level permissions, meaning there is no way to grant a specific user the ability to act on their own individual order. How can we grant the author/owner permission to update the order info of only their own specific order without over-provisioning access across all orders?
-
The Seller Acceptance Workflow is successfully configured at the channel level, and when an customer places an order it correctly enters a pending approval state. However, the assigned reviewer is unable to view that specific order because Liferay Commerce does not seem to support order-level permissions, leaving no way to grant visibility on a single order instance to a specific reviewer without over-provisioning access across all orders. How can we assign view permission on that specific order to the designated reviewer so the approval workflow can function as intended?
Both problems root down to the same gap: Order-level permissions, so how can we control access on a specific order for a specific user without broadening permissions across all orders?
What is the Liferay version ?
– Ahmad_QasemLiferay 2026.Q1.3 : The single order endpoint works correctly when an orderId is provided: GET /o/headless-commerce-delivery-order/v1.0/placed-orders/{orderId}However, the channel-level endpoint to retrieve all orders does not work: GET /o/headless-commerce-delivery-order/v1.0/channels/{channelId}/placed-orders. The pattern is consistent, any endpoint that does not require an orderId parameter fails, while endpoints that include a specific orderId respond correctly.
– Jay_Vanpariya1679