  1. OpenAM
  2. OPENAM-10810

Operations on uma/policies endpoint in the API explorer are performed under the wrong user

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 14.0.0
    • Fix Version/s: None
    • Component/s: API descriptor, XUI

      Description

      Prerequisite
      1) set up UMA, create 2 users: Bob and Alice
      2) register a resource set for Bob (postman)

      Steps to reproduce

      1. CREATE: go to API explorer and try performing Create:
        PUT /users/bob/uma/policies/{resourceId}#1.0_create_put

        Observe 403. This is incorrect behaviour, as this operation should be performed under Bob, not amAdmin, allowing a policy to be created.

      2. UPDATE: go to UI/postman
        1. log in as Bob and share the resource with Alice
        2. go to API explorer and try performing Update:
          PUT /users/bob/uma/policies/{resourceId}#1.0_update

          Observe 200. It gives a false feeling that the operation went well, but if you go to the UI and check Bob's policies, there will be 0 of them. Again, this operation was performed under amAdmin rather than Bob, so the policy still exists, just not under Bob.

        3. try creating a policy under Bob (UI/postman) => it fails
      3. DELETE: no visible problems with that, but worth checking as well

            People

            Assignee: Unassigned
            Reporter: Eugenia Sergueeva (eugenia.sergueeva, inactive)