  1. OpenIDM
  2. OPENIDM-11878

Creation of Internal Role with empty name via REST for mysql repo should not be allowed

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 6.5.0
    • Fix Version/s: None
    • Component/s: Module - Authorization
    • Labels:
    • Environment:
       OpenIDM version "6.5.0-SNAPSHOT" (build: 20181010215532, revision: f82b647) jenkins-OpenIDM-build-master-597
      mysql-connector-java-5.1.34

      Description

      For mysql repo I am able to create an Internal Role with empty name using POST/PUT requests. This should not be allowed.

      Please note that this option is not allowed in admin UI. Also this validation (constraints) works with DJ.

      Steps to reproduce:

      1. Set up IDM with mysql repo
      2. Execute REST requests
        curl -X POST \
          'http://localhost:8080/openidm/internal/role?_action=create' \
          -H 'Cache-Control: no-cache' \
          -H 'Content-Type: application/json' \
          -H 'X-OpenIDM-Password: openidm-admin' \
          -H 'X-OpenIDM-Username: openidm-admin' \
          -d '{"name":"","description":"desc desc"}'
        
        curl -X PUT \
          http://localhost:8080/openidm/internal/role/postman-role \
          -H 'Cache-Control: no-cache' \
          -H 'Content-Type: application/json' \
          -H 'X-OpenIDM-Password: openidm-admin' \
          -H 'X-OpenIDM-Username: openidm-admin' \
          -d '{"name":"","description":"desc desc"}'

      Expected result: Request fails with 400 error code as empty name is not allowed.

      {
          "code": 400,
          "reason": "Bad Request",
          "message": "Invalid Attribute Syntax: Entry \"cn=postman-role,ou=roles,ou=internal,dc=openidm,dc=forgerock,dc=com\" contains a value \"\" for attribute fr-idm-name that is invalid according to the syntax for that attribute: The operation attempted to assign a zero-length value to an attribute with the directory string syntax"
      }
      

      Actual result: Request passes with 201 code

            People

            Assignee:
            brmiller Brendan Miller
            Reporter:
            alexander.dracka Alexander Dracka
            QA Assignee:
            Alexander Dracka Alexander Dracka