  1. OpenIDM
  2. OPENIDM-13650

Missing Privilege on an object path should default access to alwaysFalse().

    Details

    • Story Points:
      3
    • Sprint:
      2019.12 - IDM, 2019.13 - IDM

      Description

      If no privilege is defined for an object type, then the default filter/access should be alwaysFalse.
      This has implications when a Delegated Admin (DA) user is creating a new user: the DA would also need privileges to read the 'internal/usermeta' object type.

      This was discovered while working on OPENIDM-11773, which is adding JDBC relationship support to DA.

      Change `PrivilegeContext`

          public QueryFilter<JsonPointer> getCombinedPrivilegeFiltersByPath(String privilegePathKey) {
              return Optional.ofNullable(combinedPrivilegeFilters.get(privilegePathKey))
                      .orElse(QueryFilter.alwaysTrue());
          }
      

      Change it to return `alwaysFalse()` instead of `alwaysTrue()`, and then run the pyforge delegated admin tests to see the failures.
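
The effect of the default, as an added example that is not OpenIDM code: the hypothetical class below stands in for `PrivilegeContext`, with `Predicate<Map<String, Object>>` in place of `QueryFilter<JsonPointer>`, and the request and privilege filters are constructed for illustration. It shows why a DA who holds only a `managed/user` privilege passes under `alwaysTrue()` but is denied under `alwaysFalse()` until a privilege on `internal/usermeta` is granted.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;

// Hypothetical stand-in for PrivilegeContext: Predicate<Map<String, Object>>
// plays the role of QueryFilter<JsonPointer>. Not OpenIDM code.
public class PrivilegeDefaultDemo {
    private final Map<String, Predicate<Map<String, Object>>> filters = new LinkedHashMap<>();
    private final boolean failClosed;

    PrivilegeDefaultDemo(boolean failClosed) {
        this.failClosed = failClosed;
    }

    PrivilegeDefaultDemo grant(String path, Predicate<Map<String, Object>> filter) {
        filters.put(path, filter);
        return this;
    }

    // Path with no privilege: alwaysFalse when failClosed, alwaysTrue otherwise.
    Predicate<Map<String, Object>> filterFor(String path) {
        Predicate<Map<String, Object>> fallback = obj -> !failClosed;
        return filters.getOrDefault(path, fallback);
    }

    // A request passes only if every object path it touches passes its filter.
    boolean allowed(Map<String, Map<String, Object>> touched) {
        return touched.entrySet().stream()
                .allMatch(e -> filterFor(e.getKey()).test(e.getValue()));
    }

    public static void main(String[] args) {
        // Constructed request: a DA creates a user, which also reads internal/usermeta.
        Map<String, Map<String, Object>> createUser = new LinkedHashMap<>();
        createUser.put("managed/user", Map.of("userName", "constructed-user", "org", "sales"));
        createUser.put("internal/usermeta", Map.of("note", "constructed"));

        Predicate<Map<String, Object>> salesOnly = u -> "sales".equals(u.get("org"));
        Predicate<Map<String, Object>> any = m -> true;

        System.out.println("fail-open, user privilege only:     "
                + new PrivilegeDefaultDemo(false).grant("managed/user", salesOnly).allowed(createUser));
        System.out.println("fail-closed, user privilege only:   "
                + new PrivilegeDefaultDemo(true).grant("managed/user", salesOnly).allowed(createUser));
        System.out.println("fail-closed, usermeta also granted: "
                + new PrivilegeDefaultDemo(true).grant("managed/user", salesOnly)
                        .grant("internal/usermeta", any).allowed(createUser));
    }
}
```
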

      Test instruction
      `env={TESTING_SCOPE: '--include delegated_admin', OPENIDM_REPO_TYPE: 'postgres'}`

              People

              • Assignee:
                katie.gonzalez Katie Gonzalez
                Reporter:
                jason.vincent jason vincent
                QA Assignee:
                Alexander Dracka