- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 7.0.0
- Fix Version/s: 7.0.0
- Component/s: Module - Authorization, Module - Relationships, Module - Repository JDBC
- Labels:

If no privilege is defined for an object type, then the default filter/access should be alwaysFalse.
This has implications when a Delegated Admin (DA) user is creating a new user. The DA would also need privs to read the 'internal/usermeta' object type.
This was discovered while working on OPENIDM-11773, which is adding JDBC relationship support to DA.
Change `PrivilegeContext`

```java
public QueryFilter<JsonPointer> getCombinedPrivilegeFiltersByPath(String privilegePathKey) {
    return Optional.ofNullable(combinedPrivilegeFilters.get(privilegePathKey))
            .orElse(QueryFilter.alwaysTrue());
}
```

to return `alwaysFalse()` instead of `alwaysTrue()`, and then run the pyforge delegated admin tests to see the failures.

Test instruction: `env={TESTING_SCOPE: '--include delegated_admin', OPENIDM_REPO_TYPE: 'postgres'}`
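
The effect of the fallback on a path that has no privilege, as an added example that is not OpenIDM code: `Predicate<Map<String, Object>>` stands in for `QueryFilter<JsonPointer>`, and the class name, the `department` filter and the sample objects are constructed for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.Predicate;

// Added illustration: Predicate<Map<String, Object>> stands in for QueryFilter<JsonPointer>.
public class DefaultFilterDemo {
    // Stand-ins for QueryFilter.alwaysTrue() and QueryFilter.alwaysFalse().
    static final Predicate<Map<String, Object>> ALWAYS_TRUE = o -> true;
    static final Predicate<Map<String, Object>> ALWAYS_FALSE = o -> false;

    // Constructed privilege set for a delegated admin: one filter, on managed/user only.
    static final Map<String, Predicate<Map<String, Object>>> COMBINED_FILTERS = Map.of(
            "managed/user", o -> "sales".equals(o.get("department")));

    // Same lookup shape as getCombinedPrivilegeFiltersByPath, with the fallback made explicit.
    static Predicate<Map<String, Object>> filterFor(String path,
            Predicate<Map<String, Object>> fallback) {
        return Optional.ofNullable(COMBINED_FILTERS.get(path)).orElse(fallback);
    }

    // Number of objects at the given path that pass the caller's effective filter.
    static long visible(String path, List<Map<String, Object>> objects,
            Predicate<Map<String, Object>> fallback) {
        return objects.stream().filter(filterFor(path, fallback)).count();
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Map<String, Object>> users = List.of(
                Map.of("userName", "alice", "department", "sales"),
                Map.of("userName", "bob", "department", "finance"));
        List<Map<String, Object>> userMeta = List.of(
                Map.of("_id", "m1", "createDate", "2019-01-01"),
                Map.of("_id", "m2", "createDate", "2019-01-02"));

        // Path with a privilege: the privilege filter applies and the fallback is never consulted.
        System.out.println("managed/user, allow fallback: " + visible("managed/user", users, ALWAYS_TRUE));
        System.out.println("managed/user, deny fallback:  " + visible("managed/user", users, ALWAYS_FALSE));
        // Path with no privilege: the allow fallback passes every object, the deny fallback passes none.
        System.out.println("internal/usermeta, allow fallback: " + visible("internal/usermeta", userMeta, ALWAYS_TRUE));
        System.out.println("internal/usermeta, deny fallback:  " + visible("internal/usermeta", userMeta, ALWAYS_FALSE));
    }
}
```

With the deny fallback, the delegated admin in this model reads nothing from `internal/usermeta` until a privilege for that path is added to the map, which is the extra privilege the description says user creation needs.
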

- depends on
  - OPENIDM-13665 PrivilegeContext should only set combined query filters by path once. (Closed)
  - OPENIDM-11773 Add privilege filtering to managed object relationship expansions - origin is a vertex (Closed)
  - OPENIDM-13732 Investigate options for retrieving/configuring internal system relationships (Closed)
- is related to
  - OPENIDM-13689 Test corrections for JDBC field expansion with privilege filters (Closed)
- is required by
  - OPENIDM-13771 Update/add tests for missing privilege on an object path (Closed)