Uploaded image for project: 'OpenIDM'
  1. OpenIDM
  2. OPENIDM-13650

Missing Privilege on an object path should default access to alwaysFalse().

    XMLWordPrintable

    Details

    • Target Version/s:
    • Verified Version/s:
    • Story Points:
      3
    • Sprint:
      2019.12 - IDM, 2019.13 - IDM

      Description

      If no privilege is defined for an object type, then the default filter/access should be alwaysFalse.
      This has implications when a Delegated Admin (DA) user is creating a new user. The DA would also need privs to read the 'internal/usermeta' object type.

      This was discovered while working on OPENIDM-11773, which is adding JDBC relationship support to DA.

      Change `PrivilegeContext`

          public QueryFilter<JsonPointer> getCombinedPrivilegeFiltersByPath(String privilegePathKey) {
        return Optional.ofNullable(combinedPrivilegeFilters.get(privilegePathKey))
                .orElse(QueryFilter.alwaysTrue());
    }

      To return `alwaysFalse()` instead of `alwaysTrue()`, and then run the pyforge delegated admin tests to see the failures.

      Test instruction
env={TESTING_SCOPE: '--include delegated_admin', OPENIDM_REPO_TYPE: 'postgres'}`

        Attachments

          Issue Links

          depends on

          Bug - A problem which impairs or prevents the functions of the product. OPENIDM-13665 PrivilegeContext should only set combined query filters by path once.

          • Major - Major loss of function.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. OPENIDM-11773 Add privilege filtering to managed object relationship expansions - origin is a vertex

          • Major - Major loss of function.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. OPENIDM-13732 Investigate options for retrieving/configuring internal system relationships

          • Major - Major loss of function.
          • Closed
          is related to

          QA Task - A task which needs to be performed by QA OPENIDM-13689 Test corrections for JDBC field expansion with privilege filters

          • Major - Major loss of function.
          • Closed
          is required by

          QA Task - A task which needs to be performed by QA OPENIDM-13771 Update/add tests for missing privilege on an object path

          • Major - Major loss of function.
          • Closed

            Activity

              People

              Assignee:
              katie.gonzalez Katie Gonzalez
              Reporter:
              jason.vincent jason vincent
              QA Assignee:
              Alexander Dracka Alexander Dracka
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: