[OPENIDM-15086] Using POST "_action=patch&_queryId=for-userName" succeeds despite read-only flag - ForgeRock JIRA

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 6.5.0.2
Fix Version/s: 7.2.0, 2021.6, 2021.9
Component/s: Performance
Labels:
Environment:
6.5.0.2

Target Version/s:

7.2.0
Verified Version/s:

7.2.0, 2021.6, 2021.9
Story Points:
2
Sprint:
IDM - 2021.5, IDM - 2021.6
Support Ticket IDs:
Zendesk ID:
50491
Season:
2021.Fall
Support Ticket ID:

Description

Steps to reproduce:

Create an internal role, with readOnly set to true on attribute "description":

{
    "_id": "support",
    "_rev": "0000000049cdfdf3",
    "name": "support",
    "description": "Support Role",
    "temporalConstraints": null,
    "condition": null,
    "privileges": [
        {
            "name": "support",
            "description": "Support access to user information.",
            "path": "managed/user",
            "permissions": [
                "VIEW",
                "UPDATE",
                "CREATE",
                "DELETE",
                "ACTION"
            ],
            "actions": [
                "create",
                "patch"
            ],
            "filter": "/userName sw \"test1\"",
            "accessFlags": [
                {
                    "attribute": "userName",
                    "readOnly": false
                },
                {
                    "attribute": "mail",
                    "readOnly": false
                },
                {
                    "attribute": "givenName",
                    "readOnly": false
                },
                {
                    "attribute": "sn",
                    "readOnly": false
                },
                {
                    "attribute": "accountStatus",
                    "readOnly": false
                },
                {
                    "attribute": "myArray",
                    "readOnly": false
                },
                {
                    "attribute": "
description
",
                    "readOnly":
true

                }
            ]
        }
    ]
}

PATCH the description attribute fails:

curl --request PATCH 'http://localhost:8080/openidm/managed/user/bcc8b45f-36cb-4443-8a03-a07db01f9c05' \
--header 'x-openidm-username: manager1' \
--header 'x-openidm-password: Welcome1' \
--header 'Content-Type: application/json' \
--data '[{
  "operation":"replace",
  "field":"description",
  "value":"test7"
  }]'

Results:

{
    "code": 403,
    "reason": "Forbidden",
    "message": "No matching privileges found",
    "detail": {
        "failedPrivilegeRequirements": [
            [
                {
                    "property": "description",
                    "error": "No attribute level access"
                }
            ]
        ]
    }
}

But when we use a POST _action=patch it succeeds.

curl --request POST 'http://localhost:8080/openidm/managed/user?_action=patch&_queryId=for-userName&uid=test1' \
--header 'x-openidm-username: manager1' \
--header 'x-openidm-password: Welcome1' \
--header 'Content-Type: application/json' \
--data '[{
  "operation":"replace",
  "field":"description",
  "value":"test9"
  }]'

and updates the description field.

Attachments

Activity

People

Assignee:: Kyle Voos

Reporter:: Jesse Ontiveros

QA Assignee:: Garyl Erickson

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2020-06-30 9:56 PM

Updated:: 2021-11-01 7:07 PM

Resolved:: 2021-05-19 3:02 PM