OPENIDM-15086

Using POST "_action=patch&_queryId=for-userName" succeeds despite read-only flag


    Details

    • 2
    • IDM - 2021.5, IDM - 2021.6
    • 50491
    • 2021.Fall

      Description

      Steps to reproduce:

      Create an internal role, with readOnly set to true on attribute "description":

      {
          "_id": "support",
          "_rev": "0000000049cdfdf3",
          "name": "support",
          "description": "Support Role",
          "temporalConstraints": null,
          "condition": null,
          "privileges": [
              {
                  "name": "support",
                  "description": "Support access to user information.",
                  "path": "managed/user",
                  "permissions": [
                      "VIEW",
                      "UPDATE",
                      "CREATE",
                      "DELETE",
                      "ACTION"
                  ],
                  "actions": [
                      "create",
                      "patch"
                  ],
                  "filter": "/userName sw \"test1\"",
                  "accessFlags": [
                      {
                          "attribute": "userName",
                          "readOnly": false
                      },
                      {
                          "attribute": "mail",
                          "readOnly": false
                      },
                      {
                          "attribute": "givenName",
                          "readOnly": false
                      },
                      {
                          "attribute": "sn",
                          "readOnly": false
                      },
                      {
                          "attribute": "accountStatus",
                          "readOnly": false
                      },
                      {
                          "attribute": "myArray",
                          "readOnly": false
                      },
                      {
                          "attribute": "description",
                          "readOnly": true
                      }
                  ]
              }
          ]
      }


      A direct PATCH of the description attribute fails:

      curl --request PATCH 'http://localhost:8080/openidm/managed/user/bcc8b45f-36cb-4443-8a03-a07db01f9c05' \
      --header 'x-openidm-username: manager1' \
      --header 'x-openidm-password: Welcome1' \
      --header 'Content-Type: application/json' \
      --data '[{
        "operation":"replace",
        "field":"description",
        "value":"test7"
        }]'

      Results:

      {
          "code": 403,
          "reason": "Forbidden",
          "message": "No matching privileges found",
          "detail": {
              "failedPrivilegeRequirements": [
                  [
                      {
                          "property": "description",
                          "error": "No attribute level access"
                      }
                  ]
              ]
          }
      }


      But when we use a POST with _action=patch it succeeds.

      curl --request POST 'http://localhost:8080/openidm/managed/user?_action=patch&_queryId=for-userName&uid=test1' \
      --header 'x-openidm-username: manager1' \
      --header 'x-openidm-password: Welcome1' \
      --header 'Content-Type: application/json' \
      --data '[{
        "operation":"replace",
        "field":"description",
        "value":"test9"
        }]'

      and updates the description field.

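As an added illustration (not OpenIDM code, and not the project's fix), the check below applies the role's accessFlags to a patch body and returns the same failedPrivilegeRequirements shape as the 403 above, so that a direct PATCH and a POST with _action=patch go through one attribute-level check. PRIVILEGE is a constructed subset of the "support" role from the report, and the mapping of PATCH to the UPDATE permission and of _action=patch to the ACTION permission plus the "patch" action is an assumption.

```python
# Added example, not OpenIDM code: a single attribute-level access check applied on both
# routes, so POST ?_action=patch honours the same readOnly flags as a direct PATCH.
# PRIVILEGE is a constructed subset of the report's "support" role; the mapping
# PATCH -> UPDATE and POST ?_action=patch -> ACTION + "patch" is an assumption.

PRIVILEGE = {
    "path": "managed/user",
    "permissions": ["VIEW", "UPDATE", "CREATE", "DELETE", "ACTION"],
    "actions": ["create", "patch"],
    "accessFlags": [
        {"attribute": "userName", "readOnly": False},
        {"attribute": "mail", "readOnly": False},
        {"attribute": "description", "readOnly": True},
    ],
}

def writable_attributes(privilege):
    """Attributes the privilege lets the caller write (flag present and readOnly false)."""
    return {f["attribute"] for f in privilege["accessFlags"] if not f.get("readOnly", False)}

def failed_requirements(privilege, patch_ops):
    """Build the failedPrivilegeRequirements entries seen in the report's 403 response.
    Any patch operation writes its target field, so a readOnly or unlisted field fails."""
    allowed = writable_attributes(privilege)
    failures = []
    for op in patch_ops:
        # Field may be a JSON pointer ("/description") or a bare name; check the top-level attribute
        prop = op["field"].lstrip("/").split("/")[0]
        if prop not in allowed:
            failures.append({"property": prop, "error": "No attribute level access"})
    return failures

def authorize(privilege, method, action, patch_ops):
    """Resource-level permission check, then the attribute-level check, on either route."""
    if method == "PATCH":
        permitted = "UPDATE" in privilege["permissions"]
    elif method == "POST" and action == "patch":
        permitted = "ACTION" in privilege["permissions"] and "patch" in privilege["actions"]
    else:
        permitted = False
    if not permitted:
        return {"code": 403, "reason": "Forbidden", "message": "No matching privileges found"}
    failures = failed_requirements(privilege, patch_ops)
    if failures:
        return {"code": 403, "reason": "Forbidden", "message": "No matching privileges found",
                "detail": {"failedPrivilegeRequirements": [failures]}}
    return {"code": 200, "patched": [op["field"] for op in patch_ops]}
```

With this, the two curl requests from the report yield the same 403 for "description", while a patch of a writable attribute such as "mail" is allowed on both routes.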

            People

            kyle.voos Kyle Voos
            jesse.ontiveros Jesse Ontiveros