Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
6.5.0.2
-
6.5.0.2
-
2
-
IDM - 2021.5, IDM - 2021.6
-
-
50491
-
2021.Fall
-
Description
Steps to reproduce:
Create an internal role, with readOnly set to true on attribute "description":
{
"_id": "support",
"_rev": "0000000049cdfdf3",
"name": "support",
"description": "Support Role",
"temporalConstraints": null,
"condition": null,
"privileges": [
{
"name": "support",
"description": "Support access to user information.",
"path": "managed/user",
"permissions": [
"VIEW",
"UPDATE",
"CREATE",
"DELETE",
"ACTION"
],
"actions": [
"create",
"patch"
],
"filter": "/userName sw \"test1\"",
"accessFlags": [
{
"attribute": "userName",
"readOnly": false
},
{
"attribute": "mail",
"readOnly": false
},
{
"attribute": "givenName",
"readOnly": false
},
{
"attribute": "sn",
"readOnly": false
},
{
"attribute": "accountStatus",
"readOnly": false
},
{
"attribute": "myArray",
"readOnly": false
},
{
"attribute": "
description
",
"readOnly":
true
}
]
}
]
}
PATCH the description attribute fails:
curl --request PATCH 'http://localhost:8080/openidm/managed/user/bcc8b45f-36cb-4443-8a03-a07db01f9c05' \ --header 'x-openidm-username: manager1' \ --header 'x-openidm-password: Welcome1' \ --header 'Content-Type: application/json' \ --data '[{ "operation":"replace", "field":"description", "value":"test7" }]'
Results:
{
"code": 403,
"reason": "Forbidden",
"message": "No matching privileges found",
"detail": {
"failedPrivilegeRequirements": [
[
{
"property": "description",
"error": "No attribute level access"
}
]
]
}
}
But when we use a POST _action=patch it succeeds.
curl --request POST 'http://localhost:8080/openidm/managed/user?_action=patch&_queryId=for-userName&uid=test1' \ --header 'x-openidm-username: manager1' \ --header 'x-openidm-password: Welcome1' \ --header 'Content-Type: application/json' \ --data '[{ "operation":"replace", "field":"description", "value":"test9" }]'
and updates the description field.