Uploaded image for project: 'OpenIDM'
  1. OpenIDM
  2. OPENIDM-15086

Using POST "_action=patch&_queryId=for-userName" succeeds despite read-only flag

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.0.2
    • Fix Version/s: None
    • Component/s: Performance
    • Environment:
      6.5.0.2
    • Target Version/s:
    • Story Points:
      1
    • Support Ticket IDs:
    • Zendesk ID:
      50491
    • Season:
      2021.Spring

      Description

      Steps to reproduce:

      Create an internal role, with readOnly set to true on attribute "description":

       

      {
    "_id": "support",
    "_rev": "0000000049cdfdf3",
    "name": "support",
    "description": "Support Role",
    "temporalConstraints": null,
    "condition": null,
    "privileges": [
        {
            "name": "support",
            "description": "Support access to user information.",
            "path": "managed/user",
            "permissions": [
                "VIEW",
                "UPDATE",
                "CREATE",
                "DELETE",
                "ACTION"
            ],
            "actions": [
                "create",
                "patch"
            ],
            "filter": "/userName sw \"test1\"",
            "accessFlags": [
                {
                    "attribute": "userName",
                    "readOnly": false
                },
                {
                    "attribute": "mail",
                    "readOnly": false
                },
                {
                    "attribute": "givenName",
                    "readOnly": false
                },
                {
                    "attribute": "sn",
                    "readOnly": false
                },
                {
                    "attribute": "accountStatus",
                    "readOnly": false
                },
                {
                    "attribute": "myArray",
                    "readOnly": false
                },
                {
                    "attribute": "
description
",
                    "readOnly":
true

                }
            ]
        }
    ]
}

       

      PATCH the description attribute fails:

      curl --request PATCH 'http://localhost:8080/openidm/managed/user/bcc8b45f-36cb-4443-8a03-a07db01f9c05' \
--header 'x-openidm-username: manager1' \
--header 'x-openidm-password: Welcome1' \
--header 'Content-Type: application/json' \
--data '[{
  "operation":"replace",
  "field":"description",
  "value":"test7"
  }]'

      Results:

       

      {
    "code": 403,
    "reason": "Forbidden",
    "message": "No matching privileges found",
    "detail": {
        "failedPrivilegeRequirements": [
            [
                {
                    "property": "description",
                    "error": "No attribute level access"
                }
            ]
        ]
    }
}
 

      But when we use a POST _action=patch it succeeds.

      curl --request POST 'http://localhost:8080/openidm/managed/user?_action=patch&_queryId=for-userName&uid=test1' \
--header 'x-openidm-username: manager1' \
--header 'x-openidm-password: Welcome1' \
--header 'Content-Type: application/json' \
--data '[{
  "operation":"replace",
  "field":"description",
  "value":"test9"
  }]'

      and updates the description field.   

       

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              jesse.ontiveros Jesse Ontiveros
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated: