OpenIDM / OPENIDM-1941

"pattern" property in access.js rules does not work when used on system endpoints


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: OpenIDM 2.1.0
    • Fix Version/s: None
    • Component/s: Module - Authorization
    • Environment: r1952
    • Sprint: Sprint 31

      Description

      (bug reported by Cyril G. on the mailing list)

      With OpenIDM 2.1, rules to open read access to managed/user like this one work well:

      {
                  "pattern"   : "managed/user/*",
                  "roles"     : "monitoring",
                  "methods"   : "read",
                  "actions"   : ""
      },
      

      But when the pattern is a system endpoint, it does not work.
      Here is the rule we add:

      {
                  "pattern"   : "system/*",
                  "roles"     : "monitoring",
                  "methods"   : "*",
                  "actions"   : "*"
      }
      

      Steps to reproduce the problem easily

      • unzip OpenIDM
      • add custom rule in script/access.js (the second one mentioned earlier)
      • launch sample1: ./startup.sh -p samples/sample1
      • access an account in XML file as an admin:
        [MBP]$ curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request GET "http://localhost:8080/openidm/system/xmlfile/account/bjensen" | jq .
        {
          "email": "bjensen@example.com",
          "first name": "Barbara",......
        }
        

        => this is fine

      • create a manager user with role monitoring:
        [MBP]$ curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request PUT --data '{"userName":"bill","givenName":"bill","familyName":"doe","phoneNumber":"12345678","active":"true","email":"bill@door.com","password":"Th3Password","roles":"monitoring"}' http://localhost:8080/openidm/managed/user/bill | jq '.'

      • access an account in XML file as this user:
        [MBP]$ curl --header "X-OpenIDM-Username: bill" --header "X-OpenIDM-Password: Th3Password" --request GET "http://localhost:8080/openidm/system/xmlfile/account/bjensen" | jq .  
        {
          "message": "Access denied",
          "reason": "Forbidden",
          "error": 403
        }
        

        => this is a bug. We should have access
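As an added illustration (not code from OpenIDM or from the report), here is a small JavaScript evaluator for rules of the shape shown above, useful for checking offline which rule, if any, grants a given request before attributing a 403 to a bug. It assumes the wildcard semantics stated in its comments (a trailing `*` matches the remainder of the path) and all function names are hypothetical.

```javascript
// Added example: a simplified evaluator for access rules of the shape used in
// access.js. It is NOT OpenIDM's own implementation: the wildcard semantics
// (a trailing "*" matches the rest of the path, "*" alone matches anything)
// and the function names are assumptions made for this illustration.
// Rules as given in the report; "pattern"/"roles"/"methods"/"actions" may be
// a single string, a comma-separated string or an array, "*" meaning "any".
const RULES = [
  { pattern: "managed/user/*", roles: "monitoring", methods: "read", actions: "" },
  { pattern: "system/*",       roles: "monitoring", methods: "*",    actions: "*" },
];

function asList(value) {
  if (Array.isArray(value)) return value;
  if (value === undefined || value === null || value === "") return [];
  return String(value).split(",").map((s) => s.trim()).filter(Boolean);
}

// "*" allows any value; otherwise the requested value must be listed.
function listAllows(ruleValue, requested) {
  const allowed = asList(ruleValue);
  return allowed.includes("*") || allowed.includes(requested);
}

// Assumed wildcard semantics: "a/b/*" matches "a/b/anything/deeper".
function patternMatches(pattern, resource) {
  if (pattern === "*") return true;
  if (pattern.endsWith("/*")) {
    const prefix = pattern.slice(0, -1); // keep the trailing slash
    return resource.startsWith(prefix) && resource.length > prefix.length;
  }
  return pattern === resource;
}

// A request is allowed if some rule matches the resource, grants one of the
// caller's roles and permits the method (and the action, for "action").
function isAllowed(rules, request) {
  return rules.some((rule) =>
    patternMatches(rule.pattern, request.resource) &&
    asList(request.roles).some((r) => listAllows(rule.roles, r)) &&
    listAllows(rule.methods, request.method) &&
    (request.method !== "action" || listAllows(rule.actions, request.action)));
}

// The report's failing request: role "monitoring" reading
// system/xmlfile/account/bjensen (GET maps to method "read").
function checkReportedRequest() {
  return isAllowed(RULES, { resource: "system/xmlfile/account/bjensen",
                            method: "read", roles: "monitoring" });
}
```

Under these assumed semantics the second rule does grant the request, so a 403 from the real server points at a difference between the deployed access.js and the rule as written (for example the rule not being loaded, or the user's roles not containing "monitoring") rather than at the pattern itself.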

        People

        Assignee: Jon Branch (jbranch)
        Reporter: Laurent Bristiel (laurent.bristiel)