OpenIDM / OPENIDM-9520

Update via REST with PUT removes private fields which are not included in the request

    Details

    • Story Points:
      3
    • Sprint:
      OpenIDM Sprint 6.5-1

      Description

      1) Admin creates a user:

      curl -u openidm-admin:openidm-admin -k -X PUT --data '{"givenName":"Jake","sn":"Feasel","mail":"jfeasel@example.com","userName":"jfeasel","password":"Passw0rd"}' -H 'Content-type:application/json' https://localhost:8443/openidm/managed/user/jfeasel
      

      2) User can authenticate with credentials:

      curl -u jfeasel:Passw0rd -k https://localhost:8443/openidm/managed/user/jfeasel
      {"_id":"jfeasel","_rev":"00000000a471ded6","givenName":"Jake","sn":"Feasel","mail":"jfeasel@example.com","userName":"jfeasel","accountStatus":"active","lastChanged":{"date":"2017-10-19T17:19:21.142Z"},"effectiveRoles":[],"effectiveAssignments":[]}
      

      3) Admin uses "PUT" to update the givenName, using the output from the above read call as the basis for the update:

      curl -u openidm-admin:openidm-admin -k -X PUT --data '{"_id":"jfeasel","_rev":"00000000a471ded6","givenName":"Jake2","sn":"Feasel","mail":"jfeasel@example.com","userName":"jfeasel","accountStatus":"active","lastChanged":{"date":"2017-10-19T17:19:21.142Z"},"effectiveRoles":[],"effectiveAssignments":[]}' -H 'Content-type:application/json' https://localhost:8443/openidm/managed/user/jfeasel
      

      4) User attempts the same request as was done in 2:

      curl -u jfeasel:Passw0rd -k https://localhost:8443/openidm/managed/user/jfeasel
      

      Expected result:
      Same content that was uploaded by the admin in step 3

      Actual result:

      {"code":401,"reason":"Unauthorized","message":"Access Denied"}
      

      Reason: The "password" field is set to "private" in the managed user schema. Therefore, it is not returned in a read call that is performed via REST. When using this content to perform an update to an unrelated field (e.g., "givenName"), the password field is lost. This prevents the user from being able to log in, and therefore results in the 401 failure.

      Suggestion: When performing an update, preserve any private fields which are not included in the new content.
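To make the suggested behaviour concrete, the following is an added model of the two update semantics (it is example code, not OpenIDM's own implementation). The schema dict, the stored object and all helper names are assumptions; only the field names and the `"scope": "private"` marker mirror the managed user object described in the steps above. It replays steps 2 to 4 once against a PUT that replaces the object wholesale and once against a PUT that carries over private fields absent from the request, and shows that an explicit password change in the request still takes effect under the second semantics.

```python
# Added example, not OpenIDM code: a model of the update semantics this
# report asks for. The schema dict, stored object and helper names are
# assumptions constructed for illustration.
import copy

# Constructed stand-in for the managed/user schema. Only "password" is private.
MANAGED_USER_SCHEMA = {
    "properties": {
        "userName": {"type": "string"},
        "givenName": {"type": "string"},
        "sn": {"type": "string"},
        "mail": {"type": "string"},
        "accountStatus": {"type": "string"},
        "password": {"type": "string", "scope": "private"},
    }
}

# Constructed stored object, as it would sit in the repository after step 1.
# The password is kept in clear only to keep the model short; a real
# repository stores a hash and verifies against that.
STORED_USER = {
    "_id": "jfeasel",
    "_rev": "00000000a471ded6",
    "userName": "jfeasel",
    "givenName": "Jake",
    "sn": "Feasel",
    "mail": "jfeasel@example.com",
    "accountStatus": "active",
    "password": "Passw0rd",
}


def private_fields(schema):
    """Names of the properties the schema marks as private."""
    return {
        name
        for name, spec in schema["properties"].items()
        if spec.get("scope") == "private"
    }


def read_via_rest(stored, schema):
    """What the REST read in step 2 hands back: private fields are stripped."""
    return {k: v for k, v in stored.items() if k not in private_fields(schema)}


def put_replace(stored, request_body):
    """Observed behaviour: the request body replaces the object wholesale,
    so a private field that is absent from the body is dropped."""
    return copy.deepcopy(request_body)


def put_preserve_private(stored, request_body, schema):
    """Suggested behaviour: a private field absent from the body keeps its
    stored value. A private field that IS present in the body (for example
    a password change) is taken from the body, so explicit updates still work."""
    merged = copy.deepcopy(request_body)
    for field in private_fields(schema):
        if field not in merged and field in stored:
            merged[field] = stored[field]
    return merged


def can_authenticate(stored, username, password):
    """Simplified credential check standing in for the basic-auth login of steps 2 and 4."""
    return stored.get("userName") == username and stored.get("password") == password


def scenario(update_fn):
    """Replay steps 2 to 4 against one PUT implementation. Returns whether the
    user can still log in afterwards and what givenName became."""
    body = read_via_rest(STORED_USER, MANAGED_USER_SCHEMA)  # step 2 output
    body["givenName"] = "Jake2"                              # step 3 edit
    after = update_fn(STORED_USER, body)
    return can_authenticate(after, "jfeasel", "Passw0rd"), after["givenName"]


def scenario_password_change():
    """An explicit password in the PUT body must win over the stored value."""
    body = read_via_rest(STORED_USER, MANAGED_USER_SCHEMA)
    body["password"] = "NewPassw0rd"
    after = put_preserve_private(STORED_USER, body, MANAGED_USER_SCHEMA)
    return can_authenticate(after, "jfeasel", "NewPassw0rd")


if __name__ == "__main__":
    print("replace wholesale:", scenario(put_replace))
    print("preserve private :", scenario(
        lambda s, b: put_preserve_private(s, b, MANAGED_USER_SCHEMA)))
    print("explicit change  :", scenario_password_change())
```

The merge only fills in fields that are both private in the schema and missing from the request, so a PUT that deliberately sets or changes a private field is unaffected. Independently of the server-side fix, a client that sends only the changed field (a PATCH rather than a whole-object PUT) never drops the password in the first place.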

      People

      • Assignee:
        cgdrake Chris Drake
      • Reporter:
        jake.feasel Jake Feasel
      • QA Assignee:
        Alexander Dracka
      • Votes:
        0
      • Watchers:
        3
