[OPENIDM-14075] When filter present on privileges, edges for relationships may be left unresolved. Created: 12/Nov/19  Updated: 10/Sep/20  Resolved: 28/Jul/20

Status: Closed
Project: OpenIDM
Component/s: None
Affects Version/s: 7.0.0
Fix Version/s: 7.0.0

Type: Bug Priority: Major
Reporter: Katie Gonzalez Assignee: Katie Gonzalez
Resolution: Fixed Votes: 0
Labels: CLARK, DIXON, VerifiedManually
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Verified Version/s:
QA Assignee: Alexander Dracka
Story Points: 5
Sprint: 2020.04 - IDM, 2020.05 - IDM, 2020.06 - IDM
Epic Link: Delegated Admin Phase 2

 Description   
  • Requests performed internally to read a resource being patched or updated may not retrieve the relationship field being patched, and so do not see the relationship that already exists for edges that need to be cleaned up. This happens only when filters in the PrivilegeContext prevent the relationship field from being viewed for certain objects. The relationship appears to be null on the origin object, which allows the relationship to be created even though it already exists.
  • The request performed internally in ManagedObjectSet#deleteInstance and InternalObjectSet#deleteInstance reads the resource being deleted with all possible relationships of the resource, and that response is sent back to the requester. If the requester asks for a relationship field in the delete request, the relationships for that field are returned in their entirety even if the requester only has privilege to view a subset. A read with filters should be performed (if needed) to gather an accurate ResourceResponse to return after the delete has completed.

Requests made for internal logic within MOS or IOS (ManagedObjectSet / InternalObjectSet) should not consider privileges. The only request that should consider relationship filters is the final request that reads the resulting resource.
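The following is an added toy model of the two behaviours described above; it is not OpenIDM code and the object graph, ids and names (u1 "sally" with a stale reports edge to u2 "bob", u3 "sam", edge ids e1/e2) are constructed for the example. It contrasts an internal read that wrongly applies the requester's privilege filter (leaving the old edge unresolved, or echoing hidden edges back on delete) with the corrected behaviour where only the final read is requester-scoped.

```python
# Added example modelling OPENIDM-14075; not OpenIDM code. Constructed data throughout.
from dataclasses import dataclass


@dataclass
class Edge:
    edge_id: str
    origin: str   # managed/user id on the "reports" side of the relationship
    target: str   # managed/user id the edge points at


class Repo:
    """In-memory stand-in for managed/user plus repo/relationships (constructed)."""

    def __init__(self):
        self.users = {"u1": "sally", "u2": "bob", "u3": "sam"}
        # sally's reports relationship currently points at bob (edge e1)
        self.edges = {"e1": Edge("e1", "u1", "u2")}
        self._seq = 1

    def edges_from(self, origin):
        return [e for e in self.edges.values() if e.origin == origin]

    def add_edge(self, origin, target):
        self._seq += 1
        edge = Edge(f"e{self._seq}", origin, target)
        self.edges[edge.edge_id] = edge
        return edge

    def remove_edge(self, edge_id):
        del self.edges[edge_id]


def delegated_admin_filter(user_name):
    """Models the privilege filter /userName sw "s": the DA sees sally and sam, not bob."""
    return user_name.startswith("s")


def read_reports(repo, origin, privilege_filter=None):
    """Internal read when privilege_filter is None; requester-scoped read otherwise.
    A requester-scoped read drops edges whose target fails the privilege filter."""
    edges = repo.edges_from(origin)
    if privilege_filter is None:
        return edges
    return [e for e in edges if privilege_filter(repo.users[e.target])]


def patch_replace_reports(repo, origin, new_targets, privilege_filter,
                          internal_reads_bypass_privileges):
    """Replace origin's reports with new_targets. The internal read decides which
    existing edges are stale and which targets already have an edge; the final
    response returned to the requester is always privilege-scoped."""
    internal_filter = None if internal_reads_bypass_privileges else privilege_filter
    existing = read_reports(repo, origin, internal_filter)
    for edge in existing:
        if edge.target not in new_targets:       # stale edge: clean it up
            repo.remove_edge(edge.edge_id)
    already_linked = {e.target for e in existing if e.target in new_targets}
    for target in new_targets:
        if target not in already_linked:          # an unseen edge would be duplicated here
            repo.add_edge(origin, target)
    return read_reports(repo, origin, privilege_filter)


def delete_user(repo, user_id, privilege_filter, filter_final_read):
    """Delete user_id and every edge it owns. The internal read must see all edges;
    the bug was returning that unfiltered read as the response to the requester."""
    all_edges = read_reports(repo, user_id)
    response = read_reports(repo, user_id, privilege_filter) if filter_final_read else all_edges
    for edge in all_edges:
        repo.remove_edge(edge.edge_id)
    del repo.users[user_id]
    return response


def run_patch(internal_reads_bypass_privileges):
    """DA replaces sally's reports (bob, hidden from the DA) with sam. Returns
    (edge ids left in the repo, targets visible in the DA's response)."""
    repo = Repo()
    response = patch_replace_reports(repo, "u1", ["u3"], delegated_admin_filter,
                                     internal_reads_bypass_privileges)
    return sorted(repo.edges), [e.target for e in response]


def run_delete(filter_final_read):
    """DA deletes sally. Returns (targets in the DA's response, edge ids left)."""
    repo = Repo()
    response = delete_user(repo, "u1", delegated_admin_filter, filter_final_read)
    return [e.target for e in response], sorted(repo.edges)


if __name__ == "__main__":
    print("patch, filtered internal read :", run_patch(False))   # stale e1 survives
    print("patch, internal read bypasses :", run_patch(True))    # only the new edge
    print("delete, unfiltered response   :", run_delete(False))  # leaks hidden bob
    print("delete, filtered response     :", run_delete(True))
```

Note that the delegated admin's patch response looks identical in both cases (only sam is visible), so the dangling edge can only be confirmed by a read as openidm-admin, which is exactly what the functional test below checks via the edge id.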



 Comments   
Comment by Katie Gonzalez [ 29/Jul/20 ]

Functional test could include:

For patch/update:

  • As openidm-admin, create an internal role for a delegated admin user that has VIEW, UPDATE privileges on managed/user with a relationship, such as reports. This privilege should have a filter such as `"/userName sw \"s\""`
  • As openidm-admin, create a delegated admin user.
  • As openidm-admin, assign the role to the delegated admin.
  • As openidm-admin, create a user that has a report whose userName does not start with "s"
  • As openidm-admin, read this newly created user's reports `managed/user/<createdUserId>/reports` and retrieve/preserve the edge id of the relationship
  • As the delegated admin, attempt a PATCH to replace the user's reports with a managed/user whose userName does start with "s"
  • The delegated admin should be able to complete the PATCH, AND the relationship to the old report (that the DA did not have permission to read) should be cleaned up.
  • As openidm-admin, validate this by reading the edge `managed/user/<createdUserId>/reports/<edgeId>` or `repo/relationships/<edgeId>` and verify it is not found.

For delete:

  • As openidm-admin, create an internal role for a delegated admin user that has VIEW, DELETE privileges on managed/user with a relationship, such as reports. This privilege should have a filter such as `"/userName sw \"s\""`
  • As openidm-admin, create a delegated admin user.
  • As openidm-admin, assign the role to the delegated admin.
  • As openidm-admin, create a user that has a report whose userName does not start with "s"
  • As openidm-admin, read this newly created user's reports `managed/user/<createdUserId>/reports` and retrieve/preserve the edge id of the relationship
  • As the delegated admin, attempt a DELETE to delete the newly created user who has a report the DA cannot VIEW
  • The delegated admin should be able to complete the DELETE, AND the relationship to the report (that the DA did not have permission to read) should be cleaned up.
  • As openidm-admin, validate this by reading the edge `repo/relationships/<edgeId>` and verify it is not found.
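The script below is an added example that automates both functional tests above over the IDM REST API; it is not part of the ticket or of OpenIDM. It assumes an IDM instance at http://localhost:8080/openidm with the default openidm-admin password, the default managed/user schema (userName, manager, reports), and it chooses its own role name, accessFlags, user names (the patched user "sally" passes the `/userName sw "s"` filter, her hidden report "bob" does not, the replacement "sam" does) and test password. Objects it creates are left in place for inspection.

```python
# Added example: drives the OPENIDM-14075 functional test against a live IDM 7 instance.
# Not OpenIDM code. BASE, credentials, names, accessFlags and password are assumptions.
import json
import sys
import urllib.error
import urllib.request

BASE = "http://localhost:8080/openidm"          # assumed
ADMIN = ("openidm-admin", "openidm-admin")       # assumed default credentials
DA_PASSWORD = "Passw0rd!"                        # assumed; must satisfy the password policy


def call(method, path, body=None, auth=ADMIN):
    """One REST call. Returns (status, parsed JSON); a 404 is returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{BASE}/{path}", data=data, method=method)
    req.add_header("X-OpenIDM-Username", auth[0])
    req.add_header("X-OpenIDM-Password", auth[1])
    req.add_header("Content-Type", "application/json")
    if method in ("PATCH", "PUT", "DELETE"):
        req.add_header("If-Match", "*")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return 404, None
        raise


def internal_role_body(name, permissions, privilege_filter):
    """Internal role whose single managed/user privilege carries the filter from the ticket."""
    return {
        "name": name,
        "description": "Delegated admin role for the OPENIDM-14075 functional test",
        "privileges": [{
            "name": name,
            "path": "managed/user",
            "actions": [],
            "permissions": permissions,
            "filter": privilege_filter,
            # accessFlags chosen for this example: the DA must be able to write reports
            "accessFlags": [
                {"attribute": "userName", "readOnly": True},
                {"attribute": "reports", "readOnly": False},
            ],
        }],
    }


def replace_reports_patch(report_user_id):
    """JSON patch replacing the whole reports relationship with a single target."""
    return [{"operation": "replace", "field": "/reports",
             "value": [{"_ref": f"managed/user/{report_user_id}"}]}]


def new_user(user_name, password=DA_PASSWORD):
    return {"userName": user_name, "givenName": user_name, "sn": "Test",
            "mail": f"{user_name}@example.com", "password": password}


def run(delete_case):
    """Execute the patch (default) or delete variant; True when the stale edge is gone."""
    permissions = ["VIEW", "DELETE"] if delete_case else ["VIEW", "UPDATE"]
    _, role = call("POST", "internal/role?_action=create",
                   internal_role_body("da-reports", permissions, '/userName sw "s"'))
    _, da = call("POST", "managed/user?_action=create", new_user("delegated"))
    call("PATCH", f"managed/user/{da['_id']}",
         [{"operation": "add", "field": "/authzRoles/-",
           "value": {"_ref": f"internal/role/{role['_id']}"}}])
    _, hidden = call("POST", "managed/user?_action=create", new_user("bob"))     # fails filter
    _, subject = call("POST", "managed/user?_action=create", new_user("sally"))  # passes filter
    call("PATCH", f"managed/user/{subject['_id']}", replace_reports_patch(hidden["_id"]))
    _, edges = call("GET", f"managed/user/{subject['_id']}/reports?_queryFilter=true")
    edge_id = edges["result"][0]["_id"]          # edge id of sally -> bob, read as admin
    da_auth = ("delegated", DA_PASSWORD)
    if delete_case:
        call("DELETE", f"managed/user/{subject['_id']}", auth=da_auth)
    else:
        _, visible = call("POST", "managed/user?_action=create", new_user("sam"))
        call("PATCH", f"managed/user/{subject['_id']}",
             replace_reports_patch(visible["_id"]), auth=da_auth)
    status, _ = call("GET", f"repo/relationships/{edge_id}")   # as openidm-admin
    print(f"edge {edge_id}:", "cleaned up" if status == 404 else f"still present (HTTP {status})")
    return status == 404


if __name__ == "__main__":
    sys.exit(0 if run("--delete" in sys.argv) else 1)
```

Run it once without arguments for the patch/update case and once with `--delete` for the delete case; a non-zero exit means the edge that the delegated admin could not see was left behind. Each run creates a fresh role and users, so rename them (or delete the leftovers as openidm-admin) before repeating against the same instance.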
Comment by Alexander Dracka [ 10/Sep/20 ]

Fixed

Verified with the OpenIDM version "7.0.0" (build: 20200807153350, revision: 755f6ae)

Functional tests added

Generated at Sat Nov 28 23:01:20 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.