[OPENIDM-14387] DA: Too many objects returned from an edge's relationship field when privilege filter should limit Created: 18/Feb/20  Updated: 11/Mar/20  Resolved: 02/Mar/20

Status: Closed
Project: OpenIDM
Component/s: None
Affects Version/s: 7.0.0
Fix Version/s: 7.0.0

Type: Bug Priority: Major
Reporter: Katie Gonzalez Assignee: Katie Gonzalez
Resolution: Fixed Votes: 0
Labels: DIXON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is required by OPENIDM-14370 Requests for edge returning too many ... Closed
is related to OPENIDM-14388 QA: Privilege filter for edge's relat... Closed
Target Version/s:
Verified Version/s:
Story Points: 3
Sprint: 2020.03 - IDM
Epic Link: Delegated Admin Phase 2


On a request such as: 


if there is a privilege filter that should limit members objects, the total objects are still
being returned. For example, a privilege of "/userName eq 'scarter'" on "managed/user" should limit the results for scarter's roles' members to only those with userName equal to scarter, yet all members are returned.

A filter (conditionalFilter(matchResourcePath("^.(managed|internal)/.$"), privilegeExecutorContextFilter)) is added to the AugmentingIDMConnectionFactoryProxy which would add a PrivilegeExecutorContext to an "external" Context so that privilege filters will be considered during reads and queries. 

The connection used to be passed to this Class's Constructor, retaining the type of connection the filters are used for.

After the commit, 5cbad98a4cb, the connection used for field augmentation is the INTERNAL_ROUTER_COMPONENT_NAME_FILTER and this connection does not have the filter to add the PrivilegeExecutorContext to the Context, so privilege filters are not getting considered and too many results are being returned.

Need to apply the PrivilegeExecutorContextFilter at a lower level in the ServletConnectionFactory, or need to change field augmentation to use the AugmentingIDMConnectionFactoryProxy through constructor (by reference will not work, that causes circular reference). Research other solutions to possibly remove PrivilegeExecutorContextFilter.

Comment by Alexander Dracka [ 11/Mar/20 ]

Tested with the OpenIDM version "7.0.0-SNAPSHOT" (build: 20200311031540, revision: 791434a)

Generated at Tue Mar 09 09:42:53 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.