Openbravo Issue Tracking System - Openbravo ERP |
View Issue Details |
|
ID | Project | Category | View Status | Date Submitted | Last Update |
0055517 | Openbravo ERP | A. Platform | public | 2024-05-20 10:12 | 2024-07-09 12:14 |
|
Reporter | gorkaion | |
Assigned To | eugen_hamuraru | |
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | |
Platform | | OS | 5 | OS Version | |
Product Version | | |
Target Version | | Fixed in Version | | |
Merge Request Status | |
Review Assigned To | |
OBNetwork customer | |
Web browser | |
Modules | Core |
Support ticket | |
Regression level | |
Regression date | |
Regression introduced in release | |
Regression introduced by commit | |
Triggers an Emergency Pack | No |
|
Summary | 0055517: Extra access required when return full object is enabled on POST Synchronous requests |
Description | On a POST endpoint with synchronous execution enabled and return object mapping configured, some extra accesses are required when trying to consume these endpoints with a manual role:
- Read access to tables API_Export_Filter and OBEI_Entity_Mapping
- Access to a window where the object created by the API can be viewed.
By default only Giftcards allows sync execution and this endpoint does not require access to API_Export_Filter. Enabling the sync execution on other endpoints like business partner, coupons or subscriptions requires access to that table. |
Steps To Reproduce | - Create a Manual Role with restricted backend access and web services enabled.
- Try to execute a POST request on an endpoint with _synchronous and _returnFullObject enabled.
- Check the response is an error 500 with a truncated response message
- Check there is no error in the openbravo.log |
Proposed Solution | - Allow executing POST requests with roles that do not have access to backend.
- Do not require access to API and EntityMapping tables if the role has the web service access granted. |
Additional Information | |
Tags | No tags attached. |
Relationships |
depends on | backport | 0055952 | PR24Q2.1 | closed | eugen_hamuraru | Openbravo ERP | Extra access required when return full object is enabled on POST Synchronous requests |
related to | defect | 0055546 | | closed | Triage Platform Conn | Modules | Roles with restricted backend access cannot see the Swagger Doc |
|
Attached Files | |
|
Issue History |
Date Modified | Username | Field | Change |
2024-05-20 10:12 | gorkaion | New Issue | |
2024-05-20 10:12 | gorkaion | Assigned To | => Triage Platform Base |
2024-05-20 10:12 | gorkaion | Modules | => Core |
2024-05-20 10:12 | gorkaion | Triggers an Emergency Pack | => No |
2024-05-20 15:53 | hgbot | Note Added: 0164829 | |
2024-05-20 17:38 | hgbot | Note Added: 0164864 | |
2024-05-20 17:39 | hgbot | Note Added: 0164865 | |
2024-05-21 13:23 | hgbot | Note Added: 0164894 | |
2024-05-21 16:18 | caristu | Relationship added | related to 0048976 |
2024-05-21 16:33 | caristu | Description Updated | bug_revision_view_page.php?rev_id=27995#r27995 |
2024-05-21 16:36 | hgbot | Note Added: 0164907 | |
2024-05-22 09:46 | caristu | Relationship added | related to 0055546 |
2024-05-22 09:47 | caristu | Relationship deleted | related to 0048976 |
2024-05-22 15:47 | AugustoMauch | Assigned To | Triage Platform Base => eugen_hamuraru |
2024-05-22 16:49 | hgbot | Resolution | open => fixed |
2024-05-22 16:49 | hgbot | Status | new => closed |
2024-05-22 16:49 | hgbot | Note Added: 0164983 | |
2024-05-22 16:49 | hgbot | Note Added: 0164984 | |
2024-07-09 12:13 | alostale | Status | closed => new |
2024-07-09 12:13 | alostale | Resolution | fixed => open |
2024-07-09 12:13 | alostale | Status | new => acknowledged |
2024-07-09 12:14 | alostale | Status | acknowledged => scheduled |
2024-07-09 12:14 | alostale | Status | scheduled => resolved |
2024-07-09 12:14 | alostale | Fixed in SCM revision | => https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/commit/153b9955e6ccde35d16cb2faf598794bd5c7dc4f |
2024-07-09 12:14 | alostale | Resolution | open => fixed |
2024-07-09 12:14 | alostale | Status | resolved => closed |
Notes |
(0164829) | hgbot | 2024-05-20 15:53 |
(0164864) | hgbot | 2024-05-20 17:38 |
(0164865) | hgbot | 2024-05-20 17:39 |
(0164894) | hgbot | 2024-05-21 13:23 |
(0164907) | hgbot | 2024-05-21 16:36 |
(0164983) | hgbot | 2024-05-22 16:49 |
Directly closing issue as related merge request is already approved.
Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.api
Changeset: 153b9955e6ccde35d16cb2faf598794bd5c7dc4f
Author: Eugen Hamuraru <eugen.hamuraru@openbravo.com>
Date: 22-05-2024 14:49:07
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/commit/153b9955e6ccde35d16cb2faf598794bd5c7dc4f
Fixes BUG-55517: roles without explicit permissions cannot use the API WS
Fixes the problem by using the admin mode in the following cases:
- When reading the entity mapping configuration when creating the response of the import WS in synchronous mode.
- When reading the filter information in the export WS
- When reading the data of the entity to write it in the response of the export WS
---
M src/org/openbravo/api/ApiExportFilterProvider.java
M src/org/openbravo/api/service/ApiImportWebService.java
M src/org/openbravo/api/service/ApiWebService.java
M src/org/openbravo/api/service/JSONWebService.java
---
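The pattern the commit message above describes is a scoped elevation around internal configuration reads. The following is an added example, not code from the commit or from Openbravo: `AdminModeScopeDemo`, `inAdminMode`, `read` and the role grants are hypothetical stand-ins, and only the table names come from this issue.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Set;
import java.util.function.Supplier;

// Simplified stand-in for a per-request security context (hypothetical, not Openbravo's own class).
public class AdminModeScopeDemo {
  static final Set<String> ROLE_READABLE = Set.of("C_BPartner"); // constructed role grants
  private static final ThreadLocal<Deque<Boolean>> ADMIN = ThreadLocal.withInitial(ArrayDeque::new);

  static boolean isAdmin() {
    Deque<Boolean> stack = ADMIN.get();
    return !stack.isEmpty() && stack.peek();
  }

  // Run one internal read elevated; finally restores the caller's mode even on failure.
  static <T> T inAdminMode(Supplier<T> internalRead) {
    ADMIN.get().push(true);
    try {
      return internalRead.get();
    } finally {
      ADMIN.get().pop();
    }
  }

  // Table-level access check as a data layer would enforce it.
  static String read(String table) {
    if (!isAdmin() && !ROLE_READABLE.contains(table)) {
      throw new SecurityException("role cannot read " + table);
    }
    return "rows of " + table;
  }

  public static void main(String[] args) {
    // Configuration lookup the service needs for every caller: elevated, narrowly scoped.
    System.out.println(inAdminMode(() -> read("OBEI_Entity_Mapping")));
    // The elevation did not leak: a direct read by the restricted role is still denied.
    try {
      read("API_Export_Filter");
    } catch (SecurityException e) {
      System.out.println("denied outside scope: " + e.getMessage());
    }
    // An exception inside the scope must not leave the thread elevated.
    try {
      inAdminMode(() -> { throw new IllegalStateException("mapping missing"); });
    } catch (IllegalStateException e) {
      System.out.println("still admin after failure? " + isAdmin());
    }
  }
}
```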
(0164984) | hgbot | 2024-05-22 16:49 |