Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0055952Openbravo ERPA. Platformpublic2024-05-20 10:122024-07-11 14:32
Reportergorkaion 
Assigned Toeugen_hamuraru 
PriorityhighSeveritymajorReproducibilityalways
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Version 
Target VersionPR24Q2.1Fixed in Version 
Merge Request Statusapproved
Review Assigned To
OBNetwork customerGold
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0055952: Extra acess required when return full object is enabled on POST Synchronous requests
DescriptionOn a POST endpoint with synchronous execution enabled and return object mapping configured.

When trying to consume these endpoints with a manual role some extra accesses are required:
- Read access to tables API_Export_Filter and OBEI_Entity_Mapping
- Access to a window where the object created by the api can be viewed.

By default only Giftcards allows sync execution and this endpoint does not require access to API_Export_Filter. Enabling the sync execution on other endpoints like business partner, coupons or suscriptions require the access to that table.
Steps To Reproduce- Create a Manual Role with restricted backend access and web services enabled.
- Try to execute a POST request on an endpoint with _synchronous and _returnFullObject enabled.
- Check the response is an error 500 with a truncated response message
- Check there is no error in the openbravo.log
Proposed Solution- Allow executing POST requests with roles that do not have access to backend.
- Do not require require access to API and EntityMapping tables if the role has the web service access granted.
Additional Information
TagsNo tags attached.
Relationships
blocks defect 0055517 closed eugen_hamuraru Extra acess required when return full object is enabled on POST Synchronous requests 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2024-07-09 12:14alostaleTypedefect => backport
2024-07-09 12:14alostaleTarget Version => PR24Q2.1
2024-07-09 12:18hgbotNote Added: 0166834
2024-07-11 14:32hgbotResolutionopen => fixed
2024-07-11 14:32hgbotStatusscheduled => closed
2024-07-11 14:32hgbotNote Added: 0166901
2024-07-11 14:32hgbotNote Added: 0166902

Notes
(0166834)
hgbot   
2024-07-09 12:18   
Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/merge_requests/292 [^]
(0166901)
hgbot   
2024-07-11 14:32   
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.api [^]
Changeset: 97a030bd568543a7362d770657c6f0de523af9b2
Author: Eugen Hamuraru <eugen.hamuraru@openbravo.com>
Date: 09-07-2024 12:15:36
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/commit/97a030bd568543a7362d770657c6f0de523af9b2 [^]

Fixes BUG-55952: roles without explicit permissions cannot use the API WS

24Q2 backport from 24Q3

  Fixes the problem by using the admin mode in the following cases:
  - When reading the entity mapping configuration when creating the response of the import WS in synchronous mode.
  - When reading the filter information in the export WS
  - When reading the data of the entity to write it in the response of the export WS

---
M src/org/openbravo/api/ApiExportFilterProvider.java
M src/org/openbravo/api/service/ApiImportWebService.java
M src/org/openbravo/api/service/ApiWebService.java
M src/org/openbravo/api/service/JSONWebService.java
---
(0166902)
hgbot   
2024-07-11 14:32   
Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/merge_requests/292 [^]