Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
0055952 | Openbravo ERP | A. Platform | public | 2024-05-20 10:12 | 2024-07-11 14:32
gorkaion
eugen_hamuraru
high | major | always
closed | fixed
5
 
PR24Q2.1 
Core
No
0055952: Extra access required when return full object is enabled on POST Synchronous requests
On a POST endpoint with synchronous execution enabled and return object mapping configured.

When trying to consume these endpoints with a manual role some extra accesses are required:
- Read access to tables API_Export_Filter and OBEI_Entity_Mapping
- Access to a window where the object created by the api can be viewed.

By default only Giftcards allows sync execution and this endpoint does not require access to API_Export_Filter. Enabling the sync execution on other endpoints like business partner, coupons or subscriptions requires access to that table.

Steps to reproduce:
- Create a Manual Role with restricted backend access and web services enabled.
- Try to execute a POST request on an endpoint with _synchronous and _returnFullObject enabled.
- Check the response is an error 500 with a truncated response message
- Check there is no error in the openbravo.log

Proposed solution:
- Allow executing POST requests with roles that do not have access to backend.
- Do not require access to API and EntityMapping tables if the role has the web service access granted.
No tags attached.
blocks defect 0055517 closed eugen_hamuraru Extra access required when return full object is enabled on POST Synchronous requests
Issue History
2024-07-09 12:14 alostale Type: defect => backport
2024-07-09 12:14 alostale Target Version: => PR24Q2.1
2024-07-09 12:18 hgbot Note Added: 0166834
2024-07-11 14:32 hgbot Resolution: open => fixed
2024-07-11 14:32 hgbot Status: scheduled => closed
2024-07-11 14:32 hgbot Note Added: 0166901
2024-07-11 14:32 hgbot Note Added: 0166902

Notes
(0166834)
hgbot   
2024-07-09 12:18   
Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/merge_requests/292
(0166901)
hgbot   
2024-07-11 14:32   
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.api
Changeset: 97a030bd568543a7362d770657c6f0de523af9b2
Author: Eugen Hamuraru <eugen.hamuraru@openbravo.com>
Date: 09-07-2024 12:15:36
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/commit/97a030bd568543a7362d770657c6f0de523af9b2

Fixes BUG-55952: roles without explicit permissions cannot use the API WS

24Q2 backport from 24Q3

  Fixes the problem by using the admin mode in the following cases:
  - When reading the entity mapping configuration when creating the response of the import WS in synchronous mode.
  - When reading the filter information in the export WS
  - When reading the data of the entity to write it in the response of the export WS

---
M src/org/openbravo/api/ApiExportFilterProvider.java
M src/org/openbravo/api/service/ApiImportWebService.java
M src/org/openbravo/api/service/ApiWebService.java
M src/org/openbravo/api/service/JSONWebService.java
---
(0166902)
hgbot   
2024-07-11 14:32   
Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/merge_requests/292