0055952: Extra acess required when return full object is enabled on POST Synchronous requests

Openbravo Issue Tracking System - Openbravo ERP

View Issue Details

Project

Category

View Status

Date Submitted

Last Update

0055952

Openbravo ERP

A. Platform

public

2024-05-20 10:12

2024-07-11 14:32

Reporter

gorkaion

Assigned To

eugen_hamuraru

Priority

high

Severity

major

Reproducibility

always

Status

closed

Resolution

fixed

Platform

OS Version

Product Version

Target Version

PR24Q2.1

Fixed in Version

Merge Request Status

Review Assigned To

OBNetwork customer

Web browser

Modules

Core

Support ticket

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

Summary

0055952: Extra acess required when return full object is enabled on POST Synchronous requests

Description

On a POST endpoint with synchronous execution enabled and return object mapping configured.

When trying to consume these endpoints with a manual role some extra accesses are required:
- Read access to tables API_Export_Filter and OBEI_Entity_Mapping
- Access to a window where the object created by the api can be viewed.

By default only Giftcards allows sync execution and this endpoint does not require access to API_Export_Filter. Enabling the sync execution on other endpoints like business partner, coupons or suscriptions require the access to that table.

Steps To Reproduce

- Create a Manual Role with restricted backend access and web services enabled.
- Try to execute a POST request on an endpoint with _synchronous and _returnFullObject enabled.
- Check the response is an error 500 with a truncated response message
- Check there is no error in the openbravo.log

Proposed Solution

- Allow executing POST requests with roles that do not have access to backend.
- Do not require require access to API and EntityMapping tables if the role has the web service access granted.

Additional Information