Anonymous | Login

Project:

News | My View | View Issues | Roadmap | Summary

View Issue Details[ Jump to Notes ]

[ Issue History ] [ Print ]

ID

0055952

Type

Category

Severity

Reproducibility

Date Submitted

Last Update

backport

[Openbravo ERP] A. Platform

major

always

2024-05-20 10:12

2024-07-11 14:32

Reporter

gorkaion

View Status

public

Assigned To

eugen_hamuraru

Priority

high

Resolution

fixed

Fixed in Version

Status

closed

Fix in branch

Fixed in SCM revision

Projection

none

ETA

none

Target Version

PR24Q2.1

OS

Any

Database

Any

Java version

OS Version

Database version

Ant version

Product Version

SCM revision

Review Assigned To

Web browser

Modules

Core

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

No

Summary

0055952: Extra acess required when return full object is enabled on POST Synchronous requests

Description

On a POST endpoint with synchronous execution enabled and return object mapping configured.

When trying to consume these endpoints with a manual role some extra accesses are required:
- Read access to tables API_Export_Filter and OBEI_Entity_Mapping
- Access to a window where the object created by the api can be viewed.

By default only Giftcards allows sync execution and this endpoint does not require access to API_Export_Filter. Enabling the sync execution on other endpoints like business partner, coupons or suscriptions require the access to that table.

Steps To Reproduce

- Create a Manual Role with restricted backend access and web services enabled.
- Try to execute a POST request on an endpoint with _synchronous and _returnFullObject enabled.
- Check the response is an error 500 with a truncated response message
- Check there is no error in the openbravo.log

Proposed Solution

- Allow executing POST requests with roles that do not have access to backend.
- Do not require require access to API and EntityMapping tables if the role has the web service access granted.

Tags

No tags attached.

Relationships [ Relation Graph ] [ Dependency Graph ]

blocks

defect

closed

Extra acess required when return full object is enabled on POST Synchronous requests

Notes
(0166834) hgbot (developer) 2024-07-09 12:18	Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/merge_requests/292 [^]

(0166901) hgbot (developer) 2024-07-11 14:32	Directly closing issue as related merge request is already approved. Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.api [^] Changeset: 97a030bd568543a7362d770657c6f0de523af9b2 Author: Eugen Hamuraru <eugen.hamuraru@openbravo.com> Date: 09-07-2024 12:15:36 URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/commit/97a030bd568543a7362d770657c6f0de523af9b2 [^] Fixes BUG-55952: roles without explicit permissions cannot use the API WS 24Q2 backport from 24Q3 Fixes the problem by using the admin mode in the following cases: - When reading the entity mapping configuration when creating the response of the import WS in synchronous mode. - When reading the filter information in the export WS - When reading the data of the entity to write it in the response of the export WS --- M src/org/openbravo/api/ApiExportFilterProvider.java M src/org/openbravo/api/service/ApiImportWebService.java M src/org/openbravo/api/service/ApiWebService.java M src/org/openbravo/api/service/JSONWebService.java ---

(0166902) hgbot (developer) 2024-07-11 14:32	Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/merge_requests/292 [^]

Issue History
Date Modified	Username	Field	Change
2024-07-09 12:14	alostale	Type	defect => backport
2024-07-09 12:14	alostale	Target Version	=> PR24Q2.1
2024-07-09 12:18	hgbot	Note Added: 0166834
2024-07-11 14:32	hgbot	Resolution	open => fixed
2024-07-11 14:32	hgbot	Status	scheduled => closed
2024-07-11 14:32	hgbot	Note Added: 0166901
2024-07-11 14:32	hgbot	Note Added: 0166902

Copyright © 2000 - 2009 MantisBT Group