View Issue Details
ID: 0055952
Type: backport
Category: [Openbravo ERP] A. Platform
Severity: major
Reproducibility: always
Date Submitted: 2024-05-20 10:12
Last Update: 2024-07-11 14:32
Reporter: gorkaion
View Status: public
Assigned To: eugen_hamuraru
Priority: high
Resolution: fixed
Status: closed
Projection: none
ETA: none
Target Version: PR24Q2.1
OS: Any
Database: Any
Modules: Core
Triggers an Emergency Pack: No
Summary

0055952: Extra access required when return full object is enabled on POST Synchronous requests

Description

On a POST endpoint with synchronous execution enabled and return object mapping configured.

When trying to consume these endpoints with a manual role, some extra accesses are required:
- Read access to tables API_Export_Filter and OBEI_Entity_Mapping
- Access to a window where the object created by the API can be viewed.

By default only Giftcards allows sync execution, and this endpoint does not require access to API_Export_Filter. Enabling the sync execution on other endpoints like business partner, coupons or subscriptions requires access to that table.
Steps To Reproduce

- Create a Manual Role with restricted backend access and web services enabled.
- Try to execute a POST request on an endpoint with _synchronous and _returnFullObject enabled.
- Check the response is an error 500 with a truncated response message.
- Check there is no error in the openbravo.log.

Proposed Solution

- Allow executing POST requests with roles that do not have access to the backend.
- Do not require access to the API and EntityMapping tables if the role has the web service access granted.
Tags: No tags attached.
Relationships

blocks defect 0055517 (closed, eugen_hamuraru): Extra access required when return full object is enabled on POST Synchronous requests

Notes

(0166834) hgbot (developer) 2024-07-09 12:18

Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/merge_requests/292
(0166901) hgbot (developer) 2024-07-11 14:32

Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.api
Changeset: 97a030bd568543a7362d770657c6f0de523af9b2
Author: Eugen Hamuraru <eugen.hamuraru@openbravo.com>
Date: 09-07-2024 12:15:36
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/commit/97a030bd568543a7362d770657c6f0de523af9b2

Fixes BUG-55952: roles without explicit permissions cannot use the API WS

24Q2 backport from 24Q3

  Fixes the problem by using the admin mode in the following cases:
  - When reading the entity mapping configuration when creating the response of the import WS in synchronous mode.
  - When reading the filter information in the export WS
  - When reading the data of the entity to write it in the response of the export WS

---
M src/org/openbravo/api/ApiExportFilterProvider.java
M src/org/openbravo/api/service/ApiImportWebService.java
M src/org/openbravo/api/service/ApiWebService.java
M src/org/openbravo/api/service/JSONWebService.java
---
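An added illustration of the pattern the changeset note describes, not code from the changeset or from the org.openbravo.api module: the configuration lookup (entity mapping, export filter) runs under Openbravo's admin mode, while the entity write stays under the caller's role. Class and method names are hypothetical; the DAL calls OBContext.setAdminMode, OBContext.restorePreviousMode, OBDal.get and OBDal.save are assumed to behave as in the core platform.

```java
import org.openbravo.base.structure.BaseOBObject;
import org.openbravo.dal.core.OBContext;
import org.openbravo.dal.service.OBDal;

// Hypothetical helper illustrating the fix pattern; not Openbravo's own class.
public final class ScopedAdminRead {

  // Read-only lookup of mapping/filter configuration. Admin mode bypasses the
  // caller role's table-level read access only for the duration of this block,
  // so a manual role with web-service access but no window access can still
  // build the _returnFullObject response without extra table grants.
  public static <T extends BaseOBObject> T readConfig(Class<T> type, String id) {
    OBContext.setAdminMode(true); // true: keep client/organization access checks
    try {
      return OBDal.getInstance().get(type, id);
    } finally {
      OBContext.restorePreviousMode(); // always restore, even if get() throws
    }
  }

  // The entity write deliberately stays outside admin mode: the caller's role
  // must still hold write access, otherwise the DAL raises OBSecurityException.
  public static void writeEntity(BaseOBObject entity) {
    OBDal.getInstance().save(entity);
    OBDal.getInstance().flush();
  }
}
```

Keeping the admin-mode window limited to configuration reads is what preserves the role's restrictions on the write path; wrapping the save in the same block would silently widen what a web-service role can create.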
(0166902) hgbot (developer) 2024-07-11 14:32

Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/merge_requests/292

Issue History
Date Modified Username Field Change
2024-07-09 12:14 alostale Type defect => backport
2024-07-09 12:14 alostale Target Version => PR24Q2.1
2024-07-09 12:18 hgbot Note Added: 0166834
2024-07-11 14:32 hgbot Resolution open => fixed
2024-07-11 14:32 hgbot Status scheduled => closed
2024-07-11 14:32 hgbot Note Added: 0166901
2024-07-11 14:32 hgbot Note Added: 0166902