View Issue Details
ID | 0055952
Type | backport
Category | [Openbravo ERP] A. Platform
Severity | major
Reproducibility | always
Date Submitted | 2024-05-20 10:12
Last Update | 2024-07-11 14:32
Reporter | gorkaion
View Status | public
Assigned To | eugen_hamuraru
Priority | high
Resolution | fixed
Status | closed
Projection | none
ETA | none
Target Version | PR24Q2.1
OS | Any
Database | Any
Modules | Core
Triggers an Emergency Pack | No
Summary | 0055952: Extra access required when return full object is enabled on POST synchronous requests
Description | On a POST endpoint with synchronous execution enabled and return object mapping configured, consuming the endpoint with a manual role requires some extra accesses:
- Read access to the tables API_Export_Filter and OBEI_Entity_Mapping.
- Access to a window where the object created by the API can be viewed.
By default only Giftcards allows sync execution, and this endpoint does not require access to API_Export_Filter. Enabling sync execution on other endpoints, such as business partner, coupons or subscriptions, requires access to that table.
Steps To Reproduce |
- Create a Manual Role with restricted backend access and web services enabled.
- Try to execute a POST request on an endpoint with _synchronous and _returnFullObject enabled.
- Check that the response is an error 500 with a truncated response message.
- Check that there is no error in the openbravo.log.
Proposed Solution |
- Allow executing POST requests with roles that do not have access to the backend.
- Do not require access to the API and EntityMapping tables if the role has web service access granted.
Tags | No tags attached.

Notes
(0166834) hgbot (developer) 2024-07-09 12:18 |
Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/merge_requests/292
(0166901) hgbot (developer) 2024-07-11 14:32 |
Directly closing issue as related merge request is already approved.
Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.api
Changeset: 97a030bd568543a7362d770657c6f0de523af9b2
Author: Eugen Hamuraru <eugen.hamuraru@openbravo.com>
Date: 09-07-2024 12:15:36
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/commit/97a030bd568543a7362d770657c6f0de523af9b2

Fixes BUG-55952: roles without explicit permissions cannot use the API WS

24Q2 backport from 24Q3

Fixes the problem by using the admin mode in the following cases:
- When reading the entity mapping configuration when creating the response of the import WS in synchronous mode.
- When reading the filter information in the export WS
- When reading the data of the entity to write it in the response of the export WS
---
M src/org/openbravo/api/ApiExportFilterProvider.java
M src/org/openbravo/api/service/ApiImportWebService.java
M src/org/openbravo/api/service/ApiWebService.java
M src/org/openbravo/api/service/JSONWebService.java
---
(0166902) hgbot (developer) 2024-07-11 14:32 |
Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/merge_requests/292
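The proposed solution and the commit note describe the fix as reading the entity mapping and export filter configuration in admin mode, so that a role with web service access no longer needs an explicit read grant on API_Export_Filter and OBEI_Entity_Mapping. The following is an added illustration of that pattern written for this page; it is not code from org.openbravo.api or from the merge request. It assumes the Openbravo DAL classes OBContext (setAdminMode/restorePreviousMode), OBDal and OBCriteria, takes the entity class as a parameter because the Java class names behind those two tables are not given on the issue page, and takes the outcome of the web service access check as a boolean supplied by the calling endpoint (a hypothetical contract).

```java
// Added example (hypothetical helper, not part of org.openbravo.api):
// read one configuration row on behalf of a role that has web-service access
// but no explicit read grant on the configuration table.
package org.openbravo.api.example; // hypothetical package

import org.hibernate.criterion.Restrictions;
import org.openbravo.base.exception.OBSecurityException;
import org.openbravo.base.structure.BaseOBObject;
import org.openbravo.dal.core.OBContext;
import org.openbravo.dal.service.OBCriteria;
import org.openbravo.dal.service.OBDal;

public class ScopedAdminRead {

  /**
   * Reads one configuration row with an elevation that is (1) gated on the
   * caller's web-service access, (2) scoped to this single read, and
   * (3) still subject to client/organization isolation.
   *
   * @param entityClass             DAL entity of the configuration table, for
   *                                example the class generated for
   *                                OBEI_Entity_Mapping (name not on the page)
   * @param property                entity property to match
   * @param value                   value the property must equal
   * @param webServiceAccessGranted result of the web-service access check the
   *                                endpoint already performed on the caller's
   *                                role (assumed contract with the caller)
   */
  @SuppressWarnings("unchecked")
  public static <T extends BaseOBObject> T readConfigAsAdmin(Class<T> entityClass,
      String property, Object value, boolean webServiceAccessGranted) {

    // Elevation never replaces the access check: a caller whose role has no
    // web-service access is rejected before any privileged read happens.
    if (!webServiceAccessGranted) {
      throw new OBSecurityException("Role has no web service access");
    }

    // setAdminMode(true) lifts the per-table read check that, per the issue,
    // surfaces as an error 500 for a restricted manual role, while the
    // "true" argument keeps client/organization access checks enabled.
    OBContext.setAdminMode(true);
    try {
      OBCriteria<T> criteria = OBDal.getInstance().createCriteria(entityClass);
      criteria.add(Restrictions.eq(property, value));
      // Keep data isolation even though the table-level grant is bypassed:
      // only rows of clients/organizations readable by the caller are returned.
      criteria.setFilterOnReadableClients(true);
      criteria.setFilterOnReadableOrganization(true);
      criteria.setMaxResults(1);
      return (T) criteria.uniqueResult();
    } finally {
      // Always restore the previous mode, so the elevation cannot leak into
      // later work in the same request if the read throws.
      OBContext.restorePreviousMode();
    }
  }
}
```

The try/finally is the part to check when reviewing a change like the one merged here: an early return or exception between setAdminMode and restorePreviousMode would leave the request running with admin privileges for everything that follows, which is a larger exposure than the missing table grant the fix removes.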
Issue History

Date Modified | Username | Field | Change
2024-07-09 12:14 | alostale | Type | defect => backport
2024-07-09 12:14 | alostale | Target Version | => PR24Q2.1
2024-07-09 12:18 | hgbot | Note Added: 0166834 |
2024-07-11 14:32 | hgbot | Resolution | open => fixed
2024-07-11 14:32 | hgbot | Status | scheduled => closed
2024-07-11 14:32 | hgbot | Note Added: 0166901 |
2024-07-11 14:32 | hgbot | Note Added: 0166902 |