View Issue Details
ID: 0055517
Type: defect
Category: [Openbravo ERP] A. Platform
Severity: major
Reproducibility: always
Date Submitted: 2024-05-20 10:12
Last Update: 2024-07-09 12:14
Reporter: gorkaion
View Status: public
Assigned To: eugen_hamuraru
Priority: high
Resolution: fixed
Fixed in Version:
Status: closed
Fix in branch:
Fixed in SCM revision: 153b9955e6cc
Projection: none
ETA: none
Target Version:
OS: Any
Database: Any
Java version:
OS Version:
Database version:
Ant version:
Product Version:
SCM revision:
Review Assigned To:
Web browser:
Modules: Core
Regression level:
Regression date:
Regression introduced in release:
Regression introduced by commit:
Triggers an Emergency Pack: No
Summary

0055517: Extra access required when return full object is enabled on POST Synchronous requests

Description
On a POST endpoint with synchronous execution enabled and return object mapping configured, when trying to consume these endpoints with a manual role, some extra accesses are required:
- Read access to tables API_Export_Filter and OBEI_Entity_Mapping
- Access to a window where the object created by the api can be viewed.

By default, only Giftcards allows sync execution, and this endpoint does not require access to API_Export_Filter. Enabling sync execution on other endpoints like business partner, coupons or subscriptions requires access to that table.

Steps To Reproduce
- Create a Manual Role with restricted backend access and web services enabled.
- Try to execute a POST request on an endpoint with _synchronous and _returnFullObject enabled.
- Check the response is an error 500 with a truncated response message.
- Check there is no error in the openbravo.log.

Proposed Solution
- Allow executing POST requests with roles that do not have access to backend.
- Do not require access to API and EntityMapping tables if the role has the web service access granted.

Tags: No tags attached.

Relationships
- depends on: backport 0055952 (PR24Q2.1), closed, eugen_hamuraru, Openbravo ERP: Extra access required when return full object is enabled on POST Synchronous requests
- related to: defect 0055546, closed, Triage Platform Conn, Modules: Roles with restricted backend access cannot see the Swagger Doc

Notes
(0164829)
hgbot (developer)
2024-05-20 15:53

Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/1250
(0164864)
hgbot (developer)
2024-05-20 17:38

Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/merge_requests/273
(0164865)
hgbot (developer)
2024-05-20 17:39

Merge request closed: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/1250
(0164894)
hgbot (developer)
2024-05-21 13:23

Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/1251
(0164907)
hgbot (developer)
2024-05-21 16:36

Merge request closed: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/1251
(0164983)
hgbot (developer)
2024-05-22 16:49

Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.api
Changeset: 153b9955e6ccde35d16cb2faf598794bd5c7dc4f
Author: Eugen Hamuraru <eugen.hamuraru@openbravo.com>
Date: 22-05-2024 14:49:07
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/commit/153b9955e6ccde35d16cb2faf598794bd5c7dc4f

Fixes BUG-55517: roles without explicit permissions cannot use the API WS

  Fixes the problem by using the admin mode in the following cases:
  - When reading the entity mapping configuration when creating the response of the import WS in synchronous mode.
  - When reading the filter information in the export WS
  - When reading the data of the entity to write it in the response of the export WS

---
M src/org/openbravo/api/ApiExportFilterProvider.java
M src/org/openbravo/api/service/ApiImportWebService.java
M src/org/openbravo/api/service/ApiWebService.java
M src/org/openbravo/api/service/JSONWebService.java
---
(0164984)
hgbot (developer)
2024-05-22 16:49

Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/merge_requests/273

Issue History
Date Modified Username Field Change
2024-05-20 10:12 gorkaion New Issue
2024-05-20 10:12 gorkaion Assigned To => Triage Platform Base
2024-05-20 10:12 gorkaion Modules => Core
2024-05-20 10:12 gorkaion Triggers an Emergency Pack => No
2024-05-20 15:53 hgbot Note Added: 0164829
2024-05-20 17:38 hgbot Note Added: 0164864
2024-05-20 17:39 hgbot Note Added: 0164865
2024-05-21 13:23 hgbot Note Added: 0164894
2024-05-21 16:18 caristu Relationship added related to 0048976
2024-05-21 16:33 caristu Description Updated
2024-05-21 16:36 hgbot Note Added: 0164907
2024-05-22 09:46 caristu Relationship added related to 0055546
2024-05-22 09:47 caristu Relationship deleted related to 0048976
2024-05-22 15:47 AugustoMauch Assigned To Triage Platform Base => eugen_hamuraru
2024-05-22 16:49 hgbot Resolution open => fixed
2024-05-22 16:49 hgbot Status new => closed
2024-05-22 16:49 hgbot Note Added: 0164983
2024-05-22 16:49 hgbot Note Added: 0164984
2024-07-09 12:13 alostale Status closed => new
2024-07-09 12:13 alostale Resolution fixed => open
2024-07-09 12:13 alostale Status new => acknowledged
2024-07-09 12:14 alostale Status acknowledged => scheduled
2024-07-09 12:14 alostale Status scheduled => resolved
2024-07-09 12:14 alostale Fixed in SCM revision => https://gitlab.com/openbravo/product/pmods/org.openbravo.api/-/commit/153b9955e6ccde35d16cb2faf598794bd5c7dc4f
2024-07-09 12:14 alostale Resolution open => fixed
2024-07-09 12:14 alostale Status resolved => closed

