Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

/report endpoint responds with 403 - VersionRepository.ensureExists #446

Closed
johan12345 opened this issue Aug 29, 2023 · 1 comment
Closed

/report endpoint responds with 403 - VersionRepository.ensureExists #446

johan12345 opened this issue Aug 29, 2023 · 1 comment

Comments

@johan12345
Copy link

I have a fresh install of Acrarium 2.0.0-beta03 using Docker and want to test it before introducing it as crash reporting backend for my app. However, all crash reports are rejected by the server with an error code 403. Enabling verbose logging shows the following:

  • Authentication seems to work, and the user is correctly given REPORTER authority:
UsernamePasswordAuthenticationToken [Principal=xxxxxxxxxxxxx, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=xx.xx.xx.xx, SessionId=xxxxxxxxxxxxxxxxx], Granted Authorities=[REPORTER]]]
  • After that, access is still denied, and the stack trace shows this happens when calling VersionRepository.ensureExists:
org.springframework.security.access.AccessDeniedException: Access Denied
        at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.attemptAuthorization(AuthorizationManagerBeforeMethodInterceptor.java:257) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.invoke(AuthorizationManagerBeforeMethodInterceptor.java:198) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184) ~[spring-aop-6.0.11.jar:6.0.11]
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:756) ~[spring-aop-6.0.11.jar:6.0.11]
        at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:708) ~[spring-aop-6.0.11.jar:6.0.11]
        at com.faendir.acra.persistence.version.VersionRepository$$SpringCGLIB$$0.ensureExists-TPuOtcY(<generated>) ~[classes/:2.0.0-beta03]
        at com.faendir.acra.domain.ReportService.create(ReportService.kt:71) ~[classes/:2.0.0-beta03]

VersionRepository.ensureExists is annotated with @PreAuthorize("hasEditPermission(#appId)") - but it seems that when the reporter user is created, it is never assigned edit permissions for the associated app. Looking at the database, the user_permissions table is empty.
@johan12345
Copy link
Author

after working around this by manually creating the permission in the database like this:

insert into user_permissions ('suEzGozbzlLIahr9', 1, EDIT);

it is now stuck at the next issue:

java.lang.IllegalArgumentException: Failed to evaluate expression 'hasViewPermission(#identifier.appId)'
        at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:33) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager.check(PreAuthorizeAuthorizationManager.java:68) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager.check(PreAuthorizeAuthorizationManager.java:40) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.security.authorization.ObservationAuthorizationManager.check(ObservationAuthorizationManager.java:57) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.security.config.annotation.method.configuration.DeferringObservationAuthorizationManager.check(DeferringObservationAuthorizationManager.java:47) ~[spring-security-config-6.1.2.jar:6.1.2]
        at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.attemptAuthorization(AuthorizationManagerBeforeMethodInterceptor.java:252) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.invoke(AuthorizationManagerBeforeMethodInterceptor.java:198) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184) ~[spring-aop-6.0.11.jar:6.0.11]
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:756) ~[spring-aop-6.0.11.jar:6.0.11]
        at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:708) ~[spring-aop-6.0.11.jar:6.0.11]
        at com.faendir.acra.persistence.bug.BugRepository$$SpringCGLIB$$0.findId-QTZCnnY(<generated>) ~[classes/:2.0.0-beta03]
        at com.faendir.acra.domain.ReportService.create(ReportService.kt:73) ~[classes/:2.0.0-beta03]
[...]
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1008E: Property or field 'appId' cannot be found on object of type 'com.faendir.acra.persistence.bug.BugIdentifier' - maybe not public or not valid?
        at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:222) ~[spring-expression-6.0.11.jar:6.0.11]
[...]

Is reporting in the 2.0.0-beta version actually working for anyone?

@johan12345 johan12345 mentioned this issue Aug 30, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@johan12345