Prevent returning password field from SCIM #56
Comments
I'll get to this as soon as I can. Proposed idea in general looks OK though might need a bit of work to avoid lots of on-the-fly calculated hashes and intermediate objects. Sorry for the delay in responding - I was in the UK for 2 weeks (where my family lives - first trip back there for 5 years!) but thanks to lots of people coughing without masks on both of the long haul flights home, I came down with flu the day after I got back. Illness combined with 11 hours of jet lag (to NZ) hit rather hard and I'm only just starting to catch back up on everything now.
Sorry to hear that you are affected by the flu, @pond! Thanks for acknowledging this as a bug. I just realized this hack won't work without one more change. Here is the monkey patch that I added in my application when I completed E2E testing.
```ruby
# Monkey patch applied in the application during E2E testing. It strips every
# attribute whose schema marks it returned='never' (e.g. password) from the
# JSON that Scimitar renders for a resource.
module ScimitarResourceJSONOverride
  def as_json(options = {})
    # This check is needed so that password SCIM params are still parsed from
    # the request when passed from the controller to UserResource; otherwise
    # the password is not passed from the controller to the model.
    return super unless options.key?(:layout)

    non_returnable_attributes = self.class.schemas.flat_map(&:scim_attributes).filter_map do |attribute|
      attribute.name if attribute.returned == 'never'
    end

    super.except(*non_returnable_attributes)
  end
end

Scimitar::Resources::Base.include(ScimitarResourceJSONOverride)
```
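As an added illustration, not code from this issue or from Scimitar itself: a minimal stand-in serializer that reproduces the leak the issue describes (a password taken from the request echoed back in the response) beside a version that filters `returned='never'` attributes, plus a check you can run over captured response bodies. The `Attribute` struct, `USER_SCHEMA`, the `LeakyResource`/`Resource` classes and the `internal:` option are assumptions for the example; they are not Scimitar's real `Scimitar::Schema::User` or `Scimitar::Resources::Base`.

```ruby
# Added example, not Scimitar's code. The classes and USER_SCHEMA below are
# assumptions that stand in for Scimitar::Schema::User and
# Scimitar::Resources::Base so the behaviour can be run stand-alone.
require 'json'

# One schema attribute with its SCIM "returned" characteristic
# (RFC 7643: "always", "never", "default" or "request").
Attribute = Struct.new(:name, :returned)

# Constructed schema: password is returned='never', as in the SCIM core
# User schema.
USER_SCHEMA = [
  Attribute.new('userName', 'default'),
  Attribute.new('displayName', 'default'),
  Attribute.new('password', 'never'),
].freeze

# Names of every attribute that must never appear in a response.
def non_returnable_attributes(schema)
  schema.select { |attribute| attribute.returned == 'never' }.map(&:name)
end

# Before the fix: serialises every attribute it holds, so a password taken
# from the request is echoed straight back in the response body.
class LeakyResource
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes.transform_keys(&:to_s)
  end

  def as_json(_options = {})
    attributes.dup
  end
end

# After the fix: strips returned='never' attributes from anything rendered as
# a response. The hypothetical `internal: true` option keeps the full hash for
# in-process use (copying request params onto a model), so the password still
# reaches storage without ever being rendered to a client.
class Resource < LeakyResource
  def as_json(options = {})
    hash = super
    return hash if options[:internal]

    hidden = non_returnable_attributes(USER_SCHEMA)
    hash.reject { |name, _value| hidden.include?(name) }
  end
end

def response_body(resource)
  JSON.generate(resource.as_json)
end

# Check a serialised response (e.g. captured from a SCIM endpoint) for any
# attribute the schema says must never be returned. Returns the offending
# attribute names; an empty array means the response is clean.
def leaked_attributes(json_body, schema = USER_SCHEMA)
  parsed = JSON.parse(json_body)
  non_returnable_attributes(schema).select { |name| parsed.key?(name) }
end

if __FILE__ == $PROGRAM_NAME
  creds = { userName: 'alice', password: 'hunter2' } # constructed request body
  puts "before: #{response_body(LeakyResource.new(creds))}"
  puts "after:  #{response_body(Resource.new(creds))}"
end
```

The split between a response rendering and an internal hash is the same concern the `options.key?(:layout)` guard in the patch above addresses: the filter must apply only on the way out, or the password never reaches the model on the way in. `leaked_attributes` is the regression check worth keeping in a test suite once the fix is in place.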
@kuldeepaggarwal This took far too long, sorry. Once I got back there was a backlog of work and things snowballed from there. #80 implements (I think!) your initial suggestion, but without the amendment you have patched in with #56 (comment) - I don't think it's necessary (but don't entirely understand it so could be very wrong). Please can you check the PR and see if that looks OK, and/or otherwise elaborate on the
…e-fields Implement solution to issue #56, as suggested therein
@kuldeepaggarwal This should now be fixed via 2.6.0/2.6.1, or 1.7.0/1.7.1, all now on RubyGems. Please let me know if you agree and, if so, we can close this issue.
I think it's been long enough on this to just go ahead and close it. If you see problems, please open a new issue. Thanks!
This reverts commit 413280a.
Scimitar::Schema::User has a password attribute and, as per the definition, it should never be returned in the response. However, if the client sends a password and the service provider stores the password using the scim_attributes_map, then Scimitar is responding back with the password value.

I believe the issue is in Scimitar::Resources::Base#as_json, when we are calling scimitar/app/models/scimitar/resources/base.rb (line 143 in 914c0e1) without excluding those fields which have the property returned='never'.

Proposed Solution