Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Access denied to parent entity attribute for user without system-full-access role #61

Open
owlet1997 opened this issue Apr 2, 2021 · 1 comment
Open

Access denied to parent entity attribute for user without system-full-access role #61

owlet1997 opened this issue Apr 2, 2021 · 1 comment

Comments

@owlet1997
Copy link

based on forum's question

Environment

CUBA Platform version: 7.2.12
CUBA Studio plugin version: 15.3-202
IntelliJ version: IntelliJ IDEA 2020.3.1 (Community Edition)

Description of the bug

  • Minimal reproducible example
  1. Open attached project -> open data store settings and set right credentials -> create database
  2. Run app -> login as admin
  3. Create any students in student browser
  4. Open tenant management -> create tenant name 'user' -> generate group -> create admin for this tenant
  5. Set name 'user', password 'user', add role 'default-admin-tenant' -> Save
  6. Create role 'newrole' with access to entity Student, screens Student browser and Student Reports, menu items Application, reports -> save -> add to user 'user' this role -> save
  7. Logout and login as user -> open Student Reports screen

AR:
image

15:17:45.732 ERROR c.h.cuba.core.sys.ServiceInterceptor    - Exception in DataService.loadValues(..): com.haulmont.cuba.core.global.AccessDeniedException: ENTITY_ATTR testapp_Student.e.nation
15:17:45.737 ERROR com.haulmont.cuba.web.log.AppLog        - Exception in com.haulmont.cuba.web.widgets.CubaSideMenu: com.haulmont.cuba.core.global.AccessDeniedException: ENTITY_ATTR testapp_St

udent.e.nation

user has no access to attributes of entity NationEntity which is parent for Student
even admin has no opportunity to get access to parent entity because it's a mappedsuperclass

ER:
user should have access to parent entity attributes if access to child entity was permitted
@trx0eth7
Copy link

trx0eth7 commented Jun 1, 2021

In our project, we use default permission for any role, so maybe it's useful to someone as a workaround.
You should set up the next to app.properties:

cuba.security.defaultPermissionValuesConfigEnabled = true
cuba.defaultPermissionValuesConfig = +/com/path/some-permission-values.xml

some-permission-values.xml:

<default-permission-values xmlns="http://schemas.haulmont.com/cuba/default-permission-values.xsd">
    <!-- Entities -->
    <permission target="prefix$MappedSuperClass:property" value="1" type="30"/>
</default-permission-values>`

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@trx0eth7 @owlet1997