API subscription fails with insufficient rights error

[exalate-issue-sync]

Describe the bug :

When shared API keys are enabled, for the second API subscription, when the choice of whether or not a shared key is to be used must be made, the user must have the Application Definition Update permission. Subsequent subscriptions will all automatically use the shared key (or individual keys depending on the choice) and will not need this permission.

To Reproduce :

Steps to reproduce the behaviour:

1. Enable shared API keys in the Settings
2. Create an application with User 1 and give User 2 the Application USER role
3. As User 2, log in to the developer portal
4. Subscribe to the application with an API, and it should be successful
5. Subscribe to the application with another API. This time, the option to choose Shared API Key mode should appear and be selected. This results in an error.
6. The primary owner of the application, or any user with a role that has the Application Definition Update permission will be able to subscribe the second API, selecting the Shared API Key mode, and have it subscribe successfully.
7. Once Shared API Key mode has been selected, User 2 can successfully perform all subsequent subscriptions.

Expected behaviour :

There should be a way for one user with the Create Subscriptions permission to be able to create all subscriptions when a shared API key is to be used.

Current behaviour :

If using a shared API key, a user with the Definition Update permission is needed to complete the second API subscription, as the application definition is updated here and requires more than the Create Subscriptions permission.

Desktop :

• Environment: 3.20.20, 3.20.19

[exalate-issue-sync]

This issue will be fixed in versions 4.0.13, 3.20.24, 4.2.0, 4.1.4