REST API Ignores User Role Scope #35465

Closed
engcom-Delta opened this issue May 12, 2022 · 4 comments
Labels
Adobe Commerce The issue related to the Adobe Commerce(EE) or B2B functionality Area: APIs Issue: Confirmed Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed Priority: P2 A defect with this priority could have functionality issues which are not to expectations. Progress: done Reproduced on 2.4.x The issue has been reproduced on latest 2.4-develop branch

Comments

@engcom-Delta
Contributor

Description:
https://github.com/magento/partners-magento2ee/issues/92

Preconditions (*)

  1. Magento 2.2.10 & 2.3.x EE
  2. Multi-site installation (min 2 store views)
  3. Orders placed against multiple store views

Steps to reproduce (*)

  1. Create a new admin user role in a multi-site setup
  2. Assign the user role's scope to 1 store view
     [screenshot]
  3. Create a new admin user and attach the previously created role to the new user
  4. Create an admin token via a REST call using the newly created user (/V1/integration/admin/token)
  5. Call the orders REST API with the above token (/V1/orders)
     [screenshot]

Expected result (*)

  1. Only orders in the store view that matches the admin user's role scope will be returned

Actual result (*)

  1. All orders for all store views are returned, ignoring the user role scope
  2. Screenshot for reference

[Screenshot 2022-05-12 at 8 23 42 PM]

@m2-assistant

m2-assistant bot commented May 12, 2022

Hi @engcom-Delta. Thank you for your report.
To speed up processing of this issue, make sure that you provided the following information:

  • Summary of the issue
  • Information on your environment
  • Steps to reproduce
  • Expected and actual results

Make sure that the issue is reproducible on a vanilla Magento instance following the Steps to reproduce. To deploy a vanilla Magento instance on our environment, add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, review the Magento Contributor Assistant documentation.

Add a comment to assign the issue: @magento I am working on this

To learn more about issue processing workflow, refer to the Code Contributions.


⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

🕙 You can find the schedule on the Magento Community Calendar page.

📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

✏️ Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

@github-jira-sync-bot

✅ Jira issue https://jira.corp.magento.com/browse/AC-3124 is successfully created for this GitHub issue.

@m2-assistant

m2-assistant bot commented May 20, 2022

✅ Confirmed by @engcom-Hotel. Thank you for verifying the issue.
Issue Available: @engcom-Hotel, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

@engcom-Delta
Contributor Author

engcom-Delta commented Jul 15, 2022

After further investigation and confirmation from @glo82145, we found out that currently, in the existing system, this is the default behaviour: store-scope-wise filtering of data is not done according to the user role scope. The scopes of users that are defined in the acl.xml file of any module are only used to grant access to APIs (which user can access which API) and currently do not filter data.

Hence, this is working according to the default behaviour.

Hence closed
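Because the role scope gates access to /V1/orders but does not filter its result set (the maintainer's explanation above), an operator who relies on store-scoped admin roles should verify what a scoped token actually receives. The following audit helper is an added example, not Magento code: it parses an orders response and reports every order outside the store views the role is allowed to see. The `fetch_orders` function repeats steps 4 and 5 of the report against an assumed base URL; the sample response is constructed.

```python
"""Audit helper (added example, not Magento code): check whether orders returned
by /V1/orders stay within the store views an admin role is scoped to."""
import json
import urllib.request

# Constructed sample of a /V1/orders response: two orders from store view 1,
# one from store view 2 (field names follow Magento's order entity).
SAMPLE_ORDERS_RESPONSE = json.dumps({
    "items": [
        {"entity_id": 1001, "increment_id": "000000101", "store_id": 1},
        {"entity_id": 1002, "increment_id": "000000102", "store_id": 2},
        {"entity_id": 1003, "increment_id": "000000103", "store_id": 1},
    ],
    "total_count": 3,
})


def out_of_scope_orders(orders_json, allowed_store_ids):
    """Return the orders whose store_id is outside the role's scope.

    An empty list means the API honoured the scope; anything else is the
    behaviour the issue reports (scope used for access, not for filtering).
    """
    allowed = {int(s) for s in allowed_store_ids}
    items = json.loads(orders_json).get("items", [])
    return [o for o in items if int(o.get("store_id", -1)) not in allowed]


def scope_report(orders_json, allowed_store_ids):
    """Summarise the check as a dict suitable for logging or alerting."""
    leaked = out_of_scope_orders(orders_json, allowed_store_ids)
    return {
        "scope_enforced": not leaked,
        "out_of_scope_count": len(leaked),
        "out_of_scope_increment_ids": [o["increment_id"] for o in leaked],
    }


def fetch_orders(base_url, username, password):
    """Live variant of the repro (assumed base_url; not executed offline):
    obtain an admin token for the scoped user, then list orders with it."""
    token_req = urllib.request.Request(
        f"{base_url}/rest/V1/integration/admin/token",
        data=json.dumps({"username": username, "password": password}).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(token_req) as resp:
        token = json.loads(resp.read())
    orders_req = urllib.request.Request(
        f"{base_url}/rest/V1/orders?searchCriteria[pageSize]=200",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(orders_req) as resp:
        return resp.read().decode()
```

Running `scope_report(fetch_orders(...), [1])` against an instance with a role scoped to store view 1 reproduces the report: the response contains store view 2 orders, so `scope_enforced` is False.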
