Cannot use entity-permission for the url-policy #37

stcarrez · 2022-12-04T08:06:03Z

When we have an entity permission like:

  <entity-permission>
    <name>member-view</name>
    <entity-type>awa_workspace</entity-type>
    <description>Grant the member view </description>
    <sql>
       SELECT acl.id FROM awa_acl AS acl
            WHERE acl.entity_type = :entity_type
            AND acl.user_id = :user_id
            AND acl.entity_id = 1
            AND acl.permission = $permission[member-view]
    </sql>
  </entity-permission>

if we want to use the permission in an url-policy like:

  <url-policy>
    <permission>member-view</permission>
    <url-pattern>/members/admin/.*</url-pattern>
    <url-pattern>/members/.*</url-pattern>
  </url-policy>

then the entity-permission is always rejected because when we evaluate it there is no entity-id to evaluate and the permission controller immediately reject the permission even if the SQL query does not make reference to the entity-id.

If the SQL does not references the :entity_id parameter, then the controller should proceed and run the SQL query to check the permission (instead of rejecting without checking).

The text was updated successfully, but these errors were encountered:

stcarrez added the bug label Dec 4, 2022

stcarrez changed the title ~~Fix using entity-permission in the url-policy~~ Cannot use entity-permission for the url-policy Dec 4, 2022

stcarrez closed this as completed in cb64b77 Dec 4, 2022

stcarrez pushed a commit that referenced this issue Dec 4, 2022

Mention fix #37 for entity-permission

cb41e0a

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cannot use entity-permission for the url-policy #37

Cannot use entity-permission for the url-policy #37

stcarrez commented Dec 4, 2022

Cannot use entity-permission for the url-policy #37

Cannot use entity-permission for the url-policy #37

Comments

stcarrez commented Dec 4, 2022