MID-5791

Request roles (self-service) allows requesting roles with non-default relation even if the authz prohibits it on submit


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0.1
    • Fix Version/s: 4.0.1
    • Component/s: GUI
    • Labels:
    • Subscription:
      Internal

      Description

      1. my end user role contains:

          <authorization id="12">
              <name>assign-requestable-roles</name>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
              <phase>request</phase>
              <object id="25">
                  <special>self</special>
              </object>
              <target id="26">
                  <type>RoleType</type>
                  <filter>
                      <q:equal>
                          <q:path>requestable</q:path>
                          <q:value>true</q:value>
                      </q:equal>
                  </filter>
              </target>
              <relation>default</relation>
          </authorization>
      

      2. I log in as an end user who has this role and try to request a role.
      3. Before submitting, I set the relation to a non-default one, e.g. "Approver".
      4. The GUI allows this in the request phase even though it should not, as the relation is non-default. Submitting the request obviously fails because of the authorizations. (So from a security point of view it behaves correctly; just the UX is not good.)

      The combo box for relations in Request role should take this into account and not allow selection of a relation that I cannot use because of the authz...
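The following is an added example, not midPoint's own code: a simplified model of how an assign authorization such as the one in the report constrains target role and relation, used both to derive what the Request role combo box should offer and to keep the server-side check that ultimately rejects the submission. Relations are plain strings ("default", "approver", ...) rather than the QNames midPoint uses, the Role and Authorization classes and all sample data are constructed, and the matching rules are an assumption for illustration only.

```python
"""Simplified model of midPoint-style assignment authorizations (constructed
example, not midPoint's own code): decides whether an #assign authorization
permits a given target role and relation, and derives the set of relations a
self-service "Request role" combo box may offer."""
from dataclasses import dataclass
from typing import Iterable

# Action URI copied from the authorization quoted in the report.
ASSIGN_ACTION = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign"


@dataclass(frozen=True)
class Role:
    oid: str            # constructed identifier
    name: str
    requestable: bool   # the property the authorization's filter tests


@dataclass(frozen=True)
class Authorization:
    """One <authorization> element reduced to the fields the check needs.
    Relations are plain strings here, not midPoint QNames (assumption)."""
    name: str
    action: str
    phase: str
    target_type: str
    target_filter: dict          # e.g. {"requestable": True}
    relations: frozenset


def target_matches(authz: Authorization, role: Role) -> bool:
    """Both the <type> and the <filter> clauses of <target> must match the role."""
    if authz.target_type != "RoleType":
        return False
    return all(getattr(role, prop, None) == value
               for prop, value in authz.target_filter.items())


def authorizes(authz: Authorization, role: Role, relation: str, phase: str) -> bool:
    """True when this single authorization permits assigning role with relation in phase."""
    return (authz.action == ASSIGN_ACTION
            and authz.phase == phase
            and target_matches(authz, role)
            and relation in authz.relations)


def allowed_relations(authorizations: Iterable[Authorization], role: Role,
                      candidates: Iterable[str], phase: str = "request") -> set:
    """What the combo box should offer: only relations some authorization allows."""
    authz_list = list(authorizations)
    return {rel for rel in candidates
            if any(authorizes(a, role, rel, phase) for a in authz_list)}


def check_assignment_request(authorizations: Iterable[Authorization], role: Role,
                             relation: str, phase: str = "request") -> None:
    """Server-side enforcement; the UI filter above is only a courtesy."""
    if not any(authorizes(a, role, relation, phase) for a in authorizations):
        raise PermissionError(
            f"assign {role.name!r} with relation {relation!r} denied in {phase} phase")


# Constructed sample data mirroring the report's authorization.
END_USER_AUTHZ = [Authorization(
    name="assign-requestable-roles", action=ASSIGN_ACTION, phase="request",
    target_type="RoleType", target_filter={"requestable": True},
    relations=frozenset({"default"}))]
REQUESTABLE_ROLE = Role("role-0001", "Self-service role", requestable=True)
INTERNAL_ROLE = Role("role-0002", "Internal role", requestable=False)
ALL_RELATIONS = ["default", "approver", "owner", "manager"]

if __name__ == "__main__":
    # The combo box would be reduced to {'default'} for the end user.
    print(allowed_relations(END_USER_AUTHZ, REQUESTABLE_ROLE, ALL_RELATIONS))
    try:
        check_assignment_request(END_USER_AUTHZ, REQUESTABLE_ROLE, "approver")
    except PermissionError as e:
        print("rejected:", e)
```

The point the report makes is preserved in the split between the two functions: `allowed_relations` only improves the UX by hiding choices that can never succeed, while `check_assignment_request` remains the enforcement point, so a client that bypasses the GUI filter is still rejected at submit.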

            People

            Assignee:
            Ivan Noris
            Reporter:
            Ivan Noris
            Votes:
            0
            Watchers:
            2

              Dates

              Created:
              Updated:
              Resolved: