[ https://issues.apache.org/jira/browse/OFBIZ-3699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nicolas Malin closed OFBIZ-3699.
--------------------------------
    Fix Version/s: Upcoming Branch
       Resolution: Done

This issue is included in STORE-7113

> ServiceDispatcher.checkAuth modifies the context if the invocation service 
> has a permissionServiceName
> ------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-3699
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3699
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Bob Morley
>            Assignee: Nicolas Malin
>            Priority: Major
>             Fix For: Upcoming Branch
>
>
> Created as a result of thread: 
> http://n4.nabble.com/Magically-converted-types-from-simpleTypeConvert-td1838891.html
> The following code in the ServiceDispatcher ...
>         if (UtilValidate.isNotEmpty(origService.permissionServiceName)) {
>             ...
>             if (hasPermission.booleanValue()) {
>                 context.putAll(permResp);
>                 context = origService.makeValid(context, ModelService.IN_PARAM);
> ... causes the incoming context to be modified both by adding values from the 
> results of the permission service but also by converting any datatypes to 
> match those in the service definition.  This hides any invalid service 
> invocations (from a data type pov) and if the permissionServiceName is 
> removed, the code would start failing with the incorrect data types.
> Suggestion is to change this to something like ...
> Map<String, Object> permRespContext = ServiceUtil.setServiceFields(dctx, serviceName, permResp);
> context.putAll(permRespContext); 
> The concern is that by doing this there may be some services that were 
> relying on the data type conversion (because they were invalid requests) 
> which would start to fail.  Appropriate impact analysis of services that 
> define "permissionServiceName" and appropriate resolutions need to be 
> included with this change.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
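
The masking effect described in the report, as an added example that is not OFBiz code and not part of the original message: a simplified stand-in shows how coercing the caller's context inside the permission path makes an invalid invocation pass type validation. The class, the parameter map and all method names are hypothetical; the behaviour of the real `makeValid` and `setServiceFields` is only approximated.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified stand-in for the pattern in the report; not OFBiz code.
public class CheckAuthContextDemo {
    // Hypothetical service definition: IN parameter name -> declared type.
    static final Map<String, Class<?>> IN_PARAMS = Map.of("quantity", Integer.class, "productId", String.class);

    // Stand-in for a makeValid-style step: keeps declared fields and converts types.
    static Map<String, Object> coerce(Map<String, Object> ctx) {
        Map<String, Object> out = new HashMap<>();
        for (Map.Entry<String, Class<?>> p : IN_PARAMS.entrySet()) {
            Object v = ctx.get(p.getKey());
            if (v instanceof String && p.getValue() == Integer.class) v = Integer.valueOf((String) v);
            if (v != null) out.put(p.getKey(), v);
        }
        return out;
    }

    // Stand-in for parameter validation: true only if every value has its declared type.
    static boolean typesValid(Map<String, Object> ctx) {
        for (Map.Entry<String, Object> e : ctx.entrySet()) {
            Class<?> t = IN_PARAMS.get(e.getKey());
            if (t == null || !t.isInstance(e.getValue())) return false;
        }
        return true;
    }

    // Reported behaviour: merge the permission response, then coerce the whole context.
    static Map<String, Object> checkAuthCoercing(Map<String, Object> ctx, Map<String, Object> permResp) {
        Map<String, Object> merged = new HashMap<>(ctx);
        merged.putAll(permResp);
        return coerce(merged);
    }

    // Direction of the suggestion: filter only the permission response, leave caller values alone.
    static Map<String, Object> checkAuthPreserving(Map<String, Object> ctx, Map<String, Object> permResp) {
        Map<String, Object> merged = new HashMap<>(ctx);
        permResp.forEach((k, v) -> { if (IN_PARAMS.containsKey(k)) merged.put(k, v); });
        return merged;
    }

    public static void main(String[] args) {
        // Constructed invalid call: quantity is a String, the definition says Integer.
        Map<String, Object> call = Map.of("productId", "P-100", "quantity", "5");
        Map<String, Object> permResp = Map.of("hasPermission", Boolean.TRUE);
        System.out.println("no permission service: valid=" + typesValid(call));
        System.out.println("coercing checkAuth:    valid=" + typesValid(checkAuthCoercing(call, permResp)));
        System.out.println("preserving checkAuth:  valid=" + typesValid(checkAuthPreserving(call, permResp)));
    }
}
```

Only the coercing variant reports the malformed call as valid, which is why removing the permission service from such a definition would surface failures that were previously hidden.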
