OFBiz
  1. OFBiz
  2. OFBIZ-3699

ServiceDispatcher.checkAuth modifies the context if the invocation service has a permissionServiceName

    Details

    • Type: Bug Bug
    • Status: Open
    • Priority: Major Major
    • Resolution: Unresolved
    • Affects Version/s: Trunk
    • Fix Version/s: None
    • Component/s: framework
    • Labels:
      None

      Description

      Created as a result of thread: http://n4.nabble.com/Magically-converted-types-from-simpleTypeConvert-td1838891.html

      The follow code in the ServiceDispatcher ...

      if (UtilValidate.isNotEmpty(origService.permissionServiceName)) {
      ...
      if (hasPermission.booleanValue()) {
      context.putAll(permResp);
      context = origService.makeValid(context, ModelService.IN_PARAM);

      ... causes the incoming context to be modified both by adding values from the results of the permission service but also by converting any datatypes to match those in the service definition. This hides any invalid service invocations (from a data type pov) and if the permisionServiceName is removed, the code would start failing with the incorrect data types.

      Suggest is to change this to something like ...

      Map<String, Object> permRespContext = ServiceUtil.setServiceFields(dctx, serviceName, permResp);
      context.putAll(permRespContext);

      The concern is that by doing this there may be some services that were relying on the data type conversion (because they were invalid requests) which would start to fail. Appropriate impact analysis of services that define "permissionServiceName" and appropriate resolutions need to be included with this change.

        Activity

          People

          • Assignee:
            Unassigned
            Reporter:
            Bob Morley
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:

              Development