  1. mod-finance
  2. MODFIN-129

Mod-finance calls api without requesting permissions for it.


    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3
    • Resolution: Done
    • Affects Version/s: 2.0.1
    • Fix Version/s: 3.0.0
    • Labels:
      None
    • Template:
    • Sprint:
      ACQ Sprint 88, ACQ Sprint 89
    • Story Points:
      1
    • Development Team:
      Thunderjet

      Description

      Mod-finance uses api:
      GET /finance-storage/fiscal-years/{id}

      called from:
      POST /finance/budgets

      without declaring the required permission:

      finance-storage.fiscal-years.item.get

      in the module descriptor as seen here:

      {
        "methods": ["POST"],
        "pathPattern": "/finance/budgets",
        "permissionsRequired": ["finance.budgets.item.post"],
        "modulePermissions": [
          "finance-storage.budgets.item.post",
          "finance-storage.group-fund-fiscal-years.collection.get",
          "finance-storage.group-fund-fiscal-years.item.put",
          "finance-storage.transactions.item.post"
        ]
      }
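
An added example, not part of the original issue or of mod-finance: a small audit that compares a handler's `modulePermissions` with the `permissionsRequired` of the endpoints it calls, so a gap like the one reported here is caught before deployment. The `PROVIDER` excerpt, the `OUTBOUND` call map and all function names are assumptions constructed from the path and permission named in the description.

```python
import json
import re

# Constructed inputs: CALLER is the handler entry quoted in the issue; PROVIDER is an
# assumed excerpt of the storage module's descriptor; OUTBOUND is a hand-written map of
# the calls each handler makes (a module descriptor does not record these).
CALLER = json.loads("""
{ "methods": ["POST"], "pathPattern": "/finance/budgets",
  "permissionsRequired": ["finance.budgets.item.post"],
  "modulePermissions": [
    "finance-storage.budgets.item.post",
    "finance-storage.group-fund-fiscal-years.collection.get",
    "finance-storage.group-fund-fiscal-years.item.put",
    "finance-storage.transactions.item.post" ] }
""")
PROVIDER = [{"methods": ["GET"], "pathPattern": "/finance-storage/fiscal-years/{id}",
             "permissionsRequired": ["finance-storage.fiscal-years.item.get"]}]
OUTBOUND = {("POST", "/finance/budgets"): [("GET", "/finance-storage/fiscal-years/{id}")]}


def pattern_to_regex(path_pattern):
    """Turn '/a/{id}' into a regex where each {name} matches one path segment."""
    parts = re.split(r"(\{[^/{}]+\})", path_pattern)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "/?$")


def required_permissions(method, path, provider_handlers):
    """Permissions the provider demands for one outbound call (empty if unknown)."""
    probe = re.sub(r"\{[^/{}]+\}", "x", path)  # concrete stand-in for placeholders
    needed = set()
    for h in provider_handlers:
        if method in h["methods"] and pattern_to_regex(h["pathPattern"]).match(probe):
            needed.update(h.get("permissionsRequired", []))
    return needed


def missing_module_permissions(handler, outbound, provider_handlers):
    """Permissions a handler's outbound calls need but modulePermissions omits."""
    granted = set(handler.get("modulePermissions", []))
    missing = set()
    for method in handler["methods"]:
        for call in outbound.get((method, handler["pathPattern"]), []):
            missing |= required_permissions(*call, provider_handlers) - granted
    return sorted(missing)


if __name__ == "__main__":
    print(missing_module_permissions(CALLER, OUTBOUND, PROVIDER))
```
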


                People

                Assignee:
                Andrei_Makaranka Andrei Makaranka
                Reporter:
                evaluk Eric Valuk
                Tester Assignee:
                Andrei Makaranka Andrei Makaranka
                Votes:
                0
                Watchers:
                5
