mod-finance / MODFIN-129

Mod-finance calls api without requesting permissions for it.


Details

    • Bug
    • Status: Closed
    • P3
    • Resolution: Done
    • 2.0.1
    • 3.0.0
    • None
    • ACQ Sprint 88, ACQ Sprint 89
    • 1
    • Thunderjet

    Description

      Mod-finance uses api:
      GET /finance-storage/fiscal-years/{id}

      called from:
      POST /finance/budgets

      without declaring the required permission:

      finance-storage.fiscal-years.item.get

      in the module descriptor as seen here:

      {
        "methods": ["POST"],
        "pathPattern": "/finance/budgets",
        "permissionsRequired": ["finance.budgets.item.post"],
        "modulePermissions": [
          "finance-storage.budgets.item.post",
          "finance-storage.group-fund-fiscal-years.collection.get",
          "finance-storage.group-fund-fiscal-years.item.put",
          "finance-storage.transactions.item.post"
        ]
      }
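A descriptor check for the gap reported above, as an added example that is not part of the original issue or of the mod-finance code base: it compares a handler's `modulePermissions` with the `permissionsRequired` of every downstream route the handler calls. The storage-side handler table, the outgoing-call list, the sample record id and all function names are assumptions made for illustration.

```python
import re

# Handler entry quoted in the issue (mod-finance module descriptor).
BUDGETS_POST = {
    "methods": ["POST"],
    "pathPattern": "/finance/budgets",
    "permissionsRequired": ["finance.budgets.item.post"],
    "modulePermissions": [
        "finance-storage.budgets.item.post",
        "finance-storage.group-fund-fiscal-years.collection.get",
        "finance-storage.group-fund-fiscal-years.item.put",
        "finance-storage.transactions.item.post",
    ],
}
# Constructed: what the storage module requires on the routes involved.
STORAGE_HANDLERS = [
    {"methods": ["GET"], "pathPattern": "/finance-storage/fiscal-years/{id}",
     "permissionsRequired": ["finance-storage.fiscal-years.item.get"]},
    {"methods": ["POST"], "pathPattern": "/finance-storage/budgets",
     "permissionsRequired": ["finance-storage.budgets.item.post"]},
]
# Constructed: calls made while handling POST /finance/budgets (sample id).
OUTGOING_CALLS = [
    ("POST", "/finance-storage/budgets"),
    ("GET", "/finance-storage/fiscal-years/11111111-2222-4333-8444-555555555555"),
]

def pattern_to_regex(path_pattern):
    """Compile a pathPattern: {name} matches one segment, * matches anything."""
    pieces = re.split(r"(\{[^/}]+\}|\*)", path_pattern)
    body = "".join(".*" if p == "*" else "[^/]+" if p.startswith("{")
                   else re.escape(p) for p in pieces)
    return re.compile("^" + body + "/?$")

def required_permissions(method, path, downstream_handlers):
    """Permissions the downstream route demands; unknown routes are an error."""
    for h in downstream_handlers:
        if method in h["methods"] and pattern_to_regex(h["pathPattern"]).match(path):
            return set(h.get("permissionsRequired", []))
    raise LookupError(f"no downstream handler declared for {method} {path}")

def missing_module_permissions(handler, outgoing_calls, downstream_handlers):
    """Map each outgoing call to the permissions the handler fails to declare."""
    granted = set(handler.get("modulePermissions", []))
    missing = {}
    for method, path in outgoing_calls:
        gap = required_permissions(method, path, downstream_handlers) - granted
        if gap:
            missing[f"{method} {path}"] = sorted(gap)
    return missing
```

Run against the descriptor entry from the issue, the check reports `finance-storage.fiscal-years.item.get` as missing for the fiscal-year lookup and reports nothing once that permission is added to `modulePermissions`.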


              People

                Andrei_Makaranka Andrei Makaranka
                evaluk Eric Valuk
                Andrei Makaranka Andrei Makaranka