Uploaded image for project: 'mod-inventory'
  1. mod-inventory
  2. MODINV-164

Missing module permission in GET "/inventory/instances"

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: P2
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 16.1.0
    • Labels:
      None
    • Template:
      Standard Bug Write-Up Format
    • Sprint:
      Core: F - Sprint 97
    • Development Team:
      Prokopovych

      Description

      When calling GET "/inventory/instances" with a user that has the required permission "inventory.instances.collection.get", but not any other inventory/inventory-storage related permissions, an internal call to "/instance-storage/instance-relationships" fails with a 403 due to the missing permission "inventory-storage.instances.item.get".

      It is possible that the mod-inventory-storage permission is a copy/paste error, since it is a "collection" API, but requires an "item" permission:

              }, {
                "methods": ["GET"],
                "pathPattern": "/instance-storage/instance-relationships",
                "permissionsRequired": ["inventory-storage.instances.item.get"]
              }, {
      

      If that is the case, then we should move this to MODINVSTOR since mod-inventory provides "inventory-storage.instances.collection.get" as a module permission. If not, we need to add "inventory-storage.instances.item.get" to the module permissions for "/inventory/instances".

      While the API does return, the side effect of the 403 is that none of the instance relationships are part of returned JSON.

        TestRail: Results

          Attachments

            Issue Links

              Activity

                People

                Assignee:
                bohdan-suprun Bohdan Suprun
                Reporter:
                mreno Mathew Reno
                Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved:

                    TestRail: Runs

                      TestRail: Cases