Details
-
Bug
-
Status: Closed (View Workflow)
-
P2
-
Resolution: Done
-
None
-
None
-
Core: F - Sprint 97
-
Prokopovych
Description
When calling GET "/inventory/instances" with a user that has the required permission "inventory.instances.collection.get", but not any other inventory/inventory-storage related permissions, an internal call to "/instance-storage/instance-relationships" fails with a 403 due to the missing permission "inventory-storage.instances.item.get".
It is possible that the mod-inventory-storage permission is a copy/paste error, since it is a "collection" API, but requires an "item" permission:
}, {
"methods": ["GET"],
"pathPattern": "/instance-storage/instance-relationships",
"permissionsRequired": ["inventory-storage.instances.item.get"]
}, {
If that is the case, then we should move this to MODINVSTOR since mod-inventory provides "inventory-storage.instances.collection.get" as a module permission. If not, we need to add "inventory-storage.instances.item.get" to the module permissions for "/inventory/instances".
While the API does return, the side effect of the 403 is that none of the instance relationships are part of returned JSON.
TestRail: Results
Attachments
Issue Links
- has to be done after
-
-
- Closed
-