Details
- Bug
- Status: Closed
- P2
- Resolution: Done
- 5.0.0
- folio-snapshot
- ACQ Sprint 64
- 1
- Thunderjet
Description
Overview:
It appears that we're missing a module permission for the following endpoints:
POST /orders/composite-orders
PUT /orders/composite-orders/<id>
Missing permission: inventory-storage.contributor-name-types.collection.get
This appears to have been introduced by MODORDERS-204 (PR)
Reproducer:
Originally discovered while placing orders from GOBI via mod-gobi using an institutional user w/ limited permissions (gobi.all)
$ curl 'https://folio-snapshot.aws.indexdata.com:8000/orders?type=GOBI' \
> -H 'Authorization: apikey eyJzIjoiNXNlNGdnbXk1TiIsInQiOiJkaWt1IiwidSI6ImRpa3UifQ==' \
> -H 'Content-Type: application/xml' \
> -XPOST \
> -d '<PurchaseOrder>
>   <CustomerDetail>
>     <BaseAccount>8910</BaseAccount>
>     <SubAccount>891010</SubAccount>
>   </CustomerDetail>
>   <Order>
>     <ListedPrintMonograph>
>       <collection>
>         <record>
>           <leader>00000nam a2200000u 4500</leader>
>           <controlfield tag="001">99974828471</controlfield>
>           <controlfield tag="003">NhCcYBP</controlfield>
>           <controlfield tag="005">20180905153857.0</controlfield>
>           <controlfield tag="008">180905t20112011xx |||||||||||||| eng d</controlfield>
>           <datafield tag="020" ind1=" " ind2=" ">
>             <subfield code="a">9780547572482</subfield>
>             <subfield code="c">14.95</subfield>
>           </datafield>
>           <datafield tag="035" ind1=" " ind2=" ">
>             <subfield code="a">(OCoLC)717297695</subfield>
>           </datafield>
>           <datafield tag="100" ind1="1" ind2=" ">
>             <subfield code="a">DICK, PHILIP K</subfield>
>           </datafield>
>           <datafield tag="245" ind1="1" ind2="0">
>             <subfield code="a">MAN IN THE HIGH CASTLE.</subfield>
>           </datafield>
>           <datafield tag="260" ind1=" " ind2=" ">
>             <subfield code="a">BOSTON</subfield>
>             <subfield code="b">MARINER BOOKS</subfield>
>             <subfield code="c">2011</subfield>
>           </datafield>
>         </record>
>       </collection>
>       <OrderDetail>
>         <FundCode>USHIST</FundCode>
>         <Location>KU/CC/DI/A</Location>
>         <Quantity>2</Quantity>
>         <YBPOrderKey>99974828471</YBPOrderKey>
>         <OrderPlaced>2018-09-05T15:38:55</OrderPlaced>
>         <Initials>Mark</Initials>
>         <ListPrice>
>           <Amount>14.95</Amount>
>           <Currency>USD</Currency>
>         </ListPrice>
>         <NetPrice>
>           <Amount>13.16</Amount>
>           <Currency>USD</Currency>
>         </NetPrice>
>         <LocalData>
>           <Description>LocalData1</Description>
>           <Value>Book</Value>
>         </LocalData>
>         <LocalData>
>           <Description>LocalData2</Description>
>           <Value>Notify requester upon receipt</Value>
>         </LocalData>
>         <LocalData>
>           <Description>LocalData3</Description>
>           <Value>Anne Esterhazy</Value>
>         </LocalData>
>         <LocalData>
>           <Description>LocalData4</Description>
>           <Value>signed-edition,vip-order</Value>
>         </LocalData>
>       </OrderDetail>
>     </ListedPrintMonograph>
>   </Order>
> </PurchaseOrder>'
<?xml version='1.0' encoding='UTF-8'?>
<Response>
  <Error>
    <Code>INTERNAL_SERVER_ERROR</Code>
    <Message>Failed to convert FOLIO response to XML</Message>
  </Error>
</Response>
Log snippet:
3:33:27.133 [vert.x-eventloop-thread-0] ERROR org.folio.rest.impl.InventoryHelper - Exception calling GET /contributor-name-types?query=name==Personal+name
java.util.concurrent.CompletionException: org.folio.orders.rest.exceptions.HttpException: Access requires permission: inventory-storage.contributor-name-types.collection.get
    at org.folio.orders.utils.HelperUtils.verifyAndExtractBody(HelperUtils.java:81) ~[mod-orders-fat.jar:?]
    at org.folio.orders.utils.HelperUtils.lambda$handleGetRequest$21(HelperUtils.java:798) ~[mod-orders-fat.jar:?]
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) ~[?:1.8.0_181]
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) ~[?:1.8.0_181]
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) ~[?:1.8.0_181]
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) ~[?:1.8.0_181]
    at org.folio.rest.tools.client.HTTPJsonResponseHandler.lambda$1(HTTPJsonResponseHandler.java:67) ~[mod-orders-fat.jar:?]
    ...elided ...
N.B. Beware that these values are cached, so if you have opened an order w/ a contributor of the type you're using, it will be cached for the tenant and subsequent orders opened for that tenant will not need to call the contributor-name-types endpoint. In this case the problem will not be evident.
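Since the cached lookup can hide this failure at run time, the descriptor can also be checked statically. The following is an added example, not code from mod-orders or from this ticket: it extracts the denied permission from a log line like the one above and lists the handlers whose modulePermissions do not grant it, expanding permission sets defined in the same descriptor. The descriptor is a constructed sample and orders.inventory-lookups is a hypothetical permission set.

```python
import re

DENIED = re.compile(r"Access requires permission: ([\w.-]+)")

# Constructed sample shaped like an Okapi ModuleDescriptor; it is not mod-orders'
# real descriptor, and "orders.inventory-lookups" is a hypothetical permission set.
DESCRIPTOR = {
    "provides": [{"id": "orders", "handlers": [
        {"methods": ["POST"], "pathPattern": "/orders/composite-orders",
         "modulePermissions": ["inventory-storage.instances.item.post"]},
        {"methods": ["PUT"], "pathPattern": "/orders/composite-orders/{id}",
         "modulePermissions": ["inventory-storage.instances.item.post"]},
        {"methods": ["PUT"], "pathPattern": "/orders/order-lines/{id}",
         "modulePermissions": ["orders.inventory-lookups"]},
    ]}],
    "permissionSets": [{
        "permissionName": "orders.inventory-lookups",
        "subPermissions": ["inventory-storage.contributor-name-types.collection.get"],
    }],
}

# Abbreviated from the log snippet in the ticket.
LOG = ("ERROR org.folio.rest.impl.InventoryHelper - Exception calling GET "
       "/contributor-name-types?query=name==Personal+name ... Access requires "
       "permission: inventory-storage.contributor-name-types.collection.get at org.folio")

def denied_permissions(log_text):
    """Permissions named in 'Access requires permission' errors."""
    return set(DENIED.findall(log_text))

def expand(names, sets):
    """Resolve permission sets defined in this descriptor to everything they grant."""
    seen, stack = set(), list(names)
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(sets.get(name, []))
    return seen

def handlers_missing(descriptor, permission):
    """(method, pathPattern) of every handler whose modulePermissions lack it."""
    sets = {s["permissionName"]: s.get("subPermissions", [])
            for s in descriptor.get("permissionSets", [])}
    missing = []
    for iface in descriptor.get("provides", []):
        for h in iface.get("handlers", []):
            if permission not in expand(h.get("modulePermissions", []), sets):
                missing += [(m, h["pathPattern"]) for m in h.get("methods", [])]
    return sorted(missing)

if __name__ == "__main__":
    for perm in denied_permissions(LOG):
        print(perm, "->", handlers_missing(DESCRIPTOR, perm))
```

A handler listed here only needs the permission if its code path makes the denied call, so treat the output as a review list rather than a list of confirmed defects.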
Issue Links
- relates to
  - MODORDERS-245 Update API tests to use a user account with limited permissions (Closed)
  - MODGOBI-77 Contributor-name-type is required for contributor added to POL (Closed)
  - MODORDERS-204 When creating a brief order instance record in Inventory, data on Contributors are not populated (Closed)
  - MODORDERS-247 Make contributor-name-type configurable (Closed)
  - UIOR-244 Allow user to specify a contributor-name-type for each contributor added to POL (Closed)
  - UXPROD-1606 Ordering quality assurance enhancements - Round 1 (Closed)