Nuxeo Platform / NXP-25867

Users can contain non-existent groups using REST

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.10, 10.2
    • Fix Version/s: 9.10-HF26, 10.10
    • Component/s: Rest API
    • Release Notes Summary:
      REST calls to create/update a user enforce group existence.
    • Backlog priority:
      900
    • Sprint:
      nxcore 10.10.5
    • Story Points:
      2

      Description

      1. install Nuxeo
      2. start Nuxeo
      3. create a user robert with:
        curl -X POST -H "Content-Type: application/json" -u Administrator:Administrator -d '{ "entity-type": "user", "id":"rraynes", "properties":{"username":"rraynes", "email":"robert@nuxeosupport.com", "lastName":"Raynes", "firstName":"Raynes", "password":"pouetword" } }' http://localhost:8080/nuxeo/api/v1/user
        
      4. observe the user exists in Nuxeo using a UI (JSF or Web UI)
      5. modify the user to add a non-existing group:
        curl -X PUT -H "Content-Type: application/json" -u Administrator:Administrator -d '{ "entity-type": "user", "id":"rraynes", "properties":{"groups":["IdontexistandIwillcorruptyourdatas"]}}' http://localhost:8080/nuxeo/api/v1/user/rraynes
        
      6. observe there are no errors returned:
        {"entity-type":"user","id":"rraynes","properties":{"firstName":"Raynes","lastName":"Raynes","tenantId":null,"groups":["IdontexistandIwillcorruptyourdatas"],"company":null,"email":"robert@nuxeosupport.com","username":"rraynes"},"extendedGroups":[],"isAdministrator":false,"isAnonymous":false}
        
      7. observe the user now has a non-existing group (using JSF or Web UI)
      8. observe through REST this is also visible:
        curl -s -X GET -u Administrator:Administrator http://localhost:8080/nuxeo/api/v1/user/rraynes | jq .
        
        {
          "entity-type": "user",
          "id": "rraynes",
          "properties": {
            "firstName": "Raynes",
            "lastName": "Raynes",
            "tenantId": null,
            "groups": [
              "IdontexistandIwillcorruptyourdatas"
            ],
            "company": null,
            "email": "robert@nuxeosupport.com",
            "username": "rraynes"
          },
          "extendedGroups": [],
          "isAdministrator": false,
          "isAnonymous": false
        }
        

        Expected behavior: adding a non-existing group should be forbidden and return an error.
        Note: the current issue may lead to errors like the following in the server logs:

        2018-10-10 09:56:31,471 ERROR [http-nio-0.0.0.0-8080-exec-10] [org.nuxeo.ecm.platform.usermanager.NuxeoPrincipalImpl] User rraynes references the IdontexistandIwillcorruptyourdatas group that does not exists
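
The following Python is an added example, not part of the original issue or of Nuxeo's code: it lists users that already carry dangling groups on an instance that ran an affected version, using the log message quoted above and the REST user entity from step 8. The INFO log line, the extra "members" group in the entity and the `KNOWN_GROUPS` inventory are constructed assumptions.

```python
import json
import re
from collections import defaultdict

# Error text as quoted in the issue (wording kept verbatim, "does not exists").
DANGLING_RE = re.compile(
    r"\[org\.nuxeo\.ecm\.platform\.usermanager\.NuxeoPrincipalImpl\] "
    r"User (?P<user>\S+) references the (?P<group>.+?) group that does not exists"
)

def dangling_from_log(lines):
    """Map each username to the sorted missing groups reported in log lines."""
    found = defaultdict(set)
    for line in lines:
        match = DANGLING_RE.search(line)
        if match:
            found[match.group("user")].add(match.group("group"))
    return {user: sorted(groups) for user, groups in found.items()}

def dangling_from_entity(user_json, known_groups):
    """Return groups on a REST user entity that are absent from known_groups."""
    entity = json.loads(user_json)
    if entity.get("entity-type") != "user":
        raise ValueError("not a user entity")
    groups = entity.get("properties", {}).get("groups") or []
    return sorted(g for g in groups if g not in known_groups)

# The ERROR line is copied from the issue. The INFO line is constructed, the
# entity is trimmed from the issue's response with a constructed "members"
# group added, and the group inventory is an assumption.
SAMPLE_LOG = [
    "2018-10-10 09:56:31,471 ERROR [http-nio-0.0.0.0-8080-exec-10] "
    "[org.nuxeo.ecm.platform.usermanager.NuxeoPrincipalImpl] User rraynes "
    "references the IdontexistandIwillcorruptyourdatas group that does not exists",
    "2018-10-10 09:56:32,000 INFO [main] [constructed.Logger] unrelated line",
]
SAMPLE_ENTITY = (
    '{"entity-type":"user","id":"rraynes","properties":{"groups":'
    '["IdontexistandIwillcorruptyourdatas","members"],"username":"rraynes"},'
    '"extendedGroups":[]}'
)
KNOWN_GROUPS = {"members", "administrators", "powerusers"}  # assumed inventory

if __name__ == "__main__":
    print(dangling_from_log(SAMPLE_LOG))
    print(dangling_from_entity(SAMPLE_ENTITY, KNOWN_GROUPS))
```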
        

                Time Tracking

                • Estimated: Not Specified
                • Remaining: 0m
                • Logged: 1d