/report endpoint responds with 403 - VersionRepository.ensureExists
Closed this issue · 1 comments
I have a fresh install of Acrarium 2.0.0-beta03 using Docker and want to test it before introducing it as crash reporting backend for my app. However, all crash reports are rejected by the server with an error code 403. Enabling verbose logging shows the following:
- Authentication seems to work, and the user is correctly given
REPORTER
authority:
UsernamePasswordAuthenticationToken [Principal=xxxxxxxxxxxxx, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=xx.xx.xx.xx, SessionId=xxxxxxxxxxxxxxxxx], Granted Authorities=[REPORTER]]]
- After that, access is still denied, and the stack trace shows this happens when calling
VersionRepository.ensureExists
:
org.springframework.security.access.AccessDeniedException: Access Denied
at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.attemptAuthorization(AuthorizationManagerBeforeMethodInterceptor.java:257) ~[spring-security-core-6.1.2.jar:6.1.2]
at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.invoke(AuthorizationManagerBeforeMethodInterceptor.java:198) ~[spring-security-core-6.1.2.jar:6.1.2]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184) ~[spring-aop-6.0.11.jar:6.0.11]
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:756) ~[spring-aop-6.0.11.jar:6.0.11]
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:708) ~[spring-aop-6.0.11.jar:6.0.11]
at com.faendir.acra.persistence.version.VersionRepository$$SpringCGLIB$$0.ensureExists-TPuOtcY(<generated>) ~[classes/:2.0.0-beta03]
at com.faendir.acra.domain.ReportService.create(ReportService.kt:71) ~[classes/:2.0.0-beta03]
VersionRepository.ensureExists
is annotated with @PreAuthorize("hasEditPermission(#appId)")
- but it seems that when the reporter user is created, it is never assigned edit permissions for the associated app. Looking at the database, the user_permissions
table is empty.
after working around this by manually creating the permission in the database like this:
insert into user_permissions ('suEzGozbzlLIahr9', 1, EDIT);
it is now stuck at the next issue:
java.lang.IllegalArgumentException: Failed to evaluate expression 'hasViewPermission(#identifier.appId)'
at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:33) ~[spring-security-core-6.1.2.jar:6.1.2]
at org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager.check(PreAuthorizeAuthorizationManager.java:68) ~[spring-security-core-6.1.2.jar:6.1.2]
at org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager.check(PreAuthorizeAuthorizationManager.java:40) ~[spring-security-core-6.1.2.jar:6.1.2]
at org.springframework.security.authorization.ObservationAuthorizationManager.check(ObservationAuthorizationManager.java:57) ~[spring-security-core-6.1.2.jar:6.1.2]
at org.springframework.security.config.annotation.method.configuration.DeferringObservationAuthorizationManager.check(DeferringObservationAuthorizationManager.java:47) ~[spring-security-config-6.1.2.jar:6.1.2]
at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.attemptAuthorization(AuthorizationManagerBeforeMethodInterceptor.java:252) ~[spring-security-core-6.1.2.jar:6.1.2]
at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.invoke(AuthorizationManagerBeforeMethodInterceptor.java:198) ~[spring-security-core-6.1.2.jar:6.1.2]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184) ~[spring-aop-6.0.11.jar:6.0.11]
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:756) ~[spring-aop-6.0.11.jar:6.0.11]
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:708) ~[spring-aop-6.0.11.jar:6.0.11]
at com.faendir.acra.persistence.bug.BugRepository$$SpringCGLIB$$0.findId-QTZCnnY(<generated>) ~[classes/:2.0.0-beta03]
at com.faendir.acra.domain.ReportService.create(ReportService.kt:73) ~[classes/:2.0.0-beta03]
[...]
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1008E: Property or field 'appId' cannot be found on object of type 'com.faendir.acra.persistence.bug.BugIdentifier' - maybe not public or not valid?
at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:222) ~[spring-expression-6.0.11.jar:6.0.11]
[...]
Is reporting in the 2.0.0-beta version actually working for anyone?