/report endpoint responds with 403 - VersionRepository.ensureExists

Question

/report endpoint responds with 403 - VersionRepository.ensureExists

Closed this issue a year ago · 1 comments

I have a fresh install of Acrarium 2.0.0-beta03 using Docker and want to test it before introducing it as crash reporting backend for my app. However, all crash reports are rejected by the server with an error code 403. Enabling verbose logging shows the following:

Authentication seems to work, and the user is correctly given REPORTER authority:

UsernamePasswordAuthenticationToken [Principal=xxxxxxxxxxxxx, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=xx.xx.xx.xx, SessionId=xxxxxxxxxxxxxxxxx], Granted Authorities=[REPORTER]]]

After that, access is still denied, and the stack trace shows this happens when calling VersionRepository.ensureExists:

org.springframework.security.access.AccessDeniedException: Access Denied
        at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.attemptAuthorization(AuthorizationManagerBeforeMethodInterceptor.java:257) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.invoke(AuthorizationManagerBeforeMethodInterceptor.java:198) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184) ~[spring-aop-6.0.11.jar:6.0.11]
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:756) ~[spring-aop-6.0.11.jar:6.0.11]
        at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:708) ~[spring-aop-6.0.11.jar:6.0.11]
        at com.faendir.acra.persistence.version.VersionRepository$$SpringCGLIB$$0.ensureExists-TPuOtcY(<generated>) ~[classes/:2.0.0-beta03]
        at com.faendir.acra.domain.ReportService.create(ReportService.kt:71) ~[classes/:2.0.0-beta03]

VersionRepository.ensureExists is annotated with @PreAuthorize("hasEditPermission(#appId)") - but it seems that when the reporter user is created, it is never assigned edit permissions for the associated app. Looking at the database, the user_permissions table is empty.

Answer 1 · 2023-08-29T20:26:32.000Z

after working around this by manually creating the permission in the database like this:

insert into user_permissions ('suEzGozbzlLIahr9', 1, EDIT);

it is now stuck at the next issue:

java.lang.IllegalArgumentException: Failed to evaluate expression 'hasViewPermission(#identifier.appId)'
        at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:33) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager.check(PreAuthorizeAuthorizationManager.java:68) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager.check(PreAuthorizeAuthorizationManager.java:40) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.security.authorization.ObservationAuthorizationManager.check(ObservationAuthorizationManager.java:57) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.security.config.annotation.method.configuration.DeferringObservationAuthorizationManager.check(DeferringObservationAuthorizationManager.java:47) ~[spring-security-config-6.1.2.jar:6.1.2]
        at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.attemptAuthorization(AuthorizationManagerBeforeMethodInterceptor.java:252) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.invoke(AuthorizationManagerBeforeMethodInterceptor.java:198) ~[spring-security-core-6.1.2.jar:6.1.2]
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184) ~[spring-aop-6.0.11.jar:6.0.11]
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:756) ~[spring-aop-6.0.11.jar:6.0.11]
        at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:708) ~[spring-aop-6.0.11.jar:6.0.11]
        at com.faendir.acra.persistence.bug.BugRepository$$SpringCGLIB$$0.findId-QTZCnnY(<generated>) ~[classes/:2.0.0-beta03]
        at com.faendir.acra.domain.ReportService.create(ReportService.kt:73) ~[classes/:2.0.0-beta03]
[...]
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1008E: Property or field 'appId' cannot be found on object of type 'com.faendir.acra.persistence.bug.BugIdentifier' - maybe not public or not valid?
        at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:222) ~[spring-expression-6.0.11.jar:6.0.11]
[...]

Is reporting in the 2.0.0-beta version actually working for anyone?