DataManager doesn't check entityAttributePermissions
racoy opened this issue · 1 comment
racoy commented
Environment
- Platform version: 7.2.17
- Browser: Chrome
- Database: PostgreSQL
- Operating system: Windows
Description of the bug or enhancement
DataManager doesn't check @EntityAttributeAccess on Entity.
For example: StoreEmployeeRole can change importantField (view only in security settings)
@Role(name = StoreEmployeeRole.NAME)
public class StoreEmployeeRole extends AnnotatedRoleDefinition {
    public final static String NAME = "StoreEmployee";

    @EntityAccess(entityClass = Store.class, operations = {EntityOp.READ, EntityOp.UPDATE})
    @Override
    public EntityPermissionsContainer entityPermissions() {
        return super.entityPermissions();
    }

    @EntityAttributeAccess(entityClass = Store.class, view = "*", modify = "notImportantField")
    @Override
    public EntityAttributePermissionsContainer entityAttributePermissions() {
        return super.entityAttributePermissions();
    }

    @ScreenAccess(screenIds = {"seccollapse_Store.browse", "seccollapse_Store.edit", "network-menu", "application-seccollapse"})
    @Override
    public ScreenPermissionsContainer screenPermissions() {
        return super.screenPermissions();
    }
}
- Create user with StoreEmployee role
- Create Store instance
- Click on "just button" in store editor
@Subscribe("justBtn")
public void onJustBtnClick(Button.ClickEvent event) {
    storeDc.getItem().setImportantField((long) (Math.random() * 1000));
}
- Click "Ok" to save the entity
ER: exception
AR: successful commit
Simple demonstration project here:
seccollapse.zip
knstvk commented
DataManager checks entity attribute permissions only if you set cuba.entityAttributePermissionChecking to true.
See https://doc.cuba-platform.com/manual-7.2/data_access_checks.html
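
An added example, not part of the issue thread or the CUBA project's own code: the button handler from the report with an explicit attribute-permission check through `Security.isEntityAttrPermitted`, for controller code that sets attributes directly. The package names, descriptor file name and warning text are assumptions; middleware-side checking still depends on the `cuba.entityAttributePermissionChecking` property named in the reply.

```java
package com.company.seccollapse.web.screens.store; // assumed package

import com.company.seccollapse.entity.Store;        // assumed location of the issue's Store entity
import com.haulmont.cuba.core.global.Security;
import com.haulmont.cuba.gui.Notifications;
import com.haulmont.cuba.gui.components.Button;
import com.haulmont.cuba.gui.model.InstanceContainer;
import com.haulmont.cuba.gui.screen.*;
import com.haulmont.cuba.security.entity.EntityAttrAccess;

import javax.inject.Inject;

@UiController("seccollapse_Store.edit")
@UiDescriptor("store-edit.xml")                      // assumed descriptor name
@EditedEntityContainer("storeDc")
@LoadDataBeforeShow
public class StoreEdit extends StandardEditor<Store> {

    @Inject
    private InstanceContainer<Store> storeDc;
    @Inject
    private Security security;
    @Inject
    private Notifications notifications;

    @Subscribe("justBtn")
    public void onJustBtnClick(Button.ClickEvent event) {
        // Setters called from controller code bypass the data-aware UI
        // components that honour attribute permissions, so the permission
        // is checked explicitly before the value is changed.
        if (!security.isEntityAttrPermitted(Store.class, "importantField", EntityAttrAccess.MODIFY)) {
            notifications.create(Notifications.NotificationType.WARNING)
                    .withCaption("importantField is read-only for your role") // constructed message
                    .show();
            return;
        }
        storeDc.getItem().setImportantField((long) (Math.random() * 1000));
    }
}
```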