View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005926 | OXID ERP Interface | OXID ERP Interface - sub | public | 2014-10-22 13:40 | 2025-01-23 09:56 |
Reporter | michael_keiluweit | Assigned To | |||
Priority | high | Severity | major | Reproducibility | always |
Status | confirmed | Resolution | open | ||
Product Version | 2.13.0 | ||||
Summary | 0005926: Rights and Roles doesn't work with ERP / CSV module... | ||||
Description | ... except for the two objects oxarticle and oxcategory, because those two objects are handled separately from the other objects. Please have a look at our documentation https://www.oxid-esales.com/fileadmin/files/TechDok/Documents/Rights_and_Roles.pdf, especially 4.2.3 Object control. | ||||
Steps To Reproduce |

Requirements:
- EE 5.1.7
- ERP 2.13.0
- One non-admin user, because admin users are not changeable from Rights and Roles (RR) and ERP.

1. Go to Administer Users -> Users and create a customer for shop id 1.
2. Go to Administer Users -> Users and create a new mall admin for shop id 1 (don't forget the admingroup).
3. Go to Administer Roles -> Admin Roles and create a new role. Name it: read-only
4. Go to Administer Roles -> Admin Roles -> 'read only' -> Users and add the mall admin from step 1.
5. Set the rights for the user menu to K (in English D for Deny).
6. Execute the login query (I use SoapUI 4.6.4):

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:oxer="OXERPService">
  <soapenv:Header/>
  <soapenv:Body>
    <oxer:OXERPLogin>
      <oxer:sUserName>[email protected]</oxer:sUserName>
      <oxer:sPassword>[email protected]</oxer:sPassword>
      <oxer:iShopID>1</oxer:iShopID>
      <oxer:iLanguage></oxer:iLanguage>
    </oxer:OXERPLogin>
  </soapenv:Body>
</soapenv:Envelope>
```

7. Execute the setUser query:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:oxer="OXERPService">
  <soapenv:Header/>
  <soapenv:Body>
    <oxer:OXERPSetUser>
      <oxer:sSessionID>c0i53u052rtkf5eqaesmi4cif4</oxer:sSessionID>
      <oxer:aUser>
        <oxer:OXERPType>
          <oxer:aResult>
            <oxer:ArrayOfString>
              <oxer:string>OXID</oxer:string>
              <oxer:string>[OXID OF THE NEW USER FROM STEP 1]</oxer:string>
            </oxer:ArrayOfString>
            <oxer:ArrayOfString>
              <oxer:string>OXUSTID</oxer:string>
              <oxer:string>667</oxer:string>
            </oxer:ArrayOfString>
          </oxer:aResult>
          <oxer:blResult>?</oxer:blResult>
          <oxer:sMessage>?</oxer:sMessage>
        </oxer:OXERPType>
      </oxer:aUser>
    </oxer:OXERPSetUser>
  </soapenv:Body>
</soapenv:Envelope>
```

8. As the result we expect false, but we will get true. Have a look in the database. The field OXUSTID will have the value 665.

Additional Information | It seems that the information is missing which objects are accessible and which not. When using the backend the array aViewRights is empty. Which is technically correct but there is currently no other variable to mark which objects are accessible. | ||||
Tags | CSV, EE, ERP, Rights & Roles, SOAP | ||||

It would be nice if, instead of a fix, the functionality of the accessible objects were increased, so the shop can give the option to make precise rules for many scenarios. It is described in the mentioned document at the topic 4.2.3 Object control.

After working with this module for about 10 years, I learned yesterday that this ticket is indeed invalid. It is entirely possible, and there are some misconceptions about how the UI and the options interact with the Rights and Roles. Thus I will keep this ticket open as a reminder to improve the documentation on this. TL;DR: you can adapt the object_rights.xml and just add the table and fields that you want different rights for, re-login to the admin, set some rights, save, and from then on more objects will be under the control of the Rights & Roles system. That also means the permissions in the ERP module will be checked accordingly.