View Issue Details

ID: 0005926
Project: OXID ERP Interface
Category: OXID ERP Interface - sub
View Status: public
Last Update: 2023-12-13 09:28
Reporter: michael_keiluweit
Assigned To: 
Priority: high
Severity: major
Reproducibility: always
Status: acknowledged
Resolution: open
Product Version: 2.13.0
Summary: 0005926: Rights and Roles doesn't work with ERP / CSV module...
Description: ... except for the two objects oxarticle and oxcategory, because those two objects are handled separately from the other objects. Please have a look at our documentation https://www.oxid-esales.com/fileadmin/files/TechDok/Documents/Rights_and_Roles.pdf, especially 4.2.3 Object control.

Steps To Reproduce

Requirements:

- EE 5.1.7
- ERP 2.13.0
- One non-admin user, because admin users cannot be restricted by Rights and Roles (RR) or ERP.

1. Go to Administer Users -> Users and create a customer for shop id 1.
2. Go to Administer Users -> Users and create a new mall admin for shop id 1 (don't forget the admin group).
3. Go to Administer Roles -> Admin Roles and create a new role; name it "read-only".
4. Go to Administer Roles -> Admin Roles -> "read-only" -> Users and add the mall admin from step 1.
5. Set the rights for the user menu to K (in the English backend: D for Deny).

6. Execute the login query (I use SoapUI 4.6.4):

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:oxer="OXERPService">
       <soapenv:Header/>
       <soapenv:Body>
          <oxer:OXERPLogin>
             <oxer:sUserName>[email protected]</oxer:sUserName>
             <oxer:sPassword>[email protected]</oxer:sPassword>
             <oxer:iShopID>1</oxer:iShopID>
             <oxer:iLanguage></oxer:iLanguage>
          </oxer:OXERPLogin>
       </soapenv:Body>
    </soapenv:Envelope>
7. Execute the setUser query:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:oxer="OXERPService">
       <soapenv:Header/>
       <soapenv:Body>
          <oxer:OXERPSetUser>
             <oxer:sSessionID>c0i53u052rtkf5eqaesmi4cif4</oxer:sSessionID>
             <oxer:aUser>
                <oxer:OXERPType>
                   <oxer:aResult>
                      <oxer:ArrayOfString>
                         <oxer:string>OXID</oxer:string>
                         <oxer:string>[OXID OF THE NEW USER FROM STEP 1]</oxer:string>
                      </oxer:ArrayOfString>
                      <oxer:ArrayOfString>
                         <oxer:string>OXUSTID</oxer:string>
                         <oxer:string>667</oxer:string>
                      </oxer:ArrayOfString>
                   </oxer:aResult>
                   <oxer:blResult>?</oxer:blResult>
                   <oxer:sMessage>?</oxer:sMessage>
                </oxer:OXERPType>
             </oxer:aUser>
          </oxer:OXERPSetUser>
       </soapenv:Body>
    </soapenv:Envelope>
8. As a result we expect false, but we get true. Have a look in the database: the field OXUSTID will have the value 665.
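A regression check a shop operator can run against a test installation after the fix, added here as an example and not part of the report or of the OXID ERP interface: it builds the OXERPLogin and OXERPSetUser envelopes from steps 6 and 7 with the standard library and evaluates the response for the read-only user. The endpoint URL and the assumption that the response echoes an OXERPType with blResult (mirroring the request shape above) are mine, not from the report.

```python
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
OXER_NS = "OXERPService"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("oxer", OXER_NS)

def _envelope(operation):
    # Wrap one operation element in the soapenv Envelope/Header/Body shell.
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(operation)
    return ET.tostring(env, encoding="unicode")

def login_envelope(user, password, shop_id=1, language=""):
    op = ET.Element(f"{{{OXER_NS}}}OXERPLogin")
    for tag, val in (("sUserName", user), ("sPassword", password),
                     ("iShopID", str(shop_id)), ("iLanguage", language)):
        ET.SubElement(op, f"{{{OXER_NS}}}{tag}").text = val
    return _envelope(op)

def set_user_envelope(session_id, fields):
    # fields maps column name to value, e.g. {"OXID": oxid, "OXUSTID": "667"}.
    op = ET.Element(f"{{{OXER_NS}}}OXERPSetUser")
    ET.SubElement(op, f"{{{OXER_NS}}}sSessionID").text = session_id
    typ = ET.SubElement(ET.SubElement(op, f"{{{OXER_NS}}}aUser"), f"{{{OXER_NS}}}OXERPType")
    res = ET.SubElement(typ, f"{{{OXER_NS}}}aResult")
    for column, value in fields.items():
        pair = ET.SubElement(res, f"{{{OXER_NS}}}ArrayOfString")
        ET.SubElement(pair, f"{{{OXER_NS}}}string").text = column
        ET.SubElement(pair, f"{{{OXER_NS}}}string").text = value
    ET.SubElement(typ, f"{{{OXER_NS}}}blResult").text = "?"
    ET.SubElement(typ, f"{{{OXER_NS}}}sMessage").text = "?"
    return _envelope(op)

def post_soap(url, envelope):
    # Plain HTTP POST of the envelope; url is an assumed (hypothetical) endpoint.
    req = urllib.request.Request(url, data=envelope.encode("utf-8"),
                                 headers={"Content-Type": "text/xml; charset=utf-8"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")

def write_was_denied(response_xml):
    # Expected outcome for the read-only user: every blResult is false.
    # Assumption: the response carries OXERPType/blResult like the request does.
    root = ET.fromstring(response_xml)
    flags = [(e.text or "").strip().lower() for e in root.iter() if e.tag.endswith("blResult")]
    return bool(flags) and all(f in ("false", "0") for f in flags)
```

Run the two envelopes through post_soap against a test shop and feed the second response to write_was_denied; a True result means the Users-menu deny rule is now enforced by the SOAP interface.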
Additional Information: It seems that the information about which objects are accessible and which are not is missing.
When using the backend, the array aViewRights is empty, which is technically correct, but there is currently no other variable to mark which objects are accessible.
Tags: CSV, EE, ERP, Rights & Roles, SOAP

Relationships

related to 0005927 (acknowledged): oxarticle and oxcategory objects are deletable without having the permission from Rights and Roles when using ERP / CSV.

Activities

michael_keiluweit

2014-10-22 13:44

administrator   ~0010259

It would be nice if, instead of a fix, the functionality of the accessible objects were extended, so the shop can offer the option to make precise rules for many scenarios. It is described in the mentioned document under topic 4.2.3 Object control.