I have setup an Access Group Constraint against an entity named Asset for Update operations. The groovy script is simply checking the selected category of the record. The constraint seems to work as expected on Asset records however I am now getting an Access Denied error when updating other entities.
Maybe my understanding of how constraints work is incorrect but I was under the understanding that the constraint would only be applied to records of the selected Entity. Since no other constraints exist in the system I would expect that I could edit records of other entity types.
Please let me know if my understanding is incorrect or if this is a potential bug.
Unfortunately I am not able to replicate this issue in my sample project. I’ve performed some more debugging in my main project and am finding the following message being generated in the Abstract Generic Exception Handler class:
Could not read security token from entity com.cox.entity.Project-74035b05-2081-76b7-f042-039e9302ca73 [detached], even though there are active constraints for the related entities.
From here the exception is passed into the Row Level security handler and I am presented with the error message on the front end.
It is strange that the error message states that there are active constraints for the entity as this is not the case, the only constraint in the system is on the Asset entity.
Any ideas of next steps or what further information I can provide to assist in the resolution of this issue?
Could you please provide more information about relations between these entities and the steps to reproduce the problem? Also, it will be helpful if you share full stack trace of the exception.
The Asset entity extends our own State Machine Entity class which in turn extends the Categorized Entity class. Project extends our Work Order class which extends our State Machine Entity class. However the only relationship between the Asset and Project would be a foreign key relationship, one to many from Project to Asset. There was no relationship to an Asset established at the time of saving the Project when I received the error.
The steps to reproduce are simply create a single Access Group constraint against one entity (Asset in my case) checking that the category is not set to a particular value:
When this constraint is active and my user is part of the group with the constraint I can no longer make updates to any entity in the system except for Assets that do not have the category being tested for in the constraint.
As far as the stack trace, the error is throwing a friendly exception so I am not presented with a stack trace in the front end. Debugging the application I find the following call stack:
