Additional security config needs and use of constraint

mortoza_khan · September 7, 2019, 6:23am

I want to add additional access control for users for some selection of Entities at record level across the application suite. For example, An user has access to all products but only to a specific warehouse. in order to maintain this access control at the record level, I have a table in the database where the access to a list of the warehouse is maintained. When the user logs-in the application he will only see those warehouse which is authorized for him.

Is it something we can use through constraint? If so, I could appreciate sharing how to use it.

krivopustov · September 11, 2019, 2:08pm

Yes you can do it with security constraints.
Provided that you have app_Warehouse entity, and app_WarehouseAccess which contains wharehouse and user attributes, the constraint should be as follows:

Entity: app_Warehouse
Join clause: join app_WarehouseAccess a on a.warehouse = {E}
Where clause: a.user.id = :session$userId

mortoza_khan · September 11, 2019, 10:56pm

Hi Konstantin
Thank you for your help. Here is what I did following your code-snippet…

and the result I get when click the test button :

        An error occurred while running resulting query.

    com.haulmont.cuba.core.sys.jpql.JpqlSyntaxException: Errors found for input JPQL:[select e from erp$Plant e join erp_PlantAccess a on a.plant = e join erp_PlantAccess a on a.plant = e where ((a.user.id = :session_userId and a.accessGranted = true) and (a.user.id = :session$userId and a.accessGranted = true)) and (e.tenantId = 'assurance')] The identification variable 'a' cannot be declared more than once

krivopustov · September 12, 2019, 8:46am

Looks like the constraint is applied twice. Ensure it is present only once in the groups tree.

mortoza_khan · September 12, 2019, 1:11pm

That’s what I am wondering of, where is the error as it seems there is no such duplicate constraint used here as you see.

Note that I am trying to use it in multi tenant environment. When I test it in Admin access (not a tenant admin) then test passes. It doesn’t pass when I test as a tenant user where the tenant. Is it a bug?

krivopustov · September 17, 2019, 1:18pm

Can you replicate it on a test project?

stefan.kraus · September 17, 2019, 3:54pm

Hi @mortozakhan

I saw in another topic that the suggested syntax for the join clause in the form (your picture) should NOT have the word ‘join’ included in the text field.

@knstvk maybe you can correct me if I’m wrong.

Regards,
Steven

krivopustov · September 18, 2019, 11:29am

No, the syntax is correct (see context help button “?” next to the field):

A value of this field is added to the “from” query clause. It should begin with a comma, “join” or “left join”.
The {E} placeholder should be used as an alias of the entity being extracted. On execution of the query, it will be replaced with a real alias, specified in the query.
For example:
join {E}.seller s

mortoza_khan · September 25, 2019, 2:17am

Hi Konstantin
Sorry for the delayed reply as I was on a business trip.

I have attached a demo app where you will find Warehouse and WarehouseAccess used for this test.
demo-cuba.zip (137.8 KB)
Here is the exception:

Syntax errors found while parsing 'where' and 'join' clauses:
CommonErrorNode [,1:6], resync=where a.user.id = :session$userId>]

Here is the constraint used:

23%20PM

Looking forward to your further help.

regards
Mortoza

krivopustov · September 26, 2019, 3:33pm

In the “Where Clause” field you should not add the where keyword. It is mentioned in the docs and in the context help.