Analyse Security Issue

michael.carell · February 20, 2021, 11:48am

Hello,

It seeams to me that I have an security configuration problem within my application. I added an Invoice-Browse Table. The invoices are linked to a contract, and the contract as references to a product and a customer.

I added a role customer and the role should be able to see its invoices. I implemented a delegate for the collection datasource and the collection contains the invoice items. But the table, that is linked to the datasource, displays no items. I added the table counter, and the table counter displays the right amount of entries my loader-delegate queried.

The table displayes all entries, when I am logged in with super-user rights. I checked all entities an the access rights but I cannot find the fault. Even if I add the read, update right for all entries … the invoices are not shown within the table.

So I am searching for a way to get the source of the problem. Can I enable some logging / tracing to get the some more informations what is happening inside the framework?

Best regards
Michael

albudarov · February 20, 2021, 1:08pm

Hi,
Haven’t you forgot to setup Attribute permissions, in addition to Entity permissions?
The table will show zero rows and columns if at least one attribute of the entity shown isn’t explicitly permitted.

michael.carell · February 20, 2021, 2:02pm

You are right. After setting attribute permissions to read-all, it worked fine. But I do not understand why I have to set them after I had created a new view for the invoices. Till now I thought that setting the entity access attributes is enough.

Best regards
Michael