REST API Role Read-Only

Hi Cuba Team!
I have a read-only role on an entity (can’t create, update or delete), but when I use the REST API to test, it still can create/update. How do I make it read-only?

Hi,
Which CUBA version do you use?

Maybe you are using legacy roles scheme? This scheme was used in CUBA pre-7.2, and is used by default in old projects migrated to 7.2 from earlier platform versions.
https://doc.cuba-platform.com/manual-7.2/legacy_roles.html

In the legacy scheme all objects are permitted by default. If you want everything to be denied by default, you need to create a role with the “Denying” type and assign this role to all non-admin users.

Hi @albudarov, thanks for your support.
I use CUBA version 7.2.11. I don’t know how to create a role with the “Denying” type. Can you please share some examples with me? (Or maybe I need to update to the latest CUBA version???)
Thanks!!!

Do you have such properties in your app.properties file?

cuba.security.rolesPolicyVersion = 1
cuba.security.defaultPermissionValuesConfigEnabled = true
cuba.security.minimalRoleIsDefault = false

If not, then you aren’t using legacy roles system.

Then the only answer is that the user you use to access the REST API has some other role assigned that allows him to create / update the corresponding entity.

@albudarov As you said, I don’t have “cuba.security.rolesPolicyVersion = 1
cuba.security.defaultPermissionValuesConfigEnabled = true
cuba.security.minimalRoleIsDefault = false” in my app.properties, which means I’m not using legacy roles.
So I created a new role VNPT_Role for the user “username71”.
The user “username71” only has VNPT_Role (read-only on all entities), but the user still can update entities by using the REST API.

On your first screenshot the security scope of the role is “REST”.
On the second screenshot - VNPT_Role has “Generic UI” scope.

Aren’t you having two roles with the same name in your system? This may be the source of confusion.

P.S. If you are able to reproduce the problem in a small test project, we will have a look at this probable bug.

@albudarov, the second screenshot is an accident; I forgot to change “Generic UI” to “REST” before taking the screenshot. Below is my small demo project, please review it and give me the solution. Many thanks for your support!
cuba.zip (1.0 MB)

Hi.

I tried to reproduce the issue using Postman with your project, but it works. Updating is forbidden:


So is creation:

Have you set read-only properties for the entity in the Attributes tab while configuring the role? It looks like this:

Regards,
Nadezhda.

@n.shatalova Well, it seems like using “entities” is OK, but I use the service API and it is still updated.
serviceAPI.postman_collection.json (890 Bytes)

REST service method parameters and results are not checked for compliance with access group constraints. The service behavior with respect to constraints is defined by how it loads and saves data, for example whether it uses DataManager or DataManager.secure().

So you should use DataManager.secure() in your service method:

    @Override
    public Profile createProfile() {
        Profile profile = dataManager.create(Profile.class);
        profile.setName("user" + System.nanoTime());
        profile.setSex("female");
        profile.setAddress("HN");
        profile.setPhone("+84.0123456789");
        // secure() applies the caller's entity permissions and constraints;
        // plain dataManager.commit() would bypass them
        return dataManager.secure().commit(profile);
    }

More information about data access checks.

Regards,
Nadezhda.

1 Like
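As an added illustration of the point made in the reply above (this is example code written for this page, not the project from the attached cuba.zip and not CUBA’s own sources), here is a complete middleware service that routes every load and commit through DataManager.secure(), so a REST caller whose REST-scope role only grants READ on the entity cannot create or update it through the service either. The entity class Profile, its package com.company.demo, and the service name demo_ProfileService are assumed names; the commented-out method shows the unchecked variant that lets the write through.

```java
package com.company.demo.service;

import com.company.demo.entity.Profile;               // assumed entity from the demo project
import com.haulmont.cuba.core.global.AccessDeniedException;
import com.haulmont.cuba.core.global.DataManager;
import com.haulmont.cuba.core.global.PermissionType;
import com.haulmont.cuba.core.global.Security;
import com.haulmont.cuba.security.entity.EntityOp;
import org.springframework.stereotype.Service;

import javax.inject.Inject;
import java.util.UUID;

// Service interface exposed through the REST API (it must also be listed in
// rest-services.xml). In a real project it lives in the global module.
// "demo_ProfileService" is an assumed name for this example.
interface ProfileService {
    String NAME = "demo_ProfileService";

    Profile createProfile(String name);

    Profile renameProfile(UUID profileId, String newName);
}

@Service(ProfileService.NAME)
public class ProfileServiceBean implements ProfileService {

    @Inject
    private DataManager dataManager;

    @Inject
    private Security security;

    // Unchecked variant: plain DataManager ignores the caller's entity operation
    // permissions, so a REST user with a read-only role can still create a
    // Profile by calling this method. This is the behaviour reported in the thread.
    //
    // public Profile createProfileUnchecked(String name) {
    //     Profile profile = dataManager.create(Profile.class);
    //     profile.setName(name);
    //     return dataManager.commit(profile);
    // }

    // Hardened variant: secure() makes the commit honour the caller's role, so a
    // REST-scope role without CREATE on Profile gets AccessDeniedException instead
    // of a persisted entity.
    @Override
    public Profile createProfile(String name) {
        Profile profile = dataManager.create(Profile.class);
        profile.setName(name);
        return dataManager.secure().commit(profile);
    }

    @Override
    public Profile renameProfile(UUID profileId, String newName) {
        // Optional fail-fast check so the caller is refused before anything is
        // loaded; secure().commit() below would reject the update anyway.
        if (!security.isEntityOpPermitted(Profile.class, EntityOp.UPDATE)) {
            throw new AccessDeniedException(PermissionType.ENTITY_OP, "demo_Profile");
        }
        // secure() on the load applies access group constraints and attribute
        // permissions, so a row the caller is not allowed to see is not found.
        Profile profile = dataManager.secure().load(Profile.class)
                .id(profileId)
                .one();
        profile.setName(newName);
        return dataManager.secure().commit(profile);
    }
}
```

Note that the permissions consulted here are those of the role whose security scope matches the channel the user came in through, so the read-only role must be defined with the REST scope (as in the first screenshot discussed above) for a Postman call to be refused; a role with only the Generic UI scope does not apply to REST requests.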

@n.shatalova Thanks, it works, even though it throws an AccessDeniedException. Seems like I should check it more.