Job runs by user not the one who created the job
Activity
Yauheniya Kryshtafovich, April 3, 2023 at 1:26 PM
Verified on Orchid bf: NO mix-up of userId appears, bulk edits completed successfully
Magda Zacharska, March 22, 2023 at 12:03 PM
The issue was related to a Spring update
Yauheniya Kryshtafovich, March 9, 2023 at 10:22 AM (edited)
Hi, @Tatsiana Tarhonskaya
The issue was verified on Snapshot.
Run scenarios:
Scenario 1:
Running bulk edit by different Users with different permissions simultaneously – NO mix-up of userId appears, bulk edit completed successfully
Scenario 2 (https://folio-org.atlassian.net/browse/FAT-4926#icft=FAT-4926):
1. Log into FOLIO as User_1 with permissions:
   - Bulk Edit: In app - View
   - Bulk Edit: In app - Edit
   - Inventory: All permissions
2. Start bulk edit => Modify Items records
3. Repeat Bulk edit several times - up to 10 in a row
4. Log into FOLIO as User_2 with permissions that differ from User_1's:
   - Bulk edit: In app - Update user records
   - Users: Can view user profile
5. Start bulk edit => Modify Users profiles
6. Repeat Bulk edit several times - up to 10 in a row
NO mix-up of userId appears, bulk edit completed successfully
Scenario 3 (https://folio-org.atlassian.net/browse/FAT-4927#icft=FAT-4927):
1. Log into FOLIO as User_1 with permissions:
   - Bulk Edit: In app - View
   - Bulk Edit: In app - Edit
   - Inventory: All permissions
2. Start bulk edit => Modify Items records
3. Repeat Bulk edit several times - up to 10 in a row
4. DELETE User_1 via API
5. Log into FOLIO as User_2 with permissions that differ from User_1's:
   - Bulk edit: In app - Update user records
   - Users: Can view user profile
6. Start bulk edit => Modify Users profiles
7. Repeat Bulk edit several times - up to 10 in a row
NO mix-up of userId appears, bulk edit completed successfully
cc: @Magda Zacharska @Mikita Siadykh
Tatsiana Tarhonskaya, March 2, 2023 at 1:54 PM (edited)
There was similar behavior in the mod-bulk-operations and mod-data-export-worker modules, where headers from another user were sent by the feign client, which caused such issues. Fixed this by passing the correct context to the threads used by ExecutorService in mod-bulk-operations and the async TaskExecutor in mod-data-export-worker.
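A minimal model of the bug class described in the comment above, added here as an illustration and not taken from mod-bulk-operations or mod-data-export-worker: a pooled worker thread keeps a thread-local identity from an earlier job, so a later job's outgoing call carries the wrong user unless the submitter's context is captured and installed per task. `CURRENT_USER`, `withCallerContext`, `callDownstream` and the `X-User` header are hypothetical names, and the stale thread-local mechanism is an assumption about how such a mix-up can arise.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ContextPropagationDemo {
    // Hypothetical per-request identity holder; stands in for the context
    // that an outgoing HTTP client reads its user headers from.
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Simulated downstream call: returns the user header that would be sent.
    static String callDownstream() {
        return "X-User=" + CURRENT_USER.get();
    }

    // Capture the submitter's identity now, install it on the worker for the
    // duration of the task, and always clear it so nothing outlives the job.
    static <T> Callable<T> withCallerContext(Callable<T> task) {
        final String caller = CURRENT_USER.get(); // runs on the submitting thread
        return () -> {
            CURRENT_USER.set(caller);
            try {
                return task.call();
            } finally {
                CURRENT_USER.remove();
            }
        };
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1); // one reused worker
        Callable<String> job = ContextPropagationDemo::callDownstream;
        try {
            // Job for User_1 sets the context on the worker and never clears it.
            Callable<String> leaky = () -> { CURRENT_USER.set("User_1"); return callDownstream(); };
            pool.submit(leaky).get();

            // Request thread now belongs to User_2; the pooled worker still holds User_1.
            CURRENT_USER.set("User_2");
            System.out.println("unwrapped: " + pool.submit(job).get());
            System.out.println("wrapped:   " + pool.submit(withCallerContext(job)).get());
            System.out.println("after:     " + pool.submit(job).get());
        } finally {
            pool.shutdown();
            CURRENT_USER.remove();
        }
    }
}
```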
Overview:
A user logged in as diku_admin in FOLIO (https://folio-testing-sprint-diku.ci.folio.org/) goes to the "Bulk edit" app and runs a Query. An error "Something went wrong" then occurs, and the Network tab shows an error about the lack of permissions of another user.
Steps to Reproduce:
1. Log into https://folio-testing-sprint-diku.ci.folio.org/ as an admin user
2. Navigate to the "Bulk edit" app => Select the "Query" toggle on the "Set criteria" pane => Select the "Users" radio button on the "Record types" accordion
3. Enter a query to retrieve at least one matched record (e.g. barcode=123) => Click the "Search" button
Expected Results:
The "Preview of records matched" is populated with records matched search query criteria
Actual Results:
errorMessage with another Username:
"Object does not exist (ErrorResponseException)\n[403 Forbidden] during [GET] to http://groups/ad0bc554-d5bc-463c-85d1-5562127ae91b [GroupClient#getGroupById(String)]:[Access for user 'Test_All' (1d97841d-068f-4586-9535-826ddfbcb137) requires permission: usergroups.item.get] (Forbidden)"
Additional Information:
Reproduced on https://folio-testing-sprint-diku.ci.folio.org/ and https://folio-dev-firebird-diku.ci.folio.org/ from time to time