
CAP Unrestricted User Attribute Access

former_member194549
Contributor
0 Likes
1,727

Hello

According to the documentation, a WHERE comparison with a user attribute from the JWT token which is not present in the token always results in TRUE.

If a user attribute used in a WHERE clause isn’t provided in JWT, then the corresponding attribute comparison in the WHERE clause is evaluated to TRUE.

In our application, however, this is not the case.
I have assigned a role in which the attribute is marked as unrestricted.
This attribute is then not present in the JWT token, but the user has the scope associated with the role.

However, the executed SELECT does not return any results and also contains a restriction to the attribute.

I would expect that no restriction to this user attribute would be applied here. Does anyone have an idea why no results are returned? If values for the attribute are assigned to the role, results are returned.

Regards
Simon

Created Role:

Where Restriction:

User Context:

Check Scope:

Created SQL-Statement:

SELECT a.VName AS "a_VName", a.VDivision_VId AS "a_VDivision_VId", a.VPlant_VId AS "a_VPlant_VId", a.VPlant_VName AS "a_VPlant_VName", a.VId AS "a_VId", b.VId AS "b_VId", b.VName AS "b_VName" FROM P20GService_EnrichedPlanningUnits a INNER JOIN P20GService_Divisions b ON ( b.VId = a.VDivision_VId ) WHERE ( ( ( a.VDivision_VId IN ( ? ) ) ) AND ( ? = ? OR ? = ? OR ? = ? ) ) ORDER BY a.VId ASC LIMIT ?

SQL-Values:

CDS-Version:

Accepted Solutions (0)

Answers (1)


matthias_buehl
Advisor
0 Likes

Hi

In the current implementation the non-existence of an attribute in the JWT shall be handled as "unrestricted" access. We will change this behaviour in the next weeks and roll it out.

The new behaviour will then be that there will be a specific value $UNRESTRICTED in the JWT.

In the xs-security.json you will be able to switch between the old and the new behaviour but for CAP we will move to the new version as the CAP authorization check runtimes will move to the new behaviour.

Best regards

Matthias
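To make the two behaviours discussed in this thread concrete, the following is an added example and not SAP CAP's own code: it models how a where-restriction such as `VDivision_VId = $user.VDivision_VId` can be compiled into a parameterised SQL predicate and evaluated against rows under three policies. The policy names, the sample rows and users, and the assumption that an absent attribute ends up bound as NULL in the `IN ( ? )` placeholder (which would explain the empty result in the question) are all this example's own.

```javascript
// Added example (not SAP CAP's own code): a small model of how an attribute-based
// where-restriction can be compiled and evaluated under the policies discussed above.
// Policy names, sample data and the NULL-binding assumption are this example's own.

const UNRESTRICTED = '$UNRESTRICTED'; // sentinel value named in the answer

// Normalise a user attribute into a list of values, or undefined if absent from the token.
function attributeValues(user, attr) {
  const v = user.attr ? user.attr[attr] : undefined;
  if (v === undefined || v === null) return undefined;
  return Array.isArray(v) ? v : [v];
}

// Compile `column = $user.<attr>` into { sql, values }.
// Policies (example's own names):
//   'missing-is-unrestricted': an absent attribute evaluates to TRUE
//                              (the documented behaviour quoted in the question)
//   'missing-is-empty'       : an absent attribute binds a single NULL, so `IN ( ? )`
//                              matches nothing (the outcome observed in the question;
//                              that the runtime binds NULL is an assumption here)
//   'explicit-sentinel'      : only the literal $UNRESTRICTED lifts the restriction
//                              (the behaviour announced in the answer)
function compileRestriction(column, attr, user, policy) {
  const values = attributeValues(user, attr);
  if (values === undefined) {
    return policy === 'missing-is-unrestricted'
      ? { sql: '1 = 1', values: [] }
      : { sql: `${column} IN ( ? )`, values: [null] };
  }
  if (policy === 'explicit-sentinel' && values.includes(UNRESTRICTED)) {
    return { sql: '1 = 1', values: [] };
  }
  const placeholders = values.map(() => '?').join(', ');
  return { sql: `${column} IN ( ${placeholders} )`, values: [...values] };
}

// Evaluate the compiled predicate against in-memory rows the way a database would:
// `1 = 1` is TRUE for every row; a NULL binding in IN matches nothing.
function applyRestriction(rows, column, attr, user, policy) {
  const { sql, values } = compileRestriction(column, attr, user, policy);
  if (sql === '1 = 1') return rows.slice();
  const allowed = new Set(values.filter(v => v !== null));
  return rows.filter(r => allowed.has(r[column]));
}

// Constructed sample data, loosely modelled on the entity in the question.
const PLANNING_UNITS = [
  { VId: 'PU1', VName: 'Unit 1', VDivision_VId: 'D10' },
  { VId: 'PU2', VName: 'Unit 2', VDivision_VId: 'D20' },
  { VId: 'PU3', VName: 'Unit 3', VDivision_VId: 'D10' },
];

// Constructed users: attribute values assigned, attribute absent (role marked
// "unrestricted"), and the explicit sentinel from the announced behaviour.
const USERS = {
  withValues:  { id: 'alice', attr: { VDivision_VId: ['D10'] } },
  noAttribute: { id: 'bob',   attr: {} },
  sentinel:    { id: 'carol', attr: { VDivision_VId: [UNRESTRICTED] } },
};

// How many rows each user sees under each policy.
function resultCounts() {
  const out = {};
  for (const policy of ['missing-is-unrestricted', 'missing-is-empty', 'explicit-sentinel']) {
    out[policy] = {};
    for (const [name, user] of Object.entries(USERS)) {
      out[policy][name] =
        applyRestriction(PLANNING_UNITS, 'VDivision_VId', 'VDivision_VId', user, policy).length;
    }
  }
  return out;
}

console.log(JSON.stringify(resultCounts(), null, 2));
```

Running it shows the point of the xs-security.json switch mentioned in the answer: under the old policy a token without the attribute sees every row, under the observed behaviour it sees none, and a token carrying `$UNRESTRICTED` only sees every row once the runtime actually understands that sentinel (under the old policy it is just a value that matches no division).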