NEXUS-24606

possible to create a local realm user referencing a role which does not exist using REST API

    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.24.0
    • Fix Version/s: None
    • Component/s: REST, Security

      Description

      Using REST one can create a local realm user referencing a role which does not exist in the system.

      curl -X POST "http://localhost:8081/service/rest/beta/security/users" \
        -H "accept: application/json" \
        -H "Content-Type: application/json" \
        -d '{
              "userId": "sonatype",
              "firstName": "string",
              "lastName": "string",
              "emailAddress": "string@example.com",
              "password": "string",
              "status": "active",
              "roles": [ "doesnotexist" ]
            }'

      By contrast, when creating a user in the UI, one cannot save the user without assigning at least one known role at the time of creation.

      When the user record is viewed in the UI, the non-existent roles will not appear in the active role list.


      The database will still contain the role mapping to the user:

      {
        "@type": "d",
        "@rid": "#298:1",
        "@version": 1,
        "@class": "user_role_mapping",
        "userId": "sonatype",
        "source": "default",
        "roles": [
          "doesnotexist"
        ],
        "@fieldTypes": "roles=e"
      },


      Expected

      Be consistent in validation. Fail the REST API call if a local realm user is being created with any invalid role reference, and respond with a contextual error message explaining why the call failed. Document this possible failure in the API doc.
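Until the server rejects such requests itself, the role check can be done on the client side and the stored mappings can be audited for dangling references. The following is an added example, not code from Nexus Repository or from this issue: it validates a create-user body against the set of role ids Nexus knows (the same rule the UI enforces: at least one role, every role existing) and scans user_role_mapping records of the shape quoted above. The roles endpoint path (/service/rest/beta/security/roles returning objects with an "id" field) and the sample role ids are assumptions; the users path and the payload come from the report.

```python
"""Client-side role validation and mapping audit for the gap described in
NEXUS-24606. Added example, not Nexus Repository's own code."""
import base64
import json
import urllib.request

ROLES_PATH = "/service/rest/beta/security/roles"  # assumed endpoint shape
USERS_PATH = "/service/rest/beta/security/users"  # path used in the report


def unknown_roles(roles, known_roles):
    """Return the role ids in `roles` that are not in `known_roles`, in order."""
    known = set(known_roles)
    return [r for r in roles if r not in known]


def validate_user_payload(payload, known_roles):
    """Apply the UI's rule to a REST create-user body: at least one role, and
    every role must exist. Returns a list of problems (empty list means OK)."""
    roles = payload.get("roles") or []
    if not isinstance(roles, list) or not roles:
        return ["payload must assign at least one role"]
    missing = unknown_roles(roles, known_roles)
    return ["unknown role(s): " + ", ".join(missing)] if missing else []


def audit_role_mappings(mappings, known_roles):
    """Given user_role_mapping records (as exported from the database), return
    {userId: [dangling role ids]} for every user that references a role that
    does not exist. Users whose roles all resolve are omitted."""
    findings = {}
    for rec in mappings:
        missing = unknown_roles(rec.get("roles", []), known_roles)
        if missing:
            findings[rec["userId"]] = missing
    return findings


def _basic_auth(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"accept": "application/json", "Authorization": "Basic " + token}


def fetch_known_roles(base_url, username, password):
    """Network call against a live instance (assumed endpoint shape); not used
    by the offline demonstration below."""
    req = urllib.request.Request(base_url.rstrip("/") + ROLES_PATH,
                                 headers=_basic_auth(username, password))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {role["id"] for role in json.load(resp)}


def create_user_if_valid(base_url, username, password, payload):
    """Pre-flight check, then POST only if the payload passes. Returns the list
    of problems when validation fails, or None after the user is created."""
    problems = validate_user_payload(
        payload, fetch_known_roles(base_url, username, password))
    if problems:
        return problems
    headers = dict(_basic_auth(username, password),
                   **{"Content-Type": "application/json"})
    req = urllib.request.Request(base_url.rstrip("/") + USERS_PATH,
                                 data=json.dumps(payload).encode(),
                                 method="POST", headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        resp.read()
    return None


# Constructed sample data mirroring the report; no network access needed.
KNOWN_ROLES = {"nx-admin", "nx-anonymous"}  # constructed sample role ids

PAYLOAD_FROM_REPORT = {
    "userId": "sonatype", "firstName": "string", "lastName": "string",
    "emailAddress": "string@example.com", "password": "string",
    "status": "active", "roles": ["doesnotexist"],
}

SAMPLE_MAPPINGS = [
    {"@class": "user_role_mapping", "userId": "sonatype",
     "source": "default", "roles": ["doesnotexist"]},          # from the report
    {"@class": "user_role_mapping", "userId": "admin",
     "source": "default", "roles": ["nx-admin"]},              # constructed, valid
]

if __name__ == "__main__":
    print(validate_user_payload(PAYLOAD_FROM_REPORT, KNOWN_ROLES))
    print(audit_role_mappings(SAMPLE_MAPPINGS, KNOWN_ROLES))
```

Run against a live instance by replacing KNOWN_ROLES with fetch_known_roles(...) and feeding the audit the exported user_role_mapping records; create_user_if_valid is the wrapper to use in place of a bare curl POST so that a mistyped role is reported before anything is written.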


            People

            Assignee: Unassigned
            Reporter: Peter Lynch (plynch)
            Last Updated By: Wes Wannemacher
