Details
- Bug
- Resolution: Unresolved
- Major
- None
- 3.24.0
- n/a
Description
Using REST one can create a local realm user referencing a role which does not exist in the system.
curl -X POST "http://localhost:8081/service/rest/beta/security/users" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"userId\": \"sonatype\", \"firstName\": \"string\", \"lastName\": \"string\", \"emailAddress\": \"string@example.com\", \"password\": \"string\", \"status\": \"active\", \"roles\": [ \"doesnotexist\" ]}"
In the UI, by contrast, a user cannot be created without assigning at least one known role at creation time.
When the user record is viewed in the UI, the non-existent roles will not appear in the active role list.
The database will still contain the role mapping to the user:
{ "@type": "d", "@rid": "#298:1", "@version": 1, "@class": "user_role_mapping", "userId": "sonatype", "source": "default", "roles": [ "doesnotexist" ], "@fieldTypes": "roles=e" },
Expected
Be consistent in validation. Return an error from the REST API call if a local realm user is being created with any invalid role reference. Respond with a contextual error message stating why the call failed. Document this possible failure in the API doc.
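As an added illustration (not Nexus Repository's own code), the following Python sketch shows the validation the issue asks for, applied to the request body above, together with an audit that scans stored user_role_mapping records for role references that do not exist. The known role names other than "doesnotexist" and the sample records are constructed here.

```python
import json

# Constructed sample data: the set of role ids defined in the system and two
# user_role_mapping records shaped like the one quoted in the issue.
KNOWN_ROLES = {"nx-admin", "nx-anonymous"}

USER_ROLE_MAPPINGS = [
    {"@class": "user_role_mapping", "userId": "admin",
     "source": "default", "roles": ["nx-admin"]},
    {"@class": "user_role_mapping", "userId": "sonatype",
     "source": "default", "roles": ["doesnotexist"]},
]

# The body of the POST /service/rest/beta/security/users call from the issue.
CREATE_USER_REQUEST = json.loads(
    '{ "userId": "sonatype", "firstName": "string", "lastName": "string", '
    '"emailAddress": "string@example.com", "password": "string", '
    '"status": "active", "roles": [ "doesnotexist" ] }'
)


def validate_user_roles(payload, known_roles):
    """Return None when every referenced role exists, otherwise a contextual
    error message naming each unknown role so the caller knows what to fix."""
    roles = payload.get("roles") or []
    if not roles:
        return "at least one role must be assigned"
    unknown = sorted(set(roles) - known_roles)
    if unknown:
        return "unknown role(s): " + ", ".join(unknown)
    return None


def find_dangling_role_mappings(mappings, known_roles):
    """Audit stored user_role_mapping records for roles that are not defined.
    Returns {userId: [unknown roles]} for every local (source=default) user
    that carries a dangling reference."""
    dangling = {}
    for record in mappings:
        if record.get("source") != "default":
            continue
        unknown = sorted(set(record.get("roles", [])) - known_roles)
        if unknown:
            dangling[record["userId"]] = unknown
    return dangling


if __name__ == "__main__":
    print(validate_user_roles(CREATE_USER_REQUEST, KNOWN_ROLES))
    print(find_dangling_role_mappings(USER_ROLE_MAPPINGS, KNOWN_ROLES))
```

The audit function is useful for finding users created through the REST endpoint before the check was in place, since the UI hides the unknown roles while the database still holds them.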