Hybris UAC: Employee with user access rights to create Employee cannot create an Employee

1
votes

Hybris: 1905.9 (also tested with 1905.12)

I created a testEmployee Employee with a password of 1234 using the impex below. I configured the testEmployee to have user access rights to create Employees and Customers, as well as rights to see UserGroups.

Via Backoffice, this testEmployee can create a Customer, but causes an error when it tries to create an Employee.

What am I missing? Do I need to add UAC rights to other Types as well?

NOTES:

  • A testBackofficeAdmin that belongs to backofficeadmingroup is not able to create an Employee or a Customer
  • OOTB admin user can create an Employee
  • An Employee that belongs to admingroup can create an Employee

Impex:

$password=1234

INSERT_UPDATE Employee;UID[unique=true];password[default=$password];description;name;groups(uid);loginDisabled;backofficeLoginDisabled
;testEmployee;;description;name;employeegroup;false;false
;testBackofficeAdmin;;description;name;backofficeadmingroup;false;false

$START_USERRIGHTS;;;;;;;;;
Type;UID;MemberOfGroups;Password;Target;read;change;create;remove;change_perm
Employee;testEmployee;employeegroup;$password;;;;;;
;;;;Employee;+;+;+;+;;
;;;;Customer;+;+;+;+;;
;;;;UserGroup;+;-;-;-;;
$END_USERRIGHTS;;;;;

Screenshot:

enter image description here

Stacktrace:

INFO  [hybrisHTTP17] [fe80:0:0:0:0:0:0:1%1] [ConfigurableFlowController] Object sampleEmployee [sampleEmployee] could not be saved
 com.hybris.cockpitng.dataaccess.facades.object.exceptions.ObjectSavePermissionException: Object sampleEmployee [sampleEmployee] could not be saved
    at com.hybris.cockpitng.dataaccess.facades.object.impl.PermissionAwareObjectFacade.save(PermissionAwareObjectFacade.java:125) ~[cockpit-data-integration-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.dataaccess.facades.object.impl.DefaultObjectFacade.save(DefaultObjectFacade.java:137) ~[cockpit-data-integration-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.ConfigurableFlowController.persistWidgetProperty(ConfigurableFlowController.java:1132) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.ConfigurableFlowController.persistProperties(ConfigurableFlowController.java:531) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.ConfigurableFlowController.doDone(ConfigurableFlowController.java:882) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.ConfigurableFlowController.doDone(ConfigurableFlowController.java:869) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.listener.TransitionListener.onEvent(TransitionListener.java:43) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.renderer.ConfigurableFlowRenderer.lambda$createAndAppendButton$13(ConfigurableFlowRenderer.java:1145) [backoffice-widgets-19.05.12-RC5.jar:?]
    at org.zkoss.zk.ui.AbstractComponent.onEvent(AbstractComponent.java:3177) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.AbstractComponent.service(AbstractComponent.java:3147) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.AbstractComponent.service(AbstractComponent.java:3089) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.impl.EventProcessor.process(EventProcessor.java:138) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.impl.UiEngineImpl.processEvent(UiEngineImpl.java:1846) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.impl.UiEngineImpl.process(UiEngineImpl.java:1618) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.impl.UiEngineImpl.execUpdate(UiEngineImpl.java:1321) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.process(DHtmlUpdateServlet.java:611) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.doGet(DHtmlUpdateServlet.java:487) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.doPost(DHtmlUpdateServlet.java:495) [zk-8.6.0.1.jar:8.6.0.1]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:660) [servlet-api.jar:?]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) [servlet-api.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:209) [spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at com.hybris.backoffice.mobile.filter.BackofficeMobileFilter.doFilter(BackofficeMobileFilter.java:56) [classes/:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at de.hybris.platform.servicelayer.web.WebAppMediaFilter.doFilter(WebAppMediaFilter.java:129) [coreserver.jar:?]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:329) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$StatisticsGatewayFilter.doFilter(AbstractPlatformFilterChain.java:417) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at com.hybris.backoffice.security.BackofficeDynamicCatalogVersionActivationFilter.doFilter(BackofficeDynamicCatalogVersionActivationFilter.java:81) [classes/:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.DataSourceSwitchingFilter.doFilter(DataSourceSwitchingFilter.java:66) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.SessionFilter.doFilter(SessionFilter.java:96) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.session.HybrisSpringSessionFilter.doFilter(HybrisSpringSessionFilter.java:74) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at com.hybris.cockpitng.modules.spring.filter.ExternalModuleContextClassLoaderFilter.doFilter(ExternalModuleContextClassLoaderFilter.java:37) [cockpit-module-aggregator-19.05.12-RC5.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.RedirectWhenSystemIsNotInitializedFilter.doFilter(RedirectWhenSystemIsNotInitializedFilter.java:101) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.TenantActivationFilter.doFilter(TenantActivationFilter.java:83) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.Log4JFilter.doFilter(Log4JFilter.java:44) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at com.hybris.backoffice.filter.responseheaders.BackofficeResponseHeadersFilter.doFilter(BackofficeResponseHeadersFilter.java:31) [classes/:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain.processStandardFilterChain(AbstractPlatformFilterChain.java:207) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain.doFilterInternal(AbstractPlatformFilterChain.java:184) [coreserver.jar:?]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at de.hybris.platform.servicelayer.web.XSSFilter.processPatternsAndDoFilter(XSSFilter.java:358) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.XSSFilter.doFilter(XSSFilter.java:306) [coreserver.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [catalina.jar:8.5.50]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.50]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543) [catalina.jar:8.5.50]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [catalina.jar:8.5.50]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.50]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.50]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) [catalina.jar:8.5.50]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [catalina.jar:8.5.50]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:609) [tomcat-coyote.jar:8.5.50]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:8.5.50]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:810) [tomcat-coyote.jar:8.5.50]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623) [tomcat-coyote.jar:8.5.50]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.50]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.50]
    at java.lang.Thread.run(Thread.java:834) [?:?]
1
hybris

1 Answers

0
votes

On further investion, it seems that OOTB employeegroup has no access to create an Employee. Also, it explictly does not have any right to change the groups attribute.

enter image description here

If you create a usergroup that is a member of employeegroup, and explicitly define create access for Employee, it still won't be able to assign groups to an Employee.

I think this behavior is expected, and is probably the result of ECP-2722 Preventing employee to assign himself administrator permissions.

Workarounds can either be:

  • Create Employee using via a user that belongs to admingroup
  • Explictly define write access to Employee.groups