Hybris UAC: сотрудник с правом доступа на создание Employee не может создать Employee - PullRequest
/ 14 апреля 2020

Hybris: 1905.9 (также протестировано с 1905.12)

Я создал сотрудника (Employee) testEmployee с паролем 1234 с помощью приведённого ниже ImpEx. Я выдал testEmployee права доступа на создание сотрудников (Employee) и клиентов (Customer), а также право на просмотр групп пользователей (UserGroup).

Через Backoffice этот testEmployee может создать клиента (Customer), но при попытке создать сотрудника (Employee) возникает ошибка.

Что я упускаю? Нужно ли выдавать права UAC ещё и на другие типы?

ПРИМЕЧАНИЯ:

  • Пользователь testBackofficeAdmin, принадлежащий backofficeadmingroup, не может создать ни Employee, ни Customer
  • Стандартный (OOTB) пользователь admin может создать Employee
  • Сотрудник, принадлежащий admingroup, может создать Employee

Impex:

# Password macro reused for both test accounts created below.
$password=1234

# Creates (or updates) two Employee users: testEmployee in employeegroup and
# testBackofficeAdmin in backofficeadmingroup. The password column is empty in
# both rows, so the header default ($password) is used. loginDisabled and
# backofficeLoginDisabled are false for both users.
INSERT_UPDATE Employee;UID[unique=true];password[default=$password];description;name;groups(uid);loginDisabled;backofficeLoginDisabled
;testEmployee;;description;name;employeegroup;false;false
;testBackofficeAdmin;;description;name;backofficeadmingroup;false;false

# Type-level access rights for testEmployee. The columns after Target are
# read;change;create;remove;change_perm.
#   Employee, Customer: + on read, change, create and remove
#   UserGroup:          + on read; - on change, create and remove
# change_perm is left empty on every row. Every Target here is a whole type;
# no attribute-level target (for example Employee.groups) is listed, and no
# rights are defined for testBackofficeAdmin.
$START_USERRIGHTS;;;;;;;;;
Type;UID;MemberOfGroups;Password;Target;read;change;create;remove;change_perm
Employee;testEmployee;employeegroup;$password;;;;;;
;;;;Employee;+;+;+;+;;
;;;;Customer;+;+;+;+;;
;;;;UserGroup;+;-;-;-;;
$END_USERRIGHTS;;;;;

Снимок экрана:

enter image description here

Stacktrace:

INFO  [hybrisHTTP17] [fe80:0:0:0:0:0:0:1%1] [ConfigurableFlowController] Object sampleEmployee [sampleEmployee] could not be saved
 com.hybris.cockpitng.dataaccess.facades.object.exceptions.ObjectSavePermissionException: Object sampleEmployee [sampleEmployee] could not be saved
    at com.hybris.cockpitng.dataaccess.facades.object.impl.PermissionAwareObjectFacade.save(PermissionAwareObjectFacade.java:125) ~[cockpit-data-integration-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.dataaccess.facades.object.impl.DefaultObjectFacade.save(DefaultObjectFacade.java:137) ~[cockpit-data-integration-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.ConfigurableFlowController.persistWidgetProperty(ConfigurableFlowController.java:1132) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.ConfigurableFlowController.persistProperties(ConfigurableFlowController.java:531) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.ConfigurableFlowController.doDone(ConfigurableFlowController.java:882) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.ConfigurableFlowController.doDone(ConfigurableFlowController.java:869) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.listener.TransitionListener.onEvent(TransitionListener.java:43) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.renderer.ConfigurableFlowRenderer.lambda$createAndAppendButton$13(ConfigurableFlowRenderer.java:1145) [backoffice-widgets-19.05.12-RC5.jar:?]
    at org.zkoss.zk.ui.AbstractComponent.onEvent(AbstractComponent.java:3177) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.AbstractComponent.service(AbstractComponent.java:3147) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.AbstractComponent.service(AbstractComponent.java:3089) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.impl.EventProcessor.process(EventProcessor.java:138) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.impl.UiEngineImpl.processEvent(UiEngineImpl.java:1846) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.impl.UiEngineImpl.process(UiEngineImpl.java:1618) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.impl.UiEngineImpl.execUpdate(UiEngineImpl.java:1321) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.process(DHtmlUpdateServlet.java:611) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.doGet(DHtmlUpdateServlet.java:487) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.doPost(DHtmlUpdateServlet.java:495) [zk-8.6.0.1.jar:8.6.0.1]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:660) [servlet-api.jar:?]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) [servlet-api.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:209) [spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at com.hybris.backoffice.mobile.filter.BackofficeMobileFilter.doFilter(BackofficeMobileFilter.java:56) [classes/:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at de.hybris.platform.servicelayer.web.WebAppMediaFilter.doFilter(WebAppMediaFilter.java:129) [coreserver.jar:?]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:329) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$StatisticsGatewayFilter.doFilter(AbstractPlatformFilterChain.java:417) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at com.hybris.backoffice.security.BackofficeDynamicCatalogVersionActivationFilter.doFilter(BackofficeDynamicCatalogVersionActivationFilter.java:81) [classes/:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.DataSourceSwitchingFilter.doFilter(DataSourceSwitchingFilter.java:66) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.SessionFilter.doFilter(SessionFilter.java:96) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.session.HybrisSpringSessionFilter.doFilter(HybrisSpringSessionFilter.java:74) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at com.hybris.cockpitng.modules.spring.filter.ExternalModuleContextClassLoaderFilter.doFilter(ExternalModuleContextClassLoaderFilter.java:37) [cockpit-module-aggregator-19.05.12-RC5.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.RedirectWhenSystemIsNotInitializedFilter.doFilter(RedirectWhenSystemIsNotInitializedFilter.java:101) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.TenantActivationFilter.doFilter(TenantActivationFilter.java:83) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.Log4JFilter.doFilter(Log4JFilter.java:44) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at com.hybris.backoffice.filter.responseheaders.BackofficeResponseHeadersFilter.doFilter(BackofficeResponseHeadersFilter.java:31) [classes/:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain.processStandardFilterChain(AbstractPlatformFilterChain.java:207) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain.doFilterInternal(AbstractPlatformFilterChain.java:184) [coreserver.jar:?]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at de.hybris.platform.servicelayer.web.XSSFilter.processPatternsAndDoFilter(XSSFilter.java:358) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.XSSFilter.doFilter(XSSFilter.java:306) [coreserver.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [catalina.jar:8.5.50]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.50]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543) [catalina.jar:8.5.50]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [catalina.jar:8.5.50]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.50]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.50]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) [catalina.jar:8.5.50]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [catalina.jar:8.5.50]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:609) [tomcat-coyote.jar:8.5.50]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:8.5.50]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:810) [tomcat-coyote.jar:8.5.50]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623) [tomcat-coyote.jar:8.5.50]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.50]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.50]
    at java.lang.Thread.run(Thread.java:834) [?:?]

1 Ответ

/ 17 апреля 2020

При дальнейшем изучении выяснилось, что стандартная (OOTB) группа employeegroup, по-видимому, не имеет права на создание Employee. Кроме того, у неё явно нет права изменять атрибут groups.

enter image description here

Если создать группу пользователей, входящую в employeegroup, и явно выдать ей право на создание Employee, её участник всё равно не сможет назначать группы сотруднику.

Я думаю, что это ожидаемое поведение и, вероятно, следствие ECP-2722 «Запретить сотруднику назначать себе права администратора».

Обходными путями могут быть:

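  • Создание сотрудника от имени пользователя, принадлежащего к группе admingroup
  • Явное предоставление права на запись для атрибута Employee.groups (это снимает именно то ограничение, которое, по предположению выше, вводит ECP-2722, поэтому такое право имеет смысл выдавать только отдельной доверенной группе, а не всей employeegroup)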
...