key/fqfield error when requesting restricted field #789
Comments
|
Sending the correct status is quite important here as the client uses that information to control certain recovery logic. When resolving a long polling connection with a status code 200 the client currently assumes that the connection could be reopened immediately after a health check (for example after a reboot of the service). |
|
I can not reproduce the error. I saved your request in a file called When anonymous is disabled, I get an empty response: This is correct, since the anonymous can not see the user. When I activate anonymous user for meeting 1, I get the following response: To enable the anonymous user, I called: |
|
I cannot reproduce this anymore. |
|
I ran into this issue again today with current main. |
Can you tell me as detailed as possible, how I can reproduce it? |
|
I am using the dev setup with its unchanged example data ( When I do the first step as you described it: I get |
|
I can reproduce this. |
When the restrictor depends on db-values of the request user, then it has to pay attanchen, that the request is not send for the anonsmous user (userID==0) since the anonyomus user is not in the database. There were two cases, where a check was missing. This PR adds these checks. Fixes OpenSlides#789
|
I had another look and was able to reproduce it. The problem was the field The reason for that error was, that I checked the DB-Field I checked all other places, where I do a DB request for the request user and found another case for the personal_note. I am confident, that I found all places and that the error should not happen again (future changes not included). |
When the restrictor depends on db-values of the request user, then it has to pay attanchen, that the request is not send for the anonsmous user (userID==0) since the anonyomus user is not in the database. There were two cases, where a check was missing. This PR adds these checks. Fixes #789
When the restrictor depends on db-values of the request user, then it has to pay attanchen, that the request is not send for the anonsmous user (userID==0) since the anonyomus user is not in the database. There were two cases, where a check was missing. This PR adds these checks. Fixes #789
When requesting the following payload without an authentication token set an error is sent which does not seem right.
Request:
[ { "collection": "user", "ids": [ 1 ], "fields": { "default_password": null, "can_change_own_password": null, "title": null, "first_name": null, "last_name": null, "pronoun": null, "username": null, "gender": null, "default_number": null, "default_structure_level": null, "default_vote_weight": null, "is_physical_person": null, "is_active": null, "meeting_ids": null, "saml_id": null, "email": null, "last_email_sent": null, "last_login": null, "organization_management_level": null, "committee_ids": null, "committee_management_ids": null, "meeting_user_ids": { "type": "relation-list", "collection": "meeting_user", "fields": { "about_me": null, "user_id": null, "meeting_id": null, "group_ids": null, "vote_delegated_to_id": null, "vote_delegations_from_ids": { "type": "relation-list", "collection": "meeting_user", "fields": { "meeting_id": null, "group_ids": null, "id": null, "user_id": { "type": "relation", "collection": "user", "fields": { "title": null, "first_name": null, "last_name": null, "pronoun": null, "username": null, "gender": null, "default_number": null, "default_structure_level": null, "default_vote_weight": null, "meeting_user_ids": null, "id": null } } } }, "vote_weight": null, "comment": null, "structure_level": null, "number": null, "id": null } }, "is_present_in_meeting_ids": null, "id": null } } ]Error:
{ "error": { "type": "invalid", "msg": "the key/fqfield is invalid: user/0/organization_management_level" } }Besides from that the error message is sent with a status code 200. It would be better to receive an authentication error or at least a non ok status code in that case.
The text was updated successfully, but these errors were encountered: