Share thing works with users from different domains

Question

Share thing works with users from different domains

nyagamunene opened this issue 22 days ago · comments

Steve Munene commented 22 days ago

What were you trying to achieve?

I'm trying to share and unshare a thing between domain mambers,

What are the expected results?

To successfully share thing between domain members only.

What are the received results?

It is possible to share a thing between members from different domains. Also unshare thing with a correct thing ID and a random user ID passes successfully, and it can be done multiple times successfully.

In what environment did you encounter the issue?

Docker

Steps To Reproduce

Create Domain1
create Domain2
Create User1 with the relation member in Domain1
As User1, create thing1 in Domain1
Create User2 with the relation member in Domain2
As User1, share thing1 with User2 with the following comand:

magistrala-cli things share <Thing_id> <User2_id> <User1_relation> <User1_token>

To unshare use this command:

 magistrala-cli things unshare <Thing_id> <User2_id> <User1_relation> <User1_token>

JMboya · Answer 1 · Tue Jun 18 2024 15:19:14 GMT+0800 (China Standard Time)

@dborovcanin @arvindh123 I tried to recreate this issue and found that user1 who has relationmember in domain1 cannot share thing1 which is in domain1 with user2 who has relation member in domain2. However, I did realize that super admin can share thing1 with user2. Is this supposed to be the case i.e super admin sharing thing between domains?

Arvindh · Answer 2 · Tue Jun 18 2024 15:32:26 GMT+0800 (China Standard Time)

@dborovcanin @arvindh123 I tried to recreate this issue and found that user1 who has relationmember in domain1 cannot share thing1 which is in domain1 with user2 who has relation member in domain2. However, I did realize that super admin can share thing1 with user2. Is this supposed to be the case i.e super admin sharing thing between domains?

@JeffMboya No it should not happen if user_2 is not in domain_1.

Dušan Borovčanin · Answer 3 · Tue Jun 18 2024 15:39:20 GMT+0800 (China Standard Time)

I confirm this is a bug. @JeffMboya please take this one.

Steve Munene · Answer 4 · Tue Jun 18 2024 21:42:18 GMT+0800 (China Standard Time)

@dborovcanin @arvindh123. On further testing with @JeffMboya, there was an oversight which we have caught and the superadmin cannot share a thing between users in different domains. The issue is on unsharing an entity with non exist users. The operation can be done multiple times as per this comment by @WashingtonKK.

Arvindh · Answer 5 · Tue Jun 18 2024 21:56:25 GMT+0800 (China Standard Time)

@dborovcanin @arvindh123. On further testing with @JeffMboya, there was an oversight which we have caught and the superadmin cannot share a thing between users in different domains. The issue is on unsharing an entity with non exist users. The operation can be done multiple times as per this comment by @WashingtonKK.

Yes , For unhare, the response should be no content , It doesn't tell you it is removed successfully.
This made like this to avoid finding the entity ids with brut force.
May be we can return 404 instead of no content

JMboya · Answer 6 · Tue Jun 18 2024 22:57:12 GMT+0800 (China Standard Time)

It doesn't tell you it is removed successfully.
This made like this to avoid finding the entity ids with brut force.
May be we can return 404 instead of no content

@nyagamunene for unshare operation, the policy is deleted for all users (whether the user is part of magistrala or non-existent/random) by design