Bug Report: Node JS: Multiple Roles not working

crystaltaggart · December 3, 2020, 4:28pm

OS info

Operating System : Mac OSX 20.1.0
Wappler Version : 3.5.6
**App Engine: NodeJs

Problem description

I have an admin page that I want to restrict to an Admin or Super Admin role. When I restrict the security, I’m always getting the ‘unauthorized’ error when accessing the api.

Steps to reproduce

I created 5 different roles in my Security Provider
I’ve tried 2 different ways to define the role:
Using Equals

Screen Shot 2020-12-01 at 6.29.36 AM757×553 30 KB

Or using an IN statement:

Screen Shot 2020-12-01 at 6.29.45 AM749×546 27.5 KB
On my server connect I have three permissions defined:

Screen Shot 2020-12-01 at 6.31.34 AM466×846 35.6 KB
I login with an admin user and the response is pulling back my 403 screen. Note on this page the first API call uses a Security Restrict (all users), second has no security restrict, third has the security restrict options from the screenshot above:

Screen Shot 2020-12-01 at 6.33.56 AM712×975 107 KB

Teodor · December 1, 2020, 1:39pm

patrick · December 1, 2020, 1:56pm

Perhaps it is not clear for a lot of users, but there is a difference between permission and role based security. Wappler uses permission based, which means you tell which permissions are required (read AND write), while with role based you tell which roles are allowed to access (admin OR user). The difference is that with permissions it must match all while with roles it must match one of them.

So the behavior is not a bug, but I will have a look if we perhaps could update the security provider to support AND and OR for the restrictions.

crystaltaggart · December 1, 2020, 2:07pm

That makes sense, however, I’m still getting the error when I tried the following:

I updated my Security Provider to have a permission name of ‘Admin’ using an IN statement, then using ‘Admin’ as the role and still get a 403 error:

And then set up my Security Restrict to only use Admin:

Still getting 403 error:
Screen Shot 2020-12-01 at 7.06.28 AM

Is there a different way that I should be setting up the permissions? I tried to follow that other article and came up with the above solution.

patrick · December 1, 2020, 10:12pm

Seems you found a bug, the in operator seems not to be working. Here an update, unzip in lib/auth.

database.zip (740 Bytes)

crystaltaggart · December 2, 2020, 12:35pm

I tried the update, still getting the same 403 error.

patrick · December 2, 2020, 12:41pm

I think you have the permission setup incorrectly. I see you set role as identity column (this should point to the column containing the user identity), I think this should be user_id seeing that it uses the user table.

crystaltaggart · December 2, 2020, 12:43pm

That was it. Thanks much!

Teodor · December 3, 2020, 4:28pm

Teodor · December 3, 2020, 4:28pm

Teodor · December 3, 2020, 4:29pm

This has been fixed in Wappler 3.5.7

Teodor · December 5, 2020, 4:00pm

This topic was automatically closed after 47 hours. New replies are no longer allowed.