Details
- Bug
- Status: Closed
- Resolution: Fixed
- 6.1.X EE, 6.2.X EE, 7.0.X, 7.1.X, Master
- 7.1.x, 7.0.x
- Committed
- 3
- Accessibility
Description
We're running into this exception (403 Forbidden) when trying to invoke get-company-users and then get-contact for each returned user.
2018-07-19 21:52:33.023 INFO 54 --- [Timer-0] c.l.o.a.d.e.dog.impl.UserDogImpl : Body: {"$user = /user/get-company-users":{"companyId":20115,"start":0,"end":500,"$contact = /contact/get-contact":{"@contactId":"$user.contactId"}}}
2018-07-19 21:52:33.439 ERROR 54 --- [Timer-0] .a.d.e.b.OSBAsahDXPExtractorBotTimerTask : org.springframework.web.client.HttpClientErrorException: 403 Forbidden
org.springframework.web.client.HttpClientErrorException: 403 Forbidden
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:63) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
    at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:700) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:653) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:531) ~[spring-web-4.3.11.RELEASE.jar:4.3.11.RELEASE]
    at com.liferay.osb.asah.dxp.extractor.spring.http.HttpUtil.get(HttpUtil.java:67) ~[main/:na]
    at com.liferay.osb.asah.dxp.extractor.client.impl.DXPClientImpl._get(DXPClientImpl.java:83) ~[main/:na]
    at com.liferay.osb.asah.dxp.extractor.client.impl.DXPClientImpl.getJSONArray(DXPClientImpl.java:44) ~[main/:na]
    at com.liferay.osb.asah.dxp.extractor.dog.impl.UserDogImpl.getCompanyUsersJSONArray(UserDogImpl.java:58) ~[main/:na]
    at com.liferay.osb.asah.dxp.extractor.bot.OSBAsahDXPExtractorBot$4.paginate(OSBAsahDXPExtractorBot.java:301) ~[main/:na]
    at com.liferay.osb.asah.common.json.JSONArrayPaginator.<init>(JSONArrayPaginator.java:37) ~[com.liferay.osb.asah.common-1.0.0-20180712.210807-37.jar:na]
    at com.liferay.osb.asah.common.json.JSONArrayPaginator.<init>(JSONArrayPaginator.java:25) ~[com.liferay.osb.asah.common-1.0.0-20180712.210807-37.jar:na]
    at com.liferay.osb.asah.dxp.extractor.bot.OSBAsahDXPExtractorBot$4.<init>(OSBAsahDXPExtractorBot.java:295) ~[main/:na]
    at com.liferay.osb.asah.dxp.extractor.bot.OSBAsahDXPExtractorBot.populateUsers(OSBAsahDXPExtractorBot.java:295) ~[main/:na]
    at com.liferay.osb.asah.dxp.extractor.bot.OSBAsahDXPExtractorBot.populateCompanies(OSBAsahDXPExtractorBot.java:161) ~[main/:na]
    at com.liferay.osb.asah.dxp.extractor.bot.OSBAsahDXPExtractorBot.populate(OSBAsahDXPExtractorBot.java:133) ~[main/:na]
    at com.liferay.osb.asah.dxp.extractor.bot.OSBAsahDXPExtractorBot.run(OSBAsahDXPExtractorBot.java:79) ~[main/:na]
    at com.liferay.osb.asah.dxp.extractor.bot.OSBAsahDXPExtractorBotTimerTask._run(OSBAsahDXPExtractorBotTimerTask.java:143) ~[main/:na]
    at com.liferay.osb.asah.dxp.extractor.bot.OSBAsahDXPExtractorBotTimerTask.run(OSBAsahDXPExtractorBotTimerTask.java:62) ~[main/:na]
    at java.util.TimerThread.mainLoop(Timer.java:555) [na:1.8.0_171]
    at java.util.TimerThread.run(Timer.java:505) [na:1.8.0_171]
We figured that omniuser doesn't have permission to VIEW the default user.
We confirmed with these steps:
1. Spin up a fresh DXP instance
2. Log in with omniadmin user [email protected]
3. Through /api/jsonws, invoke get-companies to get companyId
[ { "accountId": "20117", "active": true, "companyId": "20115", "homeURL": "", "key": "/Y4qoMyBD164al+vwqY9LA==", "logoId": "0", "maxUsers": 0, "mvccVersion": "1", "mx": "liferay.com", "system": false, "webId": "liferay.com" } ]
4. Invoke get-company-users with companyId from result above (20115) (start -1, end -1)
[ { "agreedToTermsOfUse": true, "comments": "", "companyId": "20115", "contactId": "20120", "createDate": 1532021961711, "defaultUser": true, "emailAddress": "", "emailAddressVerified": false, "facebookId": "0", "failedLoginAttempts": 0, "firstName": "", "googleUserId": "", "graceLoginCount": 0, "greeting": "Welcome!", "jobTitle": "", "languageId": "en_US", "lastFailedLoginDate": null, "lastLoginDate": null, "lastLoginIP": "", "lastName": "", "ldapServerId": "0", "lockout": false, "lockoutDate": null, "loginDate": 1532021961407, "loginIP": "", "middleName": "", "modifiedDate": 1532022110986, "mvccVersion": "2", "openId": "", "portraitId": "0", "reminderQueryAnswer": "", "reminderQueryQuestion": "", "screenName": "20119", "status": 0, "timeZoneId": "UTC", "userId": "20119", "uuid": "63fd8e01-5c28-5398-45ed-bb4b37d4e8a0" }, { "agreedToTermsOfUse": true, "comments": "", "companyId": "20115", "contactId": "20157", "createDate": 1532021963255, "defaultUser": false, "emailAddress": "[email protected]", "emailAddressVerified": true, "facebookId": "0", "failedLoginAttempts": 0, "firstName": "Test", "googleUserId": "", "graceLoginCount": 0, "greeting": "Welcome Test Test!", "jobTitle": "", "languageId": "en_US", "lastFailedLoginDate": null, "lastLoginDate": 1532022616837, "lastLoginIP": "10.255.0.13", "lastName": "Test", "ldapServerId": "-1", "lockout": false, "lockoutDate": null, "loginDate": 1532037295748, "loginIP": "10.255.0.13", "middleName": "", "modifiedDate": 1532037295748, "mvccVersion": "9", "openId": "", "portraitId": "0", "reminderQueryAnswer": "test", "reminderQueryQuestion": "what-is-your-father's-middle-name", "screenName": "test", "status": 0, "timeZoneId": "UTC", "userId": "20155", "uuid": "41e1579e-c58e-4012-d02b-4538c760351b" } ]
5. Invoke get-user-by-id with the Id of the default user from result #4 (20119)
"User 20155 must have VIEW permission for com.liferay.portal.kernel.model.User 20119"
6. Invoke get-contact with the contactId of the default user from result #4 (20120)
"User 20155 must have VIEW permission for com.liferay.portal.kernel.model.User 20119"
Expected:
Omniadmin user should be able to "VIEW" default user using get-user-by-id and get-contact, since it was able to "VIEW" default user using get-company-users
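A regression check for the mismatch described above, as an added example that is not part of the original ticket or Liferay's code: it walks the records returned by the list call and probes each one with the per-record calls, reporting any record the list exposes but a direct fetch refuses. `StubPortal` and `find_inconsistencies` are hypothetical names, and the stub only replays the responses quoted in the report (trimmed, constructed sample data) so the check runs offline.

```python
import re

# Constructed sample data: trimmed from the get-company-users response in the report.
COMPANY_USERS = [
    {"userId": "20119", "contactId": "20120", "defaultUser": True},
    {"userId": "20155", "contactId": "20157", "defaultUser": False},
]
# Shape of the denial message quoted in steps 5 and 6.
DENIAL = re.compile(
    r"User (?P<actor>\d+) must have (?P<action>\w+) permission for "
    r"(?P<model>[\w.]+) (?P<pk>\d+)"
)

class StubPortal:
    """Hypothetical offline stand-in that replays the behaviour in the report."""
    def __init__(self, actor_id, denied_user_ids):
        self.actor_id, self.denied = actor_id, set(denied_user_ids)

    def _check(self, user_id):
        if user_id in self.denied:
            raise PermissionError(
                f"User {self.actor_id} must have VIEW permission for "
                f"com.liferay.portal.kernel.model.User {user_id}")

    def get_company_users(self):
        return list(COMPANY_USERS)  # as observed: the default user is included

    def get_user_by_id(self, user_id):
        self._check(user_id)
        return next(u for u in COMPANY_USERS if u["userId"] == user_id)

    def get_contact(self, contact_id):
        owner = next(u for u in COMPANY_USERS if u["contactId"] == contact_id)
        self._check(owner["userId"])  # contact access is tied to its user
        return {"contactId": contact_id}

def find_inconsistencies(portal):
    """Return (call, argument, denied pk, defaultUser) for each list/fetch mismatch."""
    findings = []
    for user in portal.get_company_users():
        probes = (("get-user-by-id", portal.get_user_by_id, user["userId"]),
                  ("get-contact", portal.get_contact, user["contactId"]))
        for name, call, arg in probes:
            try:
                call(arg)
            except PermissionError as exc:
                m = DENIAL.search(str(exc))
                findings.append((name, arg, m["pk"] if m else None, user["defaultUser"]))
    return findings
```

An empty result means every record the list call returns can also be fetched directly; any entry is a record where the two authorization paths disagree.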