Not able to see actions granted by instance delegation on apps #664
github-project-automation bot moved this to Nye issues in ⚠️ Dialogporten / Arbeidsflate - GAMMEL - se https://github.com/orgs/Altinn/projects/146 ⚠️ Apr 22, 2024
7 tasks
elsand added a commit that referenced this issue Apr 22, 2024
In order to support app instances in the Dialogporten, we need to be able to refer to apps as service resources

## Description

This adds support for urn:altinn:app in dialog validator and Altinn auth helpers, and changes the Resource Registry client to use the "resourcelist" endpoint, which includes Altinn 3 apps (unfortunately this also includes Altinn 2 services, which balloons the response size considerably, but this is filtered before storing to cache). The Fusion cache settings have been changed to reflect this (i.e. increasing factory timeouts).

Yet to be fixed:

- [x] ~~Handling of "ttd" services (the Digdir test organization). These contain an empty string as "organization" in the RR, where there usually is an organization number. Special code will be required to handle TTD service authorization and dialog.org population.~~ Moved to #663
- [x] ~~Handling of app instance delegations. Since app instance ids are a bit weird (has the form `{partyId}/{instanceId}`) we cannot just map the dialogId to `urn:altinn:instance-id` (like we do with resource id) as this will cause an exception in the PDP API. Preferably the PDP context handler should be able to deal with this, and map the missing partyId into the instance-id (since it needs to get the partyId for organizationnumbers/SSNs anyway)~~ Moved to #664
- [x] ~~Handling of resource constraints for app in the authorization requests for search. Currently we assume name of the resource to be unique, but an app-name may be reused between service owners.~~ Edit: we include the reserved `app_{org}_` prefix, avoiding this potential ambiguity.

## Related Issue(s)

- #651

## Verification

- [x] **Your** code builds clean without any errors or warnings
- [x] Manual testing done (required)
- [x] Relevant automated test added (if you find this hard, leave it and we'll help out)

## Documentation

- [ ] Documentation is updated (either in `docs`-directory, Altinnpedia or a separate linked PR in [altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if applicable)
elsand moved this from Nye issues to Backlog in ⚠️ Dialogporten / Arbeidsflate - GAMMEL - se https://github.com/orgs/Altinn/projects/146 ⚠️ Apr 30, 2024
This should be taken into account in #56
elsand added the waiting (Waiting for other tasks to complete or blocked by other factors) label Jan 15, 2025
Blocked until Altinn/altinn-access-management#658 is delivered
Description
The process to ascertain authorized actions/subresources for a detail view of a dialog does not take into account instance delegations of apps. We assume that the dialogId is the same as the app instance id. This is due to the Altinn PDP requiring a party-id being presented alongside the instance-id as the `urn:altinn:instance-id` attribute. Dialogporten does not (without performing a look) have any information about partyId, and thus cannot include a valid instance id in the PDP request.
Reproduction
(this cannot be reproduced as of now, due to missing functionality)
Expected behavior
The user should be authorized for the write actions
Actual behavior
The user is not authorized for the write action
Additional information
This will probably have to be fixed within the PDP/context handler, and not via Dialogporten.
See Slack thread.