Change password via REST not possible for non-administrator / HTTP 403 Forbidden

1
+1
-1

Hi dear community,
I've built a Live Application that is called "Set your password".

This live application just has two input fields and one button.
The button sends the request to the Bonita API via put.

The payload is generated via Javascript:
var payload = { "password": $data.newPass, "password_confirm": $data.newPassRepeat };

The API is called via:
../API/identity/user/{{ userId.user_id }}

If I use this as an administrator, it works, as a user I get a 403 forbidden error. Why?

And if this is meant to be: How to have a self service password setting (not resetting) tool? I didn't want to set up a process just for that and also not to involve another backend...

Maybe the role settings can be adjusted somewhere?

Thank you for ideas & help!
Valerio

Comments

Submitted by Quentin Choulet on Wed, 02/10/2016 - 10:36

This is wierd, I've implemented it for my own application and it works fine. Did you change any REST API authorization settings ?

Submitted by valerioneri.de on Wed, 02/10/2016 - 14:30

Thank you for your answer, no I haven't changed anything
In the response I get:
Access to the specified resource () has been forbidden.

Any ideas?? :)
Thanks!

Submitted by Quentin Choulet on Wed, 02/10/2016 - 16:25

With the defaults settings any user should be able to do a request on the REST API to change his password. Are you sure you use the id of the connected user ?

Submitted by valerioneri.de on Wed, 02/10/2016 - 17:24

I do a put on this
/bonita/API/identity/user/{{ userId.user_id }}

and get via API like this
userId /bonita/API/system/session/unusedid

and I get username and userId, and use it in the PUT

Where can I check the authorization settings?
Thanks Quentin

Submitted by Quentin Choulet on Wed, 02/10/2016 - 17:32

Authorization are set in several files located in
BONITA_HOME\client\tenants\1\conf

Take a look at the documentation to understand the role of each file

Submitted by valerioneri.de on Fri, 02/12/2016 - 11:38

Hi Quentin, thank you again.
I've checked the static permissions and the line that should be taken into accout is the following:

PUT|identity/user=[organization_management]

Has it something to do with this maybe?
compund permissions
custompage_passwordReset=[profile_visualization, tenant_platform_visualization, organization_visualization]

If yes: can I just set it in this file or will it be overwritten with every resource update? Or when can it be set in the designer?

Thank you very much! (no one else had this problem yet? ) :)
Valerio

Submitted by Quentin Choulet on Fri, 02/12/2016 - 15:23

If I remember well, static permissions defines wich permissions are needed to access an API resource and compound permissions defines which permissions are needed by the page. Here organization_management is missing from the list. Try adding it and restart the web server.

Submitted by Quentin Choulet on Fri, 02/12/2016 - 15:44

No wait, I'm wrong :

The compound-permissions-mapping.properties file defines sets of simple permissions that are grouped together into a compound permission. You can use a compound permission as "shorthand" for a list of simple permissions. By default, the file contains a compound permission that corresponds to each page of the Bonita BPM Portal, including custom pages.

So, custompage_passwordReset is a set of permissions but I don't know if Bonita is granting this set of permissions to any user by default, which might be the problem. You can solve your problem by adding organization_management to the custompage set and add the following line in custom permissions maping : profile|User=[custompage_passwordReset]. However, this will allow every user to change the password of any other.

**Edit ** : Actually, you can do something more clever with dynamic checks. Locate the line corresponding to PUT|identity/user in dynamic-permissions-checks.properties, uncomment it an voilĂ  ! Users can now change only their own password.

Dynamic checks are groovy rules granting access to API resource, Bonita provides a bunch of them but they are all deactivated by default. I strongly recommend you to activate most them to secure the REST API.

Submitted by valerioneri.de on Fri, 02/12/2016 - 15:39

Thanks Quentin, I was fearing this

However, this will allow every user to change the password of any other.

I will call a backend and the backend will impersonate the admin... I could be anyway useful for the future versions, to allow users to change their own password/profile information

Thank you
Valerio

Submitted by Quentin Choulet on Fri, 02/12/2016 - 15:45

Actually, there is another way, I updated my previous comment

1 answer

1
+1
-1
This one is the BEST answer!

Thank you Quentin, it works!

So: BONITA_HOME\client\tenants\1\conf\dynamic-permissions-checks.properties
uncomment this:

PUT|identity/user=[profile|Administrator, check|UserPermissionRule]

Restart Bonita & Application Server

@Quentin: could you post this as an answer, so I can mark the question as answered, for the posterity...

Notifications