API permissions - User who has permission on DataSource cannot create Datapoint to that source.

Balistar

A attempt will be awarded a 422 http code. "Must retain permission". Not a 401 "Not Authorized". So perhaps I am missing something.

I am not sure if this makes sense. If the admin chooses to give a user edit access to a DataSource, it seems logical that that user should also be able to create DataPoints. If the admin is concerned with DataSource security, the admin should not give the user edit permission to the DataSource, but only to DataPoints.

MattFox

What version of mango are you using?
I've got users who have edit access to virtual datasources and are able to create their own points/save tags etc on the fly.

Fox

Balistar

Fox. Running Core 3.7.3.

Admin creates new USER. Admin creates DataSource and gives READ and WRITE access to new user ONLY for that DataPoint.

New USER can EDIT DataSource, but cannot create DataPoints .Both through GUI and API with JWT.

Once Admin Creates a new DataPoint for that DataSource new user can edit that DataPoint.

The intent of Permission to a DataSource works correctly after Admin has created one and assigned read/write permissions for that DataSource to a User, that User has edit/set ability to all DataPoints of that DataSource without that user having explicit read/write permission to those DataPoints. I guess permission inheritance works for this.

MattFox

@balistar Correct, you need edit permissions for a Datasource for a user because what they are doing is amending the datasource in the order of its points. The read/edit permissions for points more directly relate to point values rather than amending the points themselves.

Balistar

Thanks for your fast response.

I am probably missing something.

New DataSource created by Admin. User (emon3175585) given permission to edit the DataSource.

Yet, when user (emon3175585) logs in, the user cannot create new DataPoint.

MattFox

@balistar said in API permissions - User who has permission on DataSource cannot create Datapoint to that source.:

emon3175585

Your user emon3175585
must have permission emon3175585 assigned to it for it to work.

Fox

Balistar

Naturally. But that was set already:

MattFox

Strange the lack of role would explain the error...
console is still giving you the same exact error??

Balistar

There is no console error because there is no SAVE button to press.

Using the API with JWT issued to user emon3175585:

curl --location --request POST 'http://xx.xx.xx.xx:8080/rest/v2/data-points' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJFUzUxMiJ9.eyJzdWIiOiJlbW9uMzE3NTU4NSIsImV4cCI6MTU4MTk5NjgxMywiaWQiOjQsInYiOjEsInR5cCI6ImF1dGgifQ.AClqeOT6yAQCjGMYfXaMlDVgAcVOftGy3TSCrjxWat-Iz2yFut5nP4wntnE1xas3VtieFbxVwffbhmXwngPhHi8VAEFPPoaCD11unJ5_VTVWJkwnx73Eq8L2sbI9abLVM_CXXXXXXXXXXXXXX' \
--data-raw '{
  "name": "test12-test2",
  "xid": "test12-test2",
  "dataSourceXid" : "test12",
  "pointLocator" : {
       "startValue" : "0",
       "modelType" : "PL.VIRTUAL",
       "dataType" : "NUMERIC",
       "settable" : true,
       "changeType" : "NO_CHANGE",
       "max": 100,
       "maxChange": 0.01,
       "min": 0
    }
}'

Results in error: 422 Unprocessable Entity

{
  "result": {
    "messages": [
      {
        "level": "ERROR",
        "message": "Must retain permission",
        "property": "readPermission"
      },
      {
        "level": "ERROR",
        "message": "Must retain permission",
        "property": "setPermission"
      }
    ]
  },
  "mangoStatusCode": 4002,
  "mangoStatusName": "VALIDATION_FAILED",
  "localizedMessage": "Validation failed"
}

MattFox

I see now, I think you're missing properties!
If you go to the swagger ui and pull a point by it's xid for an example, use that as a foundation and make your amendments, then fire that back in.
EDIT: at least add your user to have read only permission or else it cannot pull it through,

Fox

Balistar

Thanks. My goal is to keep the API request JSON as small as possible, so I omitted as much as possible to the POST request to create a DP. Too much.

You are right.

  "readPermission":"emon3175585",
  "setPermission":"emon3175585",

needed to be added.

{
  "name": "test12-test2",
  "xid": "test12-test2",
  "dataSourceXid" : "test12",
  "readPermission":"emon3175585",
  "setPermission":"emon3175585",
  "pointLocator" : {
       "startValue" : "0",
       "modelType" : "PL.VIRTUAL",
       "dataType" : "NUMERIC",
       "settable" : true,
       "changeType" : "NO_CHANGE",
       "max": 100,
       "maxChange": 0.01,
       "min": 0
    }
}

My concern is the API, so that is solved.

The GUI DP creation permission may still have a problem as there is no SAVE button.

MattFox

Save is a private call inside mango's mangoUI.
You may as well use a controller, create a new point instance from the maPoint service, amend all of the values you need, then call

myNewPoint.$save(); //this is a post call

For amendments use

myNewPoint.$update(); //this is a put call

Attach those function calls to your own buttons, unless you're saying you're still having issues with the UI....

Balistar

No need for MangoUI other than now and then do Admin stuff, We use our own Dashboards.

The API will be used in device on-boarding. Admin creates User, JWT, DataSource (device). Sets new user role to DataSource. This info will be set in device, which creates its own DataPoints (15 to 50) and uploads measuring data to the system from then on.

The JWT is not ideal from a security stand point, but good enough got us at the moment.

MattFox

Looks like you've got it sorted, nicely done.