Configuration user roles and permissions via API

ianlgnk · September 14, 2022, 7:22pm

Hello, there.

I’m using OpenBoxes to manage my stock on a system that I work for, and I have already done some things using OpenBoxes API. The problem is: I need to have an “Authorizations” Tab to manage on my system what my users can do on OpenBoxes, which means that I need to pass those roles returned by the endpoint “generic/api/role” and create this relation with a user. Table user_role on database.

Although, I’m using only the API to use OpenBoxes, and I couldn’t find a way to associate those roles with an user using API, only on the web application. I’ve already tried to pass the id of the Role on POST or PUT at the endpoint “generic/api/user” in the json like “roles”: [rulesId] but it gives me an internal error.

Does anyone has already faced this problem? Is there a new endpoint to manage this situation in development?

jmiranda · September 14, 2022, 8:17pm

Oooh that one is tricky. Let me play around with postman and try to see if I can do it.

jmiranda · September 14, 2022, 9:28pm

Something like this should work for adding a role to a user.

curl --location 
--request POST 'https://openboxes.ngrok.io/openboxes/api/generic/user/2' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data-raw '{
    "roles[0].id": "1"
}'

You can also clear roles by passing in an empty array

curl --location --request POST 'https://openboxes.ngrok.io/openboxes/api/generic/user/2' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data-raw '{
    "roles": []
}'

However, if you’re doing anything more complicated (i.e. adding multiple roles, removing specific roles, adding location roles, etc) then we’ll need to add a legitimate user management API.

For example, if I pass in the following payload

{
    "roles[0].id": "3",
    "roles[1].id": "5"
}

I would expect to see two roles (Browser, Superuser), but I get the Browser role twice for some reason.

mysql> select * from user_role where user_id = 2;
+---------+---------+
| user_id | role_id |
+---------+---------+
| 2       | 3       |
| 2       | 3       |
+---------+---------+
2 rows in set (0.01 sec)

Anyway, I hope this helps.

If you would like to see a User Management API, please raise a ticket and include your requirements. I can’t guarantee we’ll be able to get it done in a timely manner, but if it’s simple we’ll try to get it done for the next release.

ianlgnk · September 15, 2022, 12:17pm

Thanks! That should work, I’ll give a try right now.

Just another doubt, is there an endpoint to catch by user id his roles and permissions?

jmiranda · September 15, 2022, 1:54pm

You can retrieve the user’s “highest role” for the currently logged in user. As far as I remember, there’s currently no way to get all roles for any user.

As for permissions, roles are currently static so there are no permissions, just ACLs. In 0.8.19, the access rules are slightly configurable through runtime configuration (openboxes-config.groovy). See openboxes.security.rbac.rules in Config.groovy for more information.

openboxes.security.rbac.rules = [
        [controller: '*', actions: ['delete'], accessRules: [ minimumRequiredRole: RoleType.ROLE_SUPERUSER ]],
        [controller: '*', actions: ['remove'], accessRules: [ minimumRequiredRole: RoleType.ROLE_SUPERUSER ]],
        [controller: '*', actions: ['removeItem'],  accessRules: [ minimumRequiredRole: RoleType.ROLE_MANAGER ]],
        [controller: 'order', actions: ['remove'], accessRules: [ minimumRequiredRole: RoleType.ROLE_ASSISTANT ]],
        [controller: 'order', actions: ['removeOrderItem'], accessRules: [ minimumRequiredRole: RoleType.ROLE_MANAGER ]],
        ...
]

However, moving to a more dynamic role / permission mapping (i.e. allow system admins to configure roles and permissions in the database) will need to wait until we finish our migration to Grails 3.

And finally, here’s how to request the “highest role” data point from the API.

Request

GET https://<your-hostname>/openboxes/api/getAppContext

Response

{
   "data":{
      "user":{
         "id":"3",
         "name":"Justin Miranda",
         "firstName":"Justin",
         "lastName":"Miranda",
         "email":"justin@openboxes.com",
         "username":"jmiranda"
      },
      "location":{
         "id":"8a8a9e9665c4f59d0165c54ec6b10027",
         "name":"Distribution Center",
         // The following data was omitted for the sake of brevity
         // ...
      },
      "isSuperuser":true,
      "isUserAdmin":true,
      "supportedActivities":[
         "SEND_STOCK",
         "EXTERNAL",
         "ADJUST_INVENTORY",
         "RECEIVE_STOCK",
         "REQUIRE_ACCOUNTING",
         "MANAGE_INVENTORY",
         "PICK_STOCK",
         "FULFILL_REQUEST",
         "PLACE_REQUEST",
         "PUTAWAY_STOCK"
      ],
      "grailsVersion":"1.3.9",
      "appVersion":"0.8.19",
      "branchName":"master",
      "buildNumber":"v0.8.19",
      "environment":"production",
      "buildDate":"31 Aug 2022 08:14:01 PM",
      "ipAddress":"<redacted>",
      "hostname":"<redacted>",
      "timezone":"GMT",
      "activeLanguage":"en",      
      "highestRole":"Superuser",     
      "currencyCode":"USD",
      "localizedHelpScoutKey":"<redacted>",
      "isHelpScoutEnabled":true
   }
}