Disabling ACLs has no effect


#1

On 7.6, I’m trying to disable ACLs so that I gain access to all instances of Facility, I tried the following:

> EnableAclPrivilege.get('facility_acl_controlled')
{enabled: false, id: "facility_acl_controlled", version: 1, name: "Facility Acl Controlled", meta: C3.t…s.Obj, …}
> EnableAclPrivilege.get('facility_acl_controlled').putField('enabled', false).merge()
{enabled: true, id: "facility_acl_controlled", version: 1, meta: C3.t…s.Obj, versionEdits: Array(0), …}

The returned object has enabled set to true which is weird, because enabled was false and reset to false.
I have the same strange behavior when disabling EnableAclPrivilege with id fixedAsset_acl_controlled.
I tried to remove these EnableAclPrivilege but it with no effect, same behavior persists:

EnableAclPrivilege.removeSeedData(EnableAclPrivilege.get('fixedAsset_acl_controlled'))

Now when I try to fetch facilities I see nothing, which confirm that the ACLs are still enforced even after multiple calls to:

> Facility.populateAcl()
 4

Am I disabling ACLs the wrong way?


#2

That is a valid method of updating EnableAclPrivilege.

If no other user or process has updated facility_acl_controlled to set it to true after you set it to false, the behavior you describe sounds to me like an error.


#3

I have noticed this behavior (bug) also. It appears to be related to the recently introduced “facadedFetchTags” feature.

I bet you can get around it until the bug is fixed with the following command: EnableAclPrivilege.merge({id: 'facility_acl_controlled', enabled: false}, {ignoreFacadeWriteTag: true})


#4

There is another possibility though:

The default value on EnableAclPrivilege is true, so I suspect that what actually may be happening is:

  1. the EnableAclPrivilege is set to false, but since only the id of the object is returned from the call to merge, you are seeing instead the default value being listed
  2. if you then retrieved the value with get you would see false
  3. when you call removeSeedData, you remove the object where you have set it to false

#5

Thanks @seth.horrigan that may explain the returned true on merge!
Thanks @rileysiebel for the suggesting, but it seems that ignoreFacadeWriteTag does not exist on MergeSpec:

C3Error: Cannot convert object to MergeSpec for merge argument spec: Extraneous property "ignoreFacadeWriteTag" on object type "MergeSpec".
value: {"type":"MergeSpec"} [InvalidInputParam]
    at convertValue (https://tenant.c3iot.com/typesys/1/all.js?env=browser&compat:1459:11)
    at Object._call (https://tenant.c3iot.com/typesys/1/all.js?env=browser&compat:2555:23)
    at Object.eval (eval at get (https://tenant.c3iot.com/typesys/1/all.js?env=browser&compat:2961:20), <anonymous>:5:15)
    at <anonymous>:1:20

#6

It appears the update did not take place ( see the version number). It may be due to fetchTags defined on EnableAclPrivilege type. Also EnableAclPrivilege is not a SeedData type.
Can you switch to tenant/c3 tag and update that. ( It appears the this bug might have been fixed in later version)


#7

Good catch for the version, but what I have to do after switching to tenant/c3 tag? just update this EnableAclPrivilege?

But it mixes PrivilegeBase which itself mixes SeedData!


#8

try updating value to false, see if it fixes. I see, it may be SeedData.


#9

The following should work:

EnableAclPrivilege.merge({id:"facility_acl_controlled", enabled:false}, {ignoreFacadeWriteTag:true})

Please refer to the UpsertSpec type to understand the implications of ignoreFacadeWriteTag.


#10

Does not exists, neither on UpsertSpec nor on MergeSpec, I’m on 7.6! I’ve the Extraneous error as above


#11

@pavan.nandikonda same thing when switching to tag c3, cannot update it to false !

> EnableAclPrivilege.merge({id: 'facility_acl_controlled', enabled: false})
{enabled: true, id: "facility_acl_controlled", version: 1, meta: C3.t…s.Obj, versionEdits: Array(0), …}

> EnableAclPrivilege.get('facility_acl_controlled').putField('enabled', false).merge()
{enabled: true, id: "facility_acl_controlled", version: 1, meta: C3.t…s.Obj, versionEdits: Array(0), …}

#12

@bachr have you tried:
EnableAclPrivilege.merge({id: 'facility_acl_controlled', enabled: false}).get()?


#13

Oh this gives the right false value, but I still cannot see the facilities!

> EnableAclPrivilege.merge({id: 'facility_acl_controlled', enabled: false}).get()
{enabled: false, id: "facility_acl_controlled", version: 1, name: "Facility Acl Controlled", meta: C3.t…s.Obj, …}
> c3Count(Facility)
1
> Facility.populateAcl()
4
> c3Count(Facility)
1

#14

see AclPrivilegesCache.isEnabled({typeName: ‘Facility’});
AclPrivilegesCache.clear()


#15

@pavan.nandikonda we did that and it didn’t help, still cannot see all facilities


#16

It turns out the Facility data had a wrong typeIdent due to the migration from 7.2, we just fixed this field (manually) and data became fetch-able.