Details
Bug
Resolution: Unresolved
Medium
None
4.6.x-dev, 4.5.1, 3.3.34
Ibexa Open Source
Description
The /user/roles/{id}/policies endpoint accepts the following PolicyCreate payload:
<?xml version="1.0" encoding="UTF-8"?>
<PolicyCreate>
  <module>content</module>
  <function>create</function>
  <limitations>
    <limitation identifier="Class">
      <values>
        <ref href="2"/>
      </values>
    </limitation>
    <limitation identifier="ParentClass">
      <values>
        <ref href="1"/>
      </values>
    </limitation>
  </limitations>
</PolicyCreate>
The href attribute is clearly malformed. Either ref should provide it as its value, or the href attribute should be properly parsed, as it should be possible to reference every value passed here via a REST resource. The latter option is a bit more challenging because we would need to provide BC for the current behavior.
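
One way the second option could keep backward compatibility, as an added example that is not Ibexa's code and not part of the original report: a parser that accepts both the current bare-value href and a resource-style href, and rejects anything else. The function names, the LIMITATION_RESOURCES map, its collection paths and the sample payload are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: collection path each limitation's values would be exposed under.
const LIMITATION_RESOURCES = ['Class' => '/content/types/', 'ParentClass' => '/content/types/'];

// Accepts the legacy bare value ("2") or a resource path ending in the value.
function limitationValueFromHref(string $identifier, string $href): string
{
    $href = trim($href);
    if ($href === '') {
        throw new InvalidArgumentException("Empty href in limitation '$identifier'");
    }
    if (strpos($href, '/') === false) {
        return $href; // legacy form, kept for backward compatibility
    }
    $prefix = LIMITATION_RESOURCES[$identifier] ?? null;
    $path = (string) parse_url($href, PHP_URL_PATH);
    $pos = $prefix === null ? false : strrpos($path, $prefix);
    $value = $pos === false ? '' : substr($path, $pos + strlen($prefix));
    // Reject another collection, a missing value, or trailing path segments.
    if ($value === '' || strpos($value, '/') !== false) {
        throw new InvalidArgumentException("Bad href '$href' for limitation '$identifier'");
    }
    return $value;
}

// Returns limitation identifier => list of resolved values for a PolicyCreate document.
function parsePolicyLimitations(string $xml): array
{
    $limitations = [];
    foreach ((new SimpleXMLElement($xml))->limitations->limitation as $limitation) {
        $identifier = (string) $limitation['identifier'];
        foreach ($limitation->values->ref as $ref) {
            $limitations[$identifier][] = limitationValueFromHref($identifier, (string) $ref['href']);
        }
    }
    return $limitations;
}

// Constructed payload mixing both forms (not taken from the report).
$payload = <<<XML
<PolicyCreate><module>content</module><function>create</function><limitations>
  <limitation identifier="Class"><values><ref href="/api/ibexa/v2/content/types/2"/></values></limitation>
  <limitation identifier="ParentClass"><values><ref href="1"/></values></limitation>
</limitations></PolicyCreate>
XML;
var_dump(parsePolicyLimitations($payload) === ['Class' => ['2'], 'ParentClass' => ['1']]);
```

Because a policy limitation narrows what a role may do, a reference that cannot be resolved is rejected with an exception here rather than silently dropped.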