There seems to be some relatively new issue with contextual security roles. This is a new issue and this previously worked fine.

Steps to reproduce:

1. Create a new security role and select the ‘Contextual role’ option
2. Populate the expression with → has(resource, “recordID”)
3. Verify with a logged in user, non-admin, they can see all records
4. Update the newly created security role with the expression → resource.recordID == 213
   — This example uses a recordID of 213 but choose a recordID that exists for some module in your Corteza instance.
5. As a non-admin user, Navigate to whatever module has a record with that particular recordID and verify it is not visible.

Expressions that work:
resource.moduleID == someModuleID
any expression that checks for the existence of a field

Expressions that do not work:
Anything that involves reading the value of either the recordID or any field under values, like resource.values.SomeField == xyz

Version: 2023.3.7
Seems to be broken on 2023.3.6 as well.

I’ll create a github issue for this but wondering if anyone else has experienced this or if the engineers are already tracking this issue.

Thank you for reporting it, we’ll try to address it for 2023.3.8
Did you by any chance already create the issue?

Will create it now. Thank you!

Do we know how far back this used to work?

I tested the .6 and it was broken there but it worked relatively recently because we’ve been using this and permissions is a critical thing so we would have noticed if it was “broken” for much longer than that.

We upgraded to .6 and then .7 relatively quickly from 2023.3.5 and I would guess it worked on .5 but I don’t know that definitively.

Hmm… seems like it works fine for me on c7c6df169 one commit after 2023.3.8 (that commit shouldn’t do anything; some meta stuff).

Can you double-check that the permissions are ok for all the roles? Perhaps something is off there. Alternatively if you two ( @jfortun @daniel_charp ) could note down the instructions for me in a bit more detailed fashion; that’d be best.

image1592×957 79.2 KB

Can you test with recordID specifically?

Also, the .7 is the latest release so I haven’t tested with .8.

Yup, works fine on my end. I’d suspect something got misconfigured on your end; can’t really help without more context

It may or may not matter but do you have the ability to test on 2023.3.7 and not .8 since .8 isn’t released.

Not much for us to misconfigure.

The contextual expression resource.recordID == 213 does not result in the user seeing the appropriate record but resource.moduleID == someModuleID does result in the user seeing those records, so the user has permissions to the records themselves.

@daniel_charp

https://hub.docker.com/layers/cortezaproject/corteza/2023.3.8/images/sha256-67a8122d2fe42d83cb297c1f2279f3714c7ec2c58b3e00a0dd0da0bcc0474b70?context=explore

Changelog on github is usually a day or two behind