Skip to main content

User has restricted menus and functions to READ only. Example Request or Product

Using API calls with the same user the same data can be modified. Expectation is: since the user has READ only this should not be possible

How to you handle the roles /rights in order to avoid this issue?

Can you reproduce also in your systems?

We use FSM 6.5

Thank you already for any useful feedback!

Hi @KYOMANGYALO,

Would you be able to advise what specific update went through via the API that should not have and what related functions you have set to read only?

This will help to determine if this is a setup issue or something more appropriately investigated as a support case.

Kind regards,

Lee Pinchbeck


Hi Lee

Yes. Simple scenario - in the role set function and menu Task to READ only. Over client you can’t do any changes.

Then post API call as 

<update_task>

<task>

<task_id>xxxx</task_id>

<description> test - API call</description>

</task>

</update_task>

The change is done even if the rights in the role are saying READ only.

Best Regards

Monica


Reply