Description
From the Organization Management Create API[1], we can set values for creator.id, creator.username and creator.email as attributes.
And those values will be resolved to the following fields[2] in the internal Organization Object.
When resolving, there are validations to check whether the given user id is correct or not[3].
With the Patch API, the above attributes can be patched, where those can be removed, added or replaced.
But when patching the creator.id, it is not getting validated, so the correct value can be replaced with an invalid value.
Respective validation should be there for the creator.id as in the organization creation flow.
[1] - https://is.docs.wso2.com/en/next/apis/organization-mgt-rest-api/#tag/Organization/operation/organizationPost
[2] - https://github.com/wso2/identity-organization-management-core/blob/e7871e6863f6f7866912c647cfa0cf61c5c29ba6/components/org.wso2.carbon.identity.organization.management.service/src/main/java/org/wso2/carbon/identity/organization/management/service/model/Organization.java#L35C5-L37C33
[3] - https://github.com/wso2/identity-organization-management-core/blob/f0267ff2e3d62eea01d240c425df9ee62314d4e4/components/org.wso2.carbon.identity.organization.management.service/src/main/java/org/wso2/carbon/identity/organization/management/service/OrganizationManagerImpl.java#L1160
Steps to Reproduce
- Create an Organization
curl --location 'https://localhost:9443/api/server/v1/organizations' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <token>' \
--data-raw '{
  "name": "ORG NAME",
  "description": "Building constructions",
  "attributes": [
    {
      "key": "Country",
      "value": "USA"
    },
    {
      "key": "creator.id",
      "value": "e90d87d8-b4d7-4428-a227-b62e727d4c6e"
    },
    {
      "key": "creator.username",
      "value": "Jehan"
    },
    {
      "key": "creator.email",
      "value": "jehan@wso2.com"
    }
  ]
}'
- Patch the created organization with an invalid creator id
curl --location --request PATCH 'https://localhost:9443/api/server/v1/organizations/6d2005e4-678b-4ecc-abeb-423933cc92c1' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '[
  {
    "operation": "REPLACE",
    "path": "/attributes/creator.id",
    "value": "invalid_vlaue"
  }
]'
Version
7.1.0
Environment Details (with versions)
No response
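The requested behaviour, sketched as an added example that is not code from the WSO2 repositories: a patch handler that applies the create-flow user check to creator.id before any attribute is changed. Every class, method and the `userExists` lookup is hypothetical, the `ADD` and `REMOVE` operation names are assumed by analogy with the `REPLACE` shown above, and the user set is constructed sample data.

```java
import java.util.*;
import java.util.function.Predicate;

// Added illustration; all names are hypothetical, not WSO2 Identity Server classes.
public class CreatorIdPatchValidation {
    record PatchOp(String operation, String path, String value) {}

    static final String ATTR_PREFIX = "/attributes/";
    static final String CREATOR_ID_PATH = ATTR_PREFIX + "creator.id";

    // Applies attribute patch operations. A creator.id written by ADD or REPLACE
    // must pass the same user-existence check the creation flow performs.
    static void applyPatch(Map<String, String> attributes, List<PatchOp> ops,
                           Predicate<String> userExists) {
        // Validate the whole request first so a rejected patch changes nothing.
        for (PatchOp op : ops) {
            if (!op.path().startsWith(ATTR_PREFIX)) {
                throw new IllegalArgumentException("only attribute paths are handled here");
            }
            boolean writes = "ADD".equals(op.operation()) || "REPLACE".equals(op.operation());
            if (writes && CREATOR_ID_PATH.equals(op.path()) && !userExists.test(op.value())) {
                throw new IllegalArgumentException("creator.id does not refer to an existing user");
            }
        }
        for (PatchOp op : ops) {
            String key = op.path().substring(ATTR_PREFIX.length());
            if ("REMOVE".equals(op.operation())) {
                attributes.remove(key);
            } else {
                attributes.put(key, op.value());
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: one known user id stands in for the user store.
        Set<String> users = Set.of("e90d87d8-b4d7-4428-a227-b62e727d4c6e");
        Map<String, String> attrs = new HashMap<>(Map.of(
                "creator.id", "e90d87d8-b4d7-4428-a227-b62e727d4c6e", "Country", "USA"));
        try {
            applyPatch(attrs, List.of(new PatchOp("REPLACE", CREATOR_ID_PATH, "invalid_vlaue")),
                    users::contains);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("creator.id is still " + attrs.get("creator.id"));
    }
}
```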