You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
POST /apps/openbuilt/api/applications/hello-world/exports returns 403 {"error":"Forbidden."} for the admin user against the seeded hello-world Application (both in the dev container and CI).
Root cause: ExportsController::isAuthorisedForApplication() — when OCA\OpenBuilt\Service\RbacService is absent (it is — spec #7 shipped no such class) — falls back to ObjectService::find($applicationSlug)without register/schema context. OR's ObjectService::find() uses $this->currentRegister/$this->currentSchema (null here), so a slug-only lookup against the openbuilt/application schema returns null, and the controller denies.
The manifest endpoint resolves the same slug fine because it goes through the built-app-route lookup. The export authz fallback should do the same — resolve {slug} via built-app-route (or pass register: 'openbuilt', schema: 'application' to find() and filter by slug) before deciding access.
Found while fixing the Newman chain collections (#33). The openbuilt-export-to-real-app collection currently accepts 403 as a documented (buggy) outcome with a comment pointing here; once this is fixed it should flip to asserting 202 strictly.
POST /apps/openbuilt/api/applications/hello-world/exportsreturns403 {"error":"Forbidden."}for the admin user against the seededhello-worldApplication (both in the dev container and CI).Root cause:
ExportsController::isAuthorisedForApplication()— whenOCA\OpenBuilt\Service\RbacServiceis absent (it is — spec #7 shipped no such class) — falls back toObjectService::find($applicationSlug)without register/schema context. OR'sObjectService::find()uses$this->currentRegister/$this->currentSchema(null here), so a slug-only lookup against theopenbuilt/applicationschema returnsnull, and the controller denies.The manifest endpoint resolves the same slug fine because it goes through the
built-app-routelookup. The export authz fallback should do the same — resolve{slug}viabuilt-app-route(or passregister: 'openbuilt', schema: 'application'tofind()and filter byslug) before deciding access.Found while fixing the Newman chain collections (#33). The
openbuilt-export-to-real-appcollection currently accepts403as a documented (buggy) outcome with a comment pointing here; once this is fixed it should flip to asserting202strictly.