Saturday 11 May 2013

Security issue for tables with inheritance

One of my colleagues is working on a project where they need to integrate using a WCF service. He came across an issue where they were not getting the product name. The issue was that on a restart of the AOS their WCF call would not return the product name. However, after someone accessed the product from within AX, the WCF call would return the name.

They asked for my assistance in getting the issue resolved. The symptoms that they described hinted at a security-related issue. The fact that the product name was returned once someone accessed the product from within AX clearly showed that the AOS was caching the item name. So after the cache was filled, the WCF call would get the name from the cache instead of getting it directly from the table. Usually AX will throw an error if the user does not have access to the table. But in this case there was no error.

They were using the InventTable.itemName() method to return the product name. We looked at the security role/duties/privileges developed by them and all looked fine. We then decided to do things one step at a time to find the exact place where things stopped working. We looked at the call stack of the itemName method and started replacing each method call with the code inside the method.

Eventually we found the code that was causing the issue. The code is in InventTable.productName.

   return EcoResProduct::find(productRecId).productName(_languageId);  

When we replaced this call with the code inside EcoResProduct.productName, it started working. The developer had given the role/duty access to EcoResProduct, so it was really confusing why this was not working. Then I realised that this is a SuperType/SubType table and EcoResProduct is not the only table that requires access. The Type hierarchy browser indicated that we needed access to two more tables. Once the access was granted, the product name was accessible even if it was not cached.

The question to ask is: "Why does AX not throw an error for tables involving hierarchy when the user does not have access?"

This posting is provided "AS IS" with no warranties. Use code at your own risk.
