Bug-Feature Request: Entitlements API should respond with user entitlements #635

Closed
teemukataja opened this issue Aug 23, 2018 · 4 comments

teemukataja commented Aug 23, 2018

Issue

When calling /api/entitlements with a user, e.g. "alice", the API responds with unauthorized.

Reproduce issue

Populate postgres with test data: lein run test-data

curl -H "x-rems-api-key: 42" -H "x-rems-user-id: alice" localhost:3000/api/entitlements
unauthorized

Expected result: return entitlements.

A request from x-rems-user-id: developer with the query parameter user gives the desired results.

curl -H "x-rems-api-key: 42" -H "x-rems-user-id: developer" "localhost:3000/api/entitlements?user=alice"

[{"resource":"urn:nbn:fi:lb-201403262","application-id":9,"start":"2018-08-23 07:24","mail":"[email protected]"}]

Stack trace from back end.

2018-08-23 07:31:20,509 [qtp823454423-40] INFO  rems.middleware - < :get /api/entitlements 401
2018-08-23 07:34:20,096 [qtp823454423-36] INFO  rems.middleware - > :get /api/entitlements lang: :en user: {eppn alice} roles: #{:applicant}
2018-08-23 07:34:20,097 [qtp823454423-36] DEBUG rems.middleware - session {}
2018-08-23 07:34:20,113 [qtp823454423-36] ERROR compojure.api.exception -
rems.auth.NotAuthorizedException: null
        at rems.auth.util$throw_unauthorized.invokeStatic(util.clj:4)
        at rems.auth.util$throw_unauthorized.invoke(util.clj:4)
        at rems.db.entitlements$get_entitlements_for_api.invokeStatic(entitlements.clj:23)
        at rems.db.entitlements$get_entitlements_for_api.invoke(entitlements.clj:21)
        at rems.api.entitlements$fn__39331.invokeStatic(entitlements.clj:22)
        at rems.api.entitlements$fn__39331.invoke(entitlements.clj:16)
        at compojure.core$wrap_response$fn__30808.invoke(core.clj:158)
        at compojure.core$pre_init$fn__30907.invoke(core.clj:328)
        at compojure.api.coercion$wrap_coerce_response$fn__33817.invoke(coercion.clj:92)
        at compojure.core$pre_init$fn__30909$fn__30912.invoke(core.clj:335)
        at compojure.core$wrap_route_middleware$fn__30792.invoke(core.clj:127)
        at compojure.core$wrap_route_info$fn__30797.invoke(core.clj:137)
        at compojure.core$wrap_route_matches$fn__30801.invoke(core.clj:146)
        at compojure.core$wrap_routes$fn__30919.invoke(core.clj:348)
        at compojure.api.routes.Route.invoke(routes.clj:90)
        at compojure.core$routing$fn__30816.invoke(core.clj:185)
        at clojure.core$some.invokeStatic(core.clj:2693)
        at clojure.core$some.invoke(core.clj:2684)
        at compojure.core$routing.invokeStatic(core.clj:185)
        at compojure.core$routing.doInvoke(core.clj:182)
        at clojure.lang.RestFn.applyTo(RestFn.java:139)
        at clojure.core$apply.invokeStatic(core.clj:659)
        at clojure.core$apply.invoke(core.clj:652)
        at compojure.core$routes$fn__30820.invoke(core.clj:192)
        at compojure.api.compojure_compat$make_context$handler__36986.invoke(compojure_compat.clj:26)
        at compojure.api.compojure_compat$make_context$fn__36988.invoke(compojure_compat.clj:34)
        at compojure.api.routes.Route.invoke(routes.clj:90)
        at compojure.core$routing$fn__30816.invoke(core.clj:185)
        at clojure.core$some.invokeStatic(core.clj:2693)
        at clojure.core$some.invoke(core.clj:2684)
        at compojure.core$routing.invokeStatic(core.clj:185)
        at compojure.core$routing.doInvoke(core.clj:182)
        at clojure.lang.RestFn.applyTo(RestFn.java:139)
        at clojure.core$apply.invokeStatic(core.clj:659)
        at clojure.core$apply.invoke(core.clj:652)
        at compojure.core$routes$fn__30820.invoke(core.clj:192)
        at compojure.core$routing$fn__30816.invoke(core.clj:185)
        at clojure.core$some.invokeStatic(core.clj:2693)
        at clojure.core$some.invoke(core.clj:2684)
        at compojure.core$routing.invokeStatic(core.clj:185)
        at compojure.core$routing.doInvoke(core.clj:182)
        at clojure.lang.RestFn.applyTo(RestFn.java:139)
        at clojure.core$apply.invokeStatic(core.clj:659)
        at clojure.core$apply.invoke(core.clj:652)
        at compojure.core$routes$fn__30820.invoke(core.clj:192)
        at compojure.core$make_context$handler__30888.invoke(core.clj:285)
        at compojure.core$make_context$fn__30890.invoke(core.clj:293)
        at compojure.api.routes.Route.invoke(routes.clj:90)
        at compojure.core$routing$fn__30816.invoke(core.clj:185)
        at clojure.core$some.invokeStatic(core.clj:2693)
        at clojure.core$some.invoke(core.clj:2684)
        at compojure.core$routing.invokeStatic(core.clj:185)
        at compojure.core$routing.doInvoke(core.clj:182)
        at clojure.lang.RestFn.applyTo(RestFn.java:139)
        at clojure.core$apply.invokeStatic(core.clj:659)
        at clojure.core$apply.invoke(core.clj:652)
        at compojure.core$routes$fn__30820.invoke(core.clj:192)
        at compojure.api.routes.Route.invoke(routes.clj:90)
        at ring.swagger.middleware$wrap_swagger_data$fn__37522.invoke(middleware.clj:35)
        at ring.middleware.cors$handle_cors.invokeStatic(cors.clj:171)
        at ring.middleware.cors$handle_cors.invoke(cors.clj:160)
        at ring.middleware.cors$wrap_cors$fn__39635.invoke(cors.clj:185)
        at compojure.api.middleware$wrap_swagger_data$fn__35797.invoke(middleware.clj:180)
        at compojure.api.middleware$wrap_inject_data$fn__35775.invoke(middleware.clj:95)
        at muuntaja.middleware$wrap_params$fn__34772.invoke(middleware.clj:51)
        at compojure.api.middleware$wrap_exceptions$fn__35764.invoke(middleware.clj:61)
        at muuntaja.middleware$wrap_format_request$fn__34784.invoke(middleware.clj:113)
        at compojure.api.middleware$wrap_exceptions$fn__35764.invoke(middleware.clj:61)
        at muuntaja.middleware$wrap_format_response$fn__34788.invoke(middleware.clj:131)
        at muuntaja.middleware$wrap_format_negotiate$fn__34781.invoke(middleware.clj:95)
        at ring.middleware.keyword_params$wrap_keyword_params$fn__33859.invoke(keyword_params.clj:36)
        at ring.middleware.nested_params$wrap_nested_params$fn__33917.invoke(nested_params.clj:89)
        at ring.middleware.params$wrap_params$fn__33991.invoke(params.clj:67)
        at compojure.api.middleware$wrap_inject_data$fn__35775.invoke(middleware.clj:95)
        at compojure.api.routes.Route.invoke(routes.clj:90)
        at clojure.lang.Var.invoke(Var.java:381)
        at compojure.core$routing$fn__30816.invoke(core.clj:185)
        at clojure.core$some.invokeStatic(core.clj:2693)
        at clojure.core$some.invoke(core.clj:2684)
        at compojure.core$routing.invokeStatic(core.clj:185)
        at compojure.core$routing.doInvoke(core.clj:182)
        at clojure.lang.RestFn.applyTo(RestFn.java:139)
        at clojure.core$apply.invokeStatic(core.clj:659)
        at clojure.core$apply.invoke(core.clj:652)
        at compojure.core$routes$fn__30820.invoke(core.clj:192)
        at compojure.core$routing$fn__30816.invoke(core.clj:185)
        at clojure.core$some.invokeStatic(core.clj:2693)
        at clojure.core$some.invoke(core.clj:2684)
        at compojure.core$routing.invokeStatic(core.clj:185)
        at compojure.core$routing.doInvoke(core.clj:182)
        at clojure.lang.RestFn.applyTo(RestFn.java:139)
        at clojure.core$apply.invokeStatic(core.clj:659)
        at clojure.core$apply.invoke(core.clj:652)
        at compojure.core$routes$fn__30820.invoke(core.clj:192)
        at ring.middleware.reload$wrap_reload$fn__21867.invoke(reload.clj:39)
        at rems.middleware.dev$wrap_styles_context$fn__21874.invoke(dev.clj:10)
        at rems.middleware$wrap_unauthorized$fn__44500.invoke(middleware.clj:136)
        at rems.middleware$wrap_logging$fn__44503.invoke(middleware.clj:153)
        at rems.middleware$wrap_i18n$fn__44494.invoke(middleware.clj:123)
        at taoensso.tempura$wrap_ring_request$fn__27864.invoke(tempura.cljc:398)
        at rems.middleware$wrap_tempura_locales_from_session$fn__44490.invoke(middleware.clj:108)
        at rems.middleware$wrap_context$fn__44478.invoke(middleware.clj:75)
        at rems.middleware$wrap_user$fn__44473.invoke(middleware.clj:67)
        at rems.middleware$wrap_api_key_or_csrf_token$fn__44470.invoke(middleware.clj:52)
        at buddy.auth.middleware$wrap_authentication$fn__40031.invoke(middleware.clj:59)
        at buddy.auth.middleware$wrap_authorization$fn__40038.invoke(middleware.clj:110)
        at ring.middleware.webjars$wrap_webjars$fn__44456.invoke(webjars.clj:40)
        at ring.middleware.flash$wrap_flash$fn__42939.invoke(flash.clj:39)
        at ring.middleware.session$wrap_session$fn__43121.invoke(session.clj:108)
        at ring.middleware.keyword_params$wrap_keyword_params$fn__33859.invoke(keyword_params.clj:36)
        at ring.middleware.nested_params$wrap_nested_params$fn__33917.invoke(nested_params.clj:89)
        at ring.middleware.multipart_params$wrap_multipart_params$fn__43205.invoke(multipart_params.clj:173)
        at ring.middleware.params$wrap_params$fn__33991.invoke(params.clj:67)
        at ring.middleware.cookies$wrap_cookies$fn__43072.invoke(cookies.clj:175)
        at ring.middleware.absolute_redirects$wrap_absolute_redirects$fn__43292.invoke(absolute_redirects.clj:47)
        at ring.middleware.resource$wrap_resource$fn__43221.invoke(resource.clj:37)
        at ring.middleware.content_type$wrap_content_type$fn__37587.invoke(content_type.clj:34)
        at ring.middleware.default_charset$wrap_default_charset$fn__43264.invoke(default_charset.clj:31)
        at ring.middleware.not_modified$wrap_not_modified$fn__37617.invoke(not_modified.clj:53)
        at ring.middleware.x_headers$wrap_x_header$fn__42902.invoke(x_headers.clj:22)
        at ring.middleware.x_headers$wrap_x_header$fn__42902.invoke(x_headers.clj:22)
        at ring.middleware.x_headers$wrap_x_header$fn__42902.invoke(x_headers.clj:22)
        at rems.middleware$wrap_internal_error$fn__44481.invoke(middleware.clj:80)
        at ring.middleware.format_params$wrap_format_params$fn__44167.invoke(format_params.clj:119)
        at ring.middleware.format_params$wrap_format_params$fn__44167.invoke(format_params.clj:119)
        at ring.middleware.format_params$wrap_format_params$fn__44167.invoke(format_params.clj:119)
        at ring.middleware.format_response$wrap_format_response$fn__44344.invoke(format_response.clj:194)
        at rems.middleware$wrap_formats$fn__44485.invoke(middleware.clj:94)
        at qbits.jet.server$make_handler$fn__17700.invoke(server.clj:78)
        at qbits.jet.server.proxy$org.eclipse.jetty.server.handler.AbstractHandler$ff19274a.handle(Unknown Source)
        at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at org.eclipse.jetty.server.Server.handle(Server.java:564)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:318)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:112)
        at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:672)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:590)
        at java.lang.Thread.run(Thread.java:748)

@opqdonut
Contributor

Currently fetching entitlements is only allowed to users that have the approver role. Alice only has the role applicant.

@blankdots

Tracked here: #649 (they seem like similar features).

@opqdonut
Contributor

yeah I forgot to link them, thanks 👍

@teemukataja
Author

This now works as of #674
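
An added sketch of the access rule this thread converges on (not part of the thread and not the REMS code or the change in #674): a caller may always read their own entitlements, and the `user` query parameter is honoured for another user only when the caller holds a privileged role. The namespace, function names, sample rows, the 403 for cross-user requests and the behaviour of a privileged caller without `user` are all assumptions made for illustration.

```clojure
(ns example.entitlements-authz
  (:require [clojure.set :as set]))

;; Constructed sample rows, shaped like the response quoted in the issue.
(def entitlements
  [{:user "alice" :resource "urn:nbn:fi:lb-201403262" :application-id 9}
   {:user "bob"   :resource "urn:example:constructed"  :application-id 12}])

;; Assumption: only these roles may read other users' entitlements.
(def privileged-roles #{:approver})

(defn- privileged? [roles]
  (boolean (seq (set/intersection privileged-roles (set roles)))))

(defn entitlements-for-api
  "caller    - authenticated user id (the x-rems-user-id header in the issue)
   roles     - roles resolved for the caller on the server side
   requested - value of the ?user= query parameter, or nil"
  [caller roles requested]
  (cond
    ;; No authenticated identity: reject before touching any data.
    (nil? caller)
    (throw (ex-info "unauthorized" {:status 401}))

    ;; Privileged callers may filter by any user; without a filter they
    ;; see every row (assumed behaviour).
    (privileged? roles)
    (if requested
      (filterv #(= requested (:user %)) entitlements)
      entitlements)

    ;; Unprivileged callers must not be able to select another user's
    ;; rows through the query parameter.
    (and requested (not= requested caller))
    (throw (ex-info "forbidden" {:status 403 :caller caller :requested requested}))

    ;; Default: the caller's own entitlements only.
    :else
    (filterv #(= caller (:user %)) entitlements)))

(defn demo
  "Runs the two requests from the issue plus a cross-user attempt."
  []
  {:own        (entitlements-for-api "alice" #{:applicant} nil)
   :approver   (entitlements-for-api "developer" #{:approver} "alice")
   :cross-user (try (entitlements-for-api "alice" #{:applicant} "bob")
                    (catch clojure.lang.ExceptionInfo e (ex-data e)))})
```

The identity and roles passed in must come from the authenticated session or API-key context on the server, never from request data the caller controls beyond what the deployment already trusts.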
