Hi Francesco,

Just looking at this logic again in UserDataBinder...

    Set<Long> roleIds = user.getRoleIds();
    Set<Long> adminRoleIds =
        EntitlementUtil.getRoleIds(EntitlementUtil.getOwnedEntitlementNames());
    roleIds.removeAll(adminRoleIds);

In my test-case, a user "alice" has role "read-role" with permission "ROLE_READ". When I log on as "alice" when calling "cxf/users?username=alice", "ROLE_READ" is returned from EntitlementUtil.getOwnedEntitlementNames(), but as it isn't of the format expected by EntitlementUtil.ROLE_ENTITLEMENT_NAME_PATTERN, EntitlementUtil.getRoleIds(...) is empty.

Is this a bug - or am I missing something? If the user has a role with an entitlement that does not match the reg exp, then an exception will always be thrown in this class.

Colm.

On Wed, Feb 27, 2013 at 10:12 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:

> On 27/02/2013 16:10, Colm O hEigeartaigh wrote:
>
>> As per the discussions on SYNCOPE-324, I'm reading a user (from the new
>> API) via:
>>
>> users?username=X
>>
>> I am authenticating using the User's username/password and not the admin
>> user/password. I get an exception in the logs:
>>
>> org.apache.syncope.core.rest.controller.UnauthorizedRoleException: Missing
>> entitlement for role(s) [100]
>>     at
>> org.apache.syncope.core.rest.data.UserDataBinder.getUserFromUsername(UserDataBinder.java:132)
>> ~[UserDataBinder.class:na]
>>
>> Syncope is set up with a single Role with no entitlements, and a single
>> User with that role, that I am authenticating as. In
>> UserDataBinder.getUserFromUsername we have:
>>
>> Set<Long> roleIds = user.getRoleIds();
>> Set<Long> adminRoleIds =
>>     EntitlementUtil.getRoleIds(EntitlementUtil.getOwnedEntitlementNames());
>> roleIds.removeAll(adminRoleIds);
>>
>> if (!roleIds.isEmpty()) {
>>     throw new UnauthorizedRoleException(roleIds);
>> }
>>
>> In this case, "adminRoleIds" is empty and so the exception is thrown. Any
>> ideas?
>>
>
> Hi Colm,
> for reading own roles, the same approach as per RoleController#selfRead
> should be implemented.
>
> Regards.
>
> --
> Francesco Chicchiriccò
>
> ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
> http://people.apache.org/~ilgrosso/

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
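Added example, not part of the original message and not Syncope's own code: a stand-alone Java sketch of the check discussed in this thread, showing which caller entitlement sets leave role IDs uncovered. The class name `SelfReadCheckDemo`, the regex `^ROLE_(\d+)$` (an assumed stand-in for `EntitlementUtil.ROLE_ENTITLEMENT_NAME_PATTERN`), the helper names and the sample values are all assumptions.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SelfReadCheckDemo {
    // Assumption: only entitlement names of the form ROLE_<numeric id> identify a role.
    static final Pattern ROLE_ENTITLEMENT = Pattern.compile("^ROLE_(\\d+)$");

    // Hypothetical stand-in for EntitlementUtil.getRoleIds(...):
    // names that do not match the pattern are dropped silently.
    static Set<Long> roleIdsFrom(Set<String> entitlementNames) {
        Set<Long> ids = new HashSet<>();
        for (String name : entitlementNames) {
            Matcher m = ROLE_ENTITLEMENT.matcher(name);
            if (m.matches()) {
                ids.add(Long.valueOf(m.group(1)));
            }
        }
        return ids;
    }

    // The removeAll check quoted in the thread, run on a copy of the user's role ids.
    // A non-empty result is the condition under which UnauthorizedRoleException is thrown.
    static Set<Long> uncoveredRoles(Set<Long> userRoleIds, Set<String> callerEntitlements) {
        Set<Long> remaining = new HashSet<>(userRoleIds);
        remaining.removeAll(roleIdsFrom(callerEntitlements));
        return remaining;
    }

    public static void main(String[] args) {
        Set<Long> userRoles = Set.of(100L); // constructed sample: user holds role id 100

        // Role with no entitlements: nothing covers role 100.
        System.out.println("no entitlements -> uncovered " + uncoveredRoles(userRoles, Set.of()));
        // Entitlement that does not encode a role id: ignored by the pattern.
        System.out.println("ROLE_READ       -> uncovered " + uncoveredRoles(userRoles, Set.of("ROLE_READ")));
        // Entitlement that names the role id: the check passes.
        System.out.println("ROLE_100        -> uncovered " + uncoveredRoles(userRoles, Set.of("ROLE_100")));
    }
}
```

Under these assumptions, membership in a role does not by itself satisfy the check; only an entitlement whose name encodes that role's numeric id does.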