Details
Bug
Resolution: Fixed
Medium
Embedded Crowd in JIRA Standalone Edition 4.3
Description
RestCrowdClient client = ...;
client.isUserNestedGroupMember(username, group);
always returns true for any group if the username is the empty string "".
RestCrowdClient client = ...;
assertTrue(client.isUserNestedGroupMember("", "jira-users"));
assertTrue(client.isUserNestedGroupMember("", "non-existing-group"));
assertTrue(client.isUserNestedGroupMember("", "abc"));
...
This is probably because the Crowd REST API exposes the same URL with and without the username:
/group/user/nested?groupname=GROUPNAME | GET | Retrieves the users that are nested members of the specified group | 200 (OK) if the group is found, otherwise 404 (Not Found) | List of users
/group/user/nested?groupname=GROUPNAME&username=USERNAME | GET | Retrieves the user that is a nested member of the specified group | 200 (OK) if the group and user are found, otherwise 404 (Not Found)
If the first endpoint is used when the username is empty, the 200 response with the list of users will be interpreted as 200 OK: the user exists.
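The suspected cause and a client-side guard, as an added example that is not Crowd or JIRA source code. The class, the stub and the sample directory are hypothetical; the stub follows the endpoint table above and assumes an empty username parameter is treated like a missing one, so it does not reproduce the result reported for a non-existing group.

```java
import java.util.Map;
import java.util.Set;

// Added illustration; all class and method names here are hypothetical.
public class NestedMembershipCheck {
    // Constructed sample directory: group name -> nested members.
    static final Map<String, Set<String>> GROUPS =
            Map.of("jira-users", Set.of("alice", "bob"));

    // Stub for GET /group/user/nested, following the endpoint table in the report.
    // Assumption: an empty username parameter is handled like a missing one.
    // Returns {status, entity kind}.
    static String[] get(String group, String username) {
        Set<String> members = GROUPS.get(group);
        if (members == null) return new String[] {"404", "error"};
        if (username == null || username.isEmpty()) return new String[] {"200", "users"};
        return members.contains(username)
                ? new String[] {"200", "user"}
                : new String[] {"404", "error"};
    }

    // Pattern the report suspects: any 200 is read as "is a member".
    static boolean naiveIsMember(String username, String group) {
        return get(group, username)[0].equals("200");
    }

    // Hardened check: refuse blank names before a request is built, and accept
    // only a 200 that carries a single user entity, never the member list.
    static boolean strictIsMember(String username, String group) {
        if (username == null || username.trim().isEmpty()
                || group == null || group.trim().isEmpty()) {
            return false;
        }
        String[] resp = get(group, username);
        return resp[0].equals("200") && resp[1].equals("user");
    }

    public static void main(String[] args) {
        System.out.println("naive,  \"\"    in jira-users: " + naiveIsMember("", "jira-users"));
        System.out.println("strict, \"\"    in jira-users: " + strictIsMember("", "jira-users"));
        System.out.println("strict, alice in jira-users: " + strictIsMember("alice", "jira-users"));
        System.out.println("strict, carol in jira-users: " + strictIsMember("carol", "jira-users"));
    }
}
```

The input check alone closes the empty-username case; the entity check additionally keeps a list response from ever being read as a membership answer.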