Hello,
I am developing a plugin in Stash 2.12.1 for creating projects and repositories. The problem I am facing is related to granting permissions via PermissionAdminService. Executing
    transactionTemplate.execute(new TransactionCallback<CreationResponse>() {
        @Override
        public CreationResponse doInTransaction() {
            Project project = projectService.getByKey(request.getProjectKey());
            if (project == null) {
                ProjectCreateRequest.Builder projectCreateRequestBuilder = new ProjectCreateRequest.Builder();
                ProjectCreateRequest projectCreateRequest = projectCreateRequestBuilder
                        .key(request.getProjectKey())
                        .name(request.getProjectName())
                        .description(request.getProjectDescription())
                        .build();
                project = projectService.create(projectCreateRequest);
                permissionAdminService.grantAllProjectPermission(Permission.PROJECT_WRITE, project);
            }
        }
    });
inside a transaction ends with an exception and a rollback. The exception is
org.springframework.security.access.AccessDeniedException: Access is denied at permissionAdminService.grantAllProjectPermission
Actually, any method call on permissionAdminService for a brand new project is denied. The current user has the "Project Creator" permission. Also, creating a project without calling grantAllProjectPermission creates the project successfully and the current user has admin rights.
The problem is related to the transaction, because when I execute the code outside of it, grantAllProjectPermission works fine. Am I missing something?
Yes, you are absolutely right. Wrapping it in a transaction means that the events Stash relies on to invalidate its permission caches are not fired until the transaction is committed, so you are seeing a view of the permissions as they were before the project was created. Because the grant operation is a completely valid operation to do, I would suggest working around this quirk by wrapping the call to the permissionAdminService in a call to the SecurityService.
    securityService.withPermission(Permission.PROJECT_ADMIN, "Grant all project permission within the same transaction")
            .call(new UncheckedOperation<Void>() {
                @Override
                public Void perform() {
                    permissionAdminService.grantAllProjectPermission(Permission.PROJECT_WRITE, project);
                    return null;
                }
            });
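The workaround placed inside the transaction from the question, as an added example that is not part of the original thread: the escalation wraps only the single grant call and is reached only for a project created in the same transaction, so the plugin never grants permissions on a pre-existing project with borrowed PROJECT_ADMIN rights. The class name `ProjectProvisioner`, the method `getOrCreate` and its parameters are hypothetical, and the import package names are assumed to be those of the Stash 2.x and SAL APIs.

```java
import com.atlassian.sal.api.transaction.TransactionCallback;
import com.atlassian.sal.api.transaction.TransactionTemplate;
import com.atlassian.stash.project.Project;
import com.atlassian.stash.project.ProjectCreateRequest;
import com.atlassian.stash.project.ProjectService;
import com.atlassian.stash.user.Permission;
import com.atlassian.stash.user.PermissionAdminService;
import com.atlassian.stash.user.SecurityService;
import com.atlassian.stash.util.UncheckedOperation;

// Hypothetical helper; package names above are assumed, service calls are the ones used in the thread.
public class ProjectProvisioner {
    private final TransactionTemplate tx;
    private final ProjectService projectService;
    private final PermissionAdminService permissionAdminService;
    private final SecurityService securityService;
    public ProjectProvisioner(TransactionTemplate tx, ProjectService projectService,
            PermissionAdminService permissionAdminService, SecurityService securityService) {
        this.tx = tx;
        this.projectService = projectService;
        this.permissionAdminService = permissionAdminService;
        this.securityService = securityService;
    }
    public Project getOrCreate(final String key, final String name, final String description) {
        return tx.execute(new TransactionCallback<Project>() {
            @Override
            public Project doInTransaction() {
                Project existing = projectService.getByKey(key);
                if (existing != null) {
                    // No escalation here: the caller may not administer a project it did not create.
                    return existing;
                }
                // final, so the anonymous class below can capture it.
                final Project created = projectService.create(new ProjectCreateRequest.Builder()
                        .key(key).name(name).description(description).build());
                // Escalate for this one call only; the reason string documents why.
                securityService.withPermission(Permission.PROJECT_ADMIN, "Grant on project created in this transaction")
                        .call(new UncheckedOperation<Void>() {
                            @Override
                            public Void perform() {
                                permissionAdminService.grantAllProjectPermission(Permission.PROJECT_WRITE, created);
                                return null;
                            }
                        });
                return created;
            }
        });
    }
}
```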