$settings and ACL

I’ve POSTed to create a settings stream with the following event body:

{
    "$userStreamAcl" : {
        "$r"  : "$admins", "EventReader",
        "$w"  : "$admins,""EventWriter",
        "$d"  : "$admins",
        "$mr" : "$admins",
        "$mw" : "$admins"
    },
    "$systemStreamAcl" : {
        "$r"  : "$admins",
        "$w"  : "$admins",
        "$d"  : "$admins",
        "$mr" : "$admins",
        "$mw" : "$admins"
    }
}

However, I am still able to make unauthorized calls to read events. These are pre-existing streams with no explicit ACLs applied.

Maybe you can put where you posted to?

Remember that $ is a special character and URI encoding may have made it %24 instead of $ :)

POST /streams/$settings HTTP/1.1
Host: atl0wevtd001.cead.prd
Authorization: Basic YWRtaW46Y2hhbmdlaXQ=
Content-Type: application/json
ES-EventType: settings
ES-EventId: 4175075f-5026-4d8a-bef7-fe1eb5f7a4e4
Cache-Control: no-cache
Postman-Token: 4108c7f2-04b0-f3a7-3edb-0399db47aa73

{
    "$userStreamAcl" : {
        "$r"  : "$admins", "EventReader",
        "$w"  : "$admins,""EventWriter",
        "$d"  : "$admins",
        "$mr" : "$admins",
        "$mw" : "$admins"
    },
    "$systemStreamAcl" : {
        "$r"  : "$admins",
        "$w"  : "$admins",
        "$d"  : "$admins",
        "$mr" : "$admins",
        "$mw" : "$admins"
    }
}

Your JSON is malformed, look at $w of userStreamAcl.
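Added example, not part of the thread and not Event Store's own code: a Python check that parses a $settings body before it is POSTed and reports the kind of error pointed out above. It assumes the intent was two roles each for $r and $w, written as JSON arrays (an ACL entry takes a role name or an array of role names); check_settings and both sample bodies are constructed for illustration.

```python
import json

SECTIONS = {"$userStreamAcl", "$systemStreamAcl"}
ACL_KEYS = {"$r", "$w", "$d", "$mr", "$mw"}

def check_settings(body):
    """Return a list of problems in a $settings event body (empty list = none found)."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as e:
        return [f"invalid JSON at line {e.lineno}, column {e.colno}: {e.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = []
    for section, acl in doc.items():
        if section not in SECTIONS or not isinstance(acl, dict):
            problems.append(f"{section}: unknown section or not an object")
            continue
        for key, value in acl.items():
            where = f"{section}.{key}"
            if key not in ACL_KEYS:
                problems.append(f"{where}: unknown ACL key")
            roles = [value] if isinstance(value, str) else value
            if not (isinstance(roles, list) and roles
                    and all(isinstance(r, str) and r.strip() for r in roles)):
                problems.append(f"{where}: expected a role name or a non-empty array of role names")
                continue
            # Heuristic (assumption): a comma inside one string is one odd role name, not two roles.
            problems += [f"{where}: {r!r} contains a comma; use an array" for r in roles if "," in r]
    return problems

# Constructed excerpt of the body as first posted in the thread (still malformed).
AS_POSTED = """{
    "$userStreamAcl" : {
        "$r"  : "$admins", "EventReader",
        "$w"  : "$admins,""EventWriter"
    }
}"""

# Assumed intent: two roles each for $r and $w, written as JSON arrays.
CORRECTED = """{"$userStreamAcl": {
    "$r": ["$admins", "EventReader"],
    "$w": ["$admins", "EventWriter"],
    "$d": "$admins", "$mr": "$admins", "$mw": "$admins"}}"""

if __name__ == "__main__":
    for name, body in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, "->", check_settings(body) or "ok")
```

The parser stops at the first syntax error, so the body as posted is reported at its $r line; the $w line only surfaces once that one is fixed.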

Thanks for that catch. Fixed, but still able to make unauth’d calls.

GET /streams/Letter_4482858/0 HTTP/1.1
Host: atl0wevtd001.cead.prd
Cache-Control: no-cache
Postman-Token: ddfa7614-dbd8-fcd2-28ea-4ed8797ec7ba

<?xml version="1.0" encoding="utf-8"?>
<atom:entry xmlns:atom="http://www.w3.org/2005/Atom">
    <atom:title>0@Letter_4482858</atom:title>
    <atom:id>http://atl0wevtd001.cead.prd/streams/Letter_4482858/0</atom:id>
    <atom:updated>2017-04-24T18:36:43.516128Z</atom:updated>
    <atom:author>
        <atom:name>EventStore</atom:name>
    </atom:author>
    <atom:summary>Encore.Ssp.Letters.Domain.Events.LetterRequestedEvent</atom:summary>
    <atom:link href="http://atl0wevtd001.cead.prd/streams/Letter_4482858/0" rel="edit" />
    <atom:link href="http://atl0wevtd001.cead.prd/streams/Letter_4482858/0" rel="alternate" />
    <atom:content type="application/xml">

Letter_4482858

0

Encore.Ssp.Letters.Domain.Events.LetterRequestedEvent

4bede5b5-84b1-42c2-a210-a338cad249bd

Mon 04/24/2017

6:36 PM

BlackKnight

352

1

U121

A

2

U121

X

AS046

4482858

Restarted the service, now ACLs seem to apply.