cozy-stack
Having two permissions with same ID in `manifest.webapp` should trigger a warning or an error
In the `cozy-pass-wab` manifest I had two different rules using the same ID:

```json
"permissions": {
  ...
  "contacts": {
    "description": "Required to share passwords with other people",
    "type": "com.bitwarden.contacts",
    "verbs": ["ALL"]
  },
  ...
  "contacts": {
    "description": "Required to share passwords with other people",
    "type": "io.cozy.contacts",
    "verbs": ["GET", "POST"]
  },
  ...
}
```
With this configuration, the stack starts without any warning, but if I query a `DELETE` on `bitwarden/contacts/:id` then I get an `invalid token` error.

This stack seems to use authorizations from `io.cozy.contacts`.

However, if I fix the manifest, everything is working fine and I can `DELETE` my bitwarden's contact:

```json
"permissions": {
  ...
  "contacts_bitwarden": {
    "description": "Required to share passwords with other people",
    "type": "com.bitwarden.contacts",
    "verbs": ["ALL"]
  },
  ...
  "contacts": {
    "description": "Required to share passwords with other people",
    "type": "io.cozy.contacts",
    "verbs": ["GET", "POST"]
  },
  ...
}
```
My understanding is that the stack is indexing permissions by unique ID, and if multiple rules have the same ID, then the last rule replaces all rules with the same ID that were previously declared.
Maybe we should detect this scenario and trigger a warning or an error when the app is installed.
The explanation is simple: the manifest is expected to be JSON, and in JSON, it is not possible to put the same key twice in an object.
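One way to implement the install-time check requested in the issue, as an added example that is not cozy-stack's own code: Go's standard `encoding/json` decoder accepts a repeated object key and keeps only the last value when unmarshalling into a map, so the duplicate has to be caught by walking the token stream. The names `DuplicateKeys`, `walk` and `sampleManifest` are hypothetical, and the sample manifest is constructed from the one in the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: the manifest from the issue, elided rules left out.
const sampleManifest = `{"permissions": {
  "contacts": {"type": "com.bitwarden.contacts", "verbs": ["ALL"]},
  "contacts": {"type": "io.cozy.contacts", "verbs": ["GET", "POST"]}}}`

// DuplicateKeys returns the path of each key repeated within one JSON object.
func DuplicateKeys(doc string) (dups []string, err error) {
	err = walk(json.NewDecoder(strings.NewReader(doc)), "", &dups)
	return dups, err
}

// walk consumes one JSON value from the token stream, recursing into containers.
func walk(dec *json.Decoder, path string, dups *[]string) error {
	tok, err := dec.Token()
	delim, isDelim := tok.(json.Delim)
	if err != nil || !isDelim {
		return err // read error, or a scalar with nothing to descend into
	}
	seen := map[string]int{}
	for dec.More() {
		child := path + "[]"
		if delim == '{' {
			key, err := dec.Token() // object keys arrive as string tokens
			if err != nil {
				return err
			}
			child = fmt.Sprintf("%s/%v", path, key)
			if seen[child]++; seen[child] == 2 {
				*dups = append(*dups, child) // report each repeated key once
			}
		}
		if err := walk(dec, child, dups); err != nil {
			return err
		}
	}
	_, err = dec.Token() // closing } or ]
	return err
}

func main() {
	fmt.Println(DuplicateKeys(sampleManifest))
}
```

A non-empty result at install time is the condition on which a stack could log a warning or reject the manifest, instead of silently granting only the last rule's verbs.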