fix(DeliveryRequestApiService): filter deliveries requested by partner role and incoterms#435
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Check failure
Code scanning / CodeQL
Log Injection
Check failure
Code scanning / CodeQL
Log Injection
Check failure
Code scanning / CodeQL
Log Injection
…r based on role and incoterm
tom-rm-meyer-ISST
force-pushed
the
fix/432-delivery
branch
from
1908929 to
9ddc2d8
Compare
ReneSchroederLJ
left a comment
ReneSchroederLJ
left a comment
There was a problem hiding this comment.
Thank you for your contribution.
Overall solid work, but besides a comment I left on a bug there seems to be an issue with how the material is retrieved in handleDeliverySubmodelRequest. There is a disconnect between the comment and what is actually happening.
At first we attempt to find the material by assuming that we are supplier and the Cx number is our own. If this fails we should check if we are customer and the Cx number matches the partnerCxNumber in any mpr for that partner. only if that fails we should triggerPartTypeRetrieval and afterwards check the mpr again.
Currently we do not check the mpr at all so we can not handle requests where we are the customer.
Well seen! While implementing the change and a test to get this scenario tested, I recognized that this might even be unwanted behavior: If we don't have the CX ID when being customer, this means we did not create a Shell Descriptor with a href. Someone tries to access data directly via the asset / interface without the DTR to see how to access the data. I added a warning message as I think this could be a security issue, if a partner tries to do that. |
…d mpr resolving update
| // Sidenote: This still means that the ShellDescriptor has not been created and someone tries to access our | ||
| // api without using the href from DTR | ||
| if (mpr == null) { | ||
| log.warn("Could not find " + materialNumberCx + " from partner " + partner.getBpnl()); |
Check failure
Code scanning / CodeQL
Log Injection
| log.error("No material partner relation for BPNL '{}' and material global asset id '{}'." + | ||
| "Abort answering delivery request.", | ||
| partner.getBpnl(), | ||
| materialNumberCx |
Check failure
Code scanning / CodeQL
Log Injection
ReneSchroederLJ
left a comment
ReneSchroederLJ
left a comment
There was a problem hiding this comment.
Looks good to me. Thank you for your efforts.
|
Bumped version to create a patch release |
tom-rm-meyer-ISST
force-pushed
the
fix/432-delivery
branch
from
599da40 to
77623f8
Compare
tom-rm-meyer-ISST
force-pushed
the
fix/432-delivery
branch
from
77623f8 to
7b448f3
Compare
tom-rm-meyer-ISST
requested review from
mhellmeier
and removed request for
mhellmeier
4 participants
Description
resolves #432
Maybe we need also to do similar enhancements to the following fields
DeliveryService/OwnDeliveryServicePlease let me know what you think. Based on the changes I would release a patch version
Pre-review checks
Please ensure to do as many of the following checks as possible, before asking for committer review: