Enhanced User Access Control for API Create Access Permission

POST APIs normally require create access to perform actions. This has now been enforced in certain APIs that did not enforce it in the past. Note that ADMINISTRATOR role users automatically get all permissions, so such users will not see any change in behavior. Users in lower roles that are not part of groups with the required permissions will see a change in behavior.

We have added an error message for Employee users for APIs related to pick-pack, repack, replenishment, and manufacturing. Now, when the group permission "lgfapi/lgfapi_create_access" is disabled, Employee users will receive a "PERMISSION_DENIED" error code when attempting to post to these APIs.

This change keeps access control consistent, so that employees can perform only the actions they are authorized to perform, which improves data security and system reliability.

Affected APIs:

Pick Pack:

  • POST ..lgfapi/v10/pickpack/pickconfirm/
  • POST ..lgfapi/v10/pickpack/closelpn/
  • POST ..lgfapi/v10/pickpack/packfull_lpn/
  • POST ..lgfapi/v10/pickpack/packmultipleiblpnsintooneoblpn/
  • POST ..lgfapi/v10/pickpack/wavecomplete

Repack:

  • POST …/lgfapi/v10/repack/pack_inventory
  • POST …/lgfapi/v10/repack/close_lpn

Replenishment:

  • POST …/lgfapi/v10/replenishment/replenishtoactive/

Manufacturing:

  • POST …lgfapi/v10/inventory/manufacturing transaction

Unaffected APIs (Permission Denied as Expected):

GET APIs:

  • entity/container
  • entity/allocation

POST APIs:

  • iblpn/composite_create/
  • iblpn/receive
  • iblpn/bulk_locate/

Steps to Enable

For users with Employee access who need to POST to APIs:

  1. Enable the group permission "lgfapi/lgfapi_create_access".

If the group permission "lgfapi/lgfapi_create_access" is disabled, Employee users will receive a "PERMISSION_DENIED" error code when attempting to post to these APIs.
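
To find which accounts will start receiving "PERMISSION_DENIED" before the change reaches them, the rule above can be run over a list of users and groups. The following is an added example, not code from the product: the record layout, the sample users and groups, the "EMPLOYEE" role string, and the rule that one enabled group is enough to grant the permission are all assumptions made for illustration.

```python
# Added example: pre-upgrade impact audit for POST create access.
# All user/group data is constructed; the record layout is hypothetical.
CREATE_ACCESS = "lgfapi/lgfapi_create_access"  # permission named on the page
BYPASS_ROLES = {"ADMINISTRATOR"}               # role that gets all permissions

# Constructed sample: group name -> {permission name: enabled?}
GROUPS = {
    "floor_pickers": {CREATE_ACCESS: False},
    "integration": {CREATE_ACCESS: True},
    "readonly": {},
}

# Constructed sample: accounts with a role and group memberships
USERS = [
    {"login": "alice", "role": "ADMINISTRATOR", "groups": []},
    {"login": "bob", "role": "EMPLOYEE", "groups": ["floor_pickers"]},
    {"login": "svc_rf", "role": "EMPLOYEE", "groups": ["readonly", "integration"]},
    {"login": "carol", "role": "EMPLOYEE", "groups": []},
]


def has_create_access(user, groups):
    """True if the account may POST to the affected APIs."""
    if user["role"] in BYPASS_ROLES:
        return True
    # Assumption: any one group with the permission enabled grants it.
    # A group missing from the data is treated as granting nothing.
    return any(groups.get(g, {}).get(CREATE_ACCESS, False)
               for g in user["groups"])


def post_outcome(user, groups):
    """Expected result of a POST to an affected API for this account."""
    return "ALLOWED" if has_create_access(user, groups) else "PERMISSION_DENIED"


def users_losing_post(users, groups):
    """Logins that will be denied once create access is enforced."""
    return sorted(u["login"] for u in users
                  if not has_create_access(u, groups))


if __name__ == "__main__":
    for u in USERS:
        print(f'{u["login"]:8} {u["role"]:14} {post_outcome(u, GROUPS)}')
    print("review before upgrade:", users_losing_post(USERS, GROUPS))
```

Accounts in the resulting list are the ones to review: either add them to a group with the permission enabled, or confirm that they should not be posting to these APIs.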