FrontlineSMS doesn't work in private deployments

[tuxpiper]

Overview

There is a permission conflict when executing the CLI tasks for deployments that are marked Private. Most CLI tasks execute without a User and thus have no associate permissions. In the case of Private deployments permission restrictions are tighter and are thus preventing the task from completing.

Requirements

• The outbound SMS cli task should execute as its own user
• Most CLI tasks should use a default user that allows general permissions at the level of admin (this does not apply to CLI tasks that eventually provides data to a user that may or may not be allowed to see the data)

Acceptance criteria

• When a deployment is set to private
• When Frontlinesms or another outbound SMS provider is configured
• There are messages scheduled to be sent
• [ ] I can run the SMS outbound dataprovider CLI task
• [ ] The messages are successfully sent to the SMS providers endpoint

Expected behaviour

FrontlineSMS integration should work even when the deployment is marked as private. FLSMS communications are protected by a shared secret.

Actual behaviour

When a deployment is marked as private, if FLSMS tries to forward a message, it fails with the following:

{
  "payload": {
    "class": "HTTP_Exception_403",
    "code": 403,
    "error": "User 0 is not allowed to receive resource messages #0",
    "file": "/var/www/platform/application/classes/Ushahidi/DataProvider.php",
    "line": 55,
    "success": false
  }
}

Aha! Link: https://ushahiditeam.aha.io/features/PROD-514

[tuxpiper]

@dukedanny @ifender mentioning you so you can keep tabs on this one

[ifender]

following @tuxpiper

[jshorland]

@tuxpiper this seems like a p0 to me, yes?

[tuxpiper]

I would be inclined to agree @jshorland

[jrtricafort]

Discussed w @willdoran @kinstelli @rowasc agreed we should do this eventually - marking as Cycle 6 for now.

[jrtricafort]

We should reprioritize (P?) in Cycle 6

[willdoran]

@rowasc I think we had something like a fake user for export yeah? Can you review this?

[rowasc]

@willdoran no , we use the saved user in the export_job table for exporting.

[rowasc]

@willdoran ohh, I think maybe I fixed that in the hdx/develop branches for lumen but not for kohana? I will check this one

[rowasc]

@jrtricafort what priority is this ticket? (asking because you mentioned we should reprioritize in cycle 6)

[jrtricafort]

@rowasc P2

[jrtricafort]

I'm checking on which DREAMS deployments, if any, are private.

[rowasc]

Moving to cycle 9 as its not in the product roadmap, @jrtricafort feel free to change this

[tuxpiper]

Just adding a note to say that this is also affecting other data providers (i.e. Twitter) , output:

$ ./artisan datasource:incoming

In RegistersExceptionHandlers.php line 31:

  User 0 is not allowed to receive resource messages #0

[tuxpiper]

PR #4154 addresses the background initiated data providers