Disabled variables are being used anyway

[skydebernardigu]

1. Newman Version (can be found via newman -v): 5.3.1
2. OS details (type, version, and architecture): macos Monterey 12.3
3. Are you using Newman as a library, or via the CLI? as a cli in docker
4. Did you encounter this recently, or has this bug always been there: cannot determine (first newman use)
5. Expected behaviour: Disable secret should not be used.
6. Command / script used to run Newman:
   newman run 01_config_components.postman_collection.json -e 01_config_components_dev.postman_environment.json -n 2 --delay-request 40 -x -g vtp_dev.postman_globals.json
7. Sample collection, and auxiliary files (minus the sensitive details):
8. Screenshots (if applicable):

In 01_config_components_dev.postman_environment.json I have a disable api key secret:
{ "key": "back_office_app_sync_api_key", "value": "REDACTED_WRONG_KEY", "type": "secret", "enabled": false },

in global file (vtp_dev.postman_globals.json) I have the same key with enabled: true
{ "key": "back_office_app_sync_api_key", "value": "REDATED_CORRECT_KEY", "type": "default", "enabled": true },

if i run newman I get "UNAUTHORIZED" in response to every request.
After deleting back_office_app_sync_api_key block in first file, every response is OK.
Seems that, in case of duplicated key, newman uses the wrong one.

Thankyou
Debe

[malvikach]

@skydebernardigu As you correctly observed in the presence of a variable at two different scopes the inner scope will override the outer scope.

Given this, in the above use case, the environment variable would be used; however, the environment variable is disabled at the environment level. Hence, it should use the global variable.

I see that the variable is defined as 'secret' for the environment scope and 'default' at the global scope. Please let us know if you observe this issue if the variable is defined as 'default' at both scopes.

Secondly, do let me know the behavior when you run the same collection using Postman collection runner. Is the response still "UNAUTHORIZED". This will help us understand if this is an issue with Newman specifically.

[skydebernardigu]

I understand variable precedence. But as I tried to report, in my case, inner scope (environment) was disabled and the value of key was wrong (is an auth key), so if newman should use the global, I should have a right authentication to api.

With variable defined as default at both scopes, I observe the same result.
I tried also passing global variable by command line switch --global-var with same result (unauthorized).
If i delete variable at environment level, it works.

Postman runner is running fine.

Let me know if I can help.

Thankyou
Debe

[VaishnaviChallaPostman]

Hey @skydebernardigu
We are able to replicate this behaviour.
Our team is working on this issue and we will make sure to post any updates to this thread.
Hope deleting the disabled variable will keep you unblocked in the meantime.
Thanks for your patience :)