Kuali Rice Development / KULRICE-14220

Implement authorization checks on api endpoints for groups, action list, and document search

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: rest-1.0
    • Component/s: Development
    • Security Level: Public (Public: Anyone can view)
    • Labels:
      None
    • Similar issues:
      KULRICE-14223: Implement authorization on Action List REST api
      KULRICE-14222: Implement authorization on Document Search REST api
      KULRICE-2036: Multiple workgroup initiation authorization checks don't work
      KULRICE-12589: Add authorization for document actions in DocumentControllerBase
      KULRICE-14221: Implement authorization on KIM Groups REST api
      KULRICE-5153: Implement AdHoc Recipients tag for documents
      KULRICE-7642: RoleResponsibilityAction APIs are insufficient
      KULRICE-889: New workflow API
      KULRICE-12641: Add authorization for document actions in MaintenanceDocumentController
      KULRICE-12307: Document search API saves searches to user's saved document searches
    • Sprint:
      Rice Sprint 2015-04-01, Rice Sprint 2015-04-1
    • KAI Review Status:
      Not Required
    • KTI Review Status:
      Not Required
    • Code Review Status:
      Not Required
    • Include in Release Notes?:
      Yes
    • Story Points:
      13

      Description

      Given the principal name of the current authenticated principal to the API, these should leverage the PermissionService.isAuthorizedByTemplate method to use the same permissions that are used today by the equivalent functions within the UI.

      So for example, in order to execute a document search, you would check whatever permission is checked today to grant access to the document search UI screen. For example, to grant permission to create or update groups, check the same permissions that are used today to grant access to this capability within the user interface.

      For document search, the version of the API that passes the principal name and checks for security should be used.

      For action list, users should be able to only see their own action list.
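
      A sketch of the two checks described above, added here as an illustration and not taken from the Rice code base. The `TemplatePermissionCheck` interface is a hypothetical stand-in for the permission lookup (it is not the Rice `PermissionService` signature), and the namespace, template name and `function` detail key are placeholders for whatever the equivalent UI screen checks today.

```java
import java.util.Map;

public class RestAuthzExample {
    /** Hypothetical stand-in for the permission lookup; not the Rice interface. */
    interface TemplatePermissionCheck {
        boolean isAuthorizedByTemplate(String principalName, String namespaceCode,
                String templateName, Map<String, String> details);
    }

    static class ForbiddenException extends RuntimeException {
        ForbiddenException(String msg) { super(msg); }
    }

    // Placeholders: substitute the namespace/template the UI screen checks today.
    static final String NAMESPACE = "EXAMPLE-NS";
    static final String TEMPLATE = "EXAMPLE-TEMPLATE";

    private final TemplatePermissionCheck permissions;
    RestAuthzExample(TemplatePermissionCheck permissions) { this.permissions = permissions; }

    /** Document search / group edit: deny unless the UI-equivalent permission is held. */
    void requirePermission(String authenticatedPrincipal, String function) {
        if (authenticatedPrincipal == null || authenticatedPrincipal.isEmpty()
                || !permissions.isAuthorizedByTemplate(authenticatedPrincipal, NAMESPACE,
                        TEMPLATE, Map.of("function", function))) {
            throw new ForbiddenException("not authorized for " + function);
        }
    }

    /** Action list: the requested owner must be the authenticated principal. */
    void requireOwnActionList(String authenticatedPrincipal, String requestedPrincipal) {
        if (authenticatedPrincipal == null || !authenticatedPrincipal.equals(requestedPrincipal)) {
            throw new ForbiddenException("action list is visible to its owner only");
        }
    }

    public static void main(String[] args) {
        // Constructed policy: everyone may search documents, only "admin" may edit groups.
        RestAuthzExample authz = new RestAuthzExample((p, ns, t, d) ->
                "documentSearch".equals(d.get("function")) || "admin".equals(p));
        authz.requirePermission("jdoe", "documentSearch"); // permitted by the policy
        authz.requireOwnActionList("jdoe", "jdoe");         // own list, permitted
        try { authz.requirePermission("jdoe", "groupEdit"); }
        catch (ForbiddenException e) { System.out.println("denied: " + e.getMessage()); }
        try { authz.requireOwnActionList("jdoe", "admin"); }
        catch (ForbiddenException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```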

        Activity

        Brian Smith (Inactive) added a comment -

        All rest services have security based on the principal you pass in. Group manipulations have full access depending on the call you make to it since the assumption is system to system authorization right now.


          People

          • Assignee:
            Brian Smith (Inactive)
            Reporter:
            Eric Westfall
          • Votes:
            0
            Watchers:
            2
