Kuali Rice Development: KULRICE-14220

Implement authorization checks on api endpoints for groups, action list, and document search

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: rest-1.0
    • Component/s: Development
    • Security Level: Public (Public: Anyone can view)
    • Labels:
      None
    • Sprint:
      Rice Sprint 2015-04-01, Rice Sprint 2015-04-2
    • KAI Review Status:
      Not Required
    • KTI Review Status:
      Not Required
    • Code Review Status:
      Not Required
    • Include in Release Notes?:
      Yes
    • Story Points:
      13

      Description

      Given the principal name of the currently authenticated principal passed to the API, these endpoints should use the PermissionService.isAuthorizedByTemplate method so that they enforce the same permissions that the equivalent functions in the UI use today.

      So, for example, in order to execute a document search, check whatever permission is checked today to grant access to the document search UI screen. Likewise, to grant permission to create or update groups, check the same permissions that are used today to grant access to that capability within the user interface.

      For document search, use the version of the API that takes the principal name and performs the security check.

      For action list, users should only be able to see their own action list.
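      The following is an added example of what such a guard could look like; it is not Rice project code. It assumes the Rice KIM API calls it uses (KimApiServiceLocator, IdentityService.getPrincipalByPrincipalName, Principal.isActive, PermissionService.isAuthorizedByTemplate); the class name, the exception type and the namespace/template/detail arguments are placeholders, because this issue does not name which permission the UI checks today, and the values must be copied from the existing UI authorizer for each screen.

```java
import java.util.Map;

import org.kuali.rice.kim.api.identity.IdentityService;
import org.kuali.rice.kim.api.identity.principal.Principal;
import org.kuali.rice.kim.api.permission.PermissionService;
import org.kuali.rice.kim.api.services.KimApiServiceLocator;

/**
 * Hypothetical guard (added example, not Rice code) that the REST resources for
 * document search, groups and the action list would call before doing any work.
 * It resolves the caller's principal name to a principal ID and delegates to the
 * same KIM template check the UI screens use, so both code paths stay in sync.
 */
public final class RestAuthorizationGuard {

    /** Thrown when the caller is not authorized; the resource maps it to HTTP 403. */
    public static final class NotAuthorizedException extends RuntimeException {
        public NotAuthorizedException(String message) {
            super(message);
        }
    }

    private final IdentityService identityService;
    private final PermissionService permissionService;

    public RestAuthorizationGuard() {
        this(KimApiServiceLocator.getIdentityService(), KimApiServiceLocator.getPermissionService());
    }

    /** Constructor that takes the services explicitly so the guard can be unit tested with mocks. */
    RestAuthorizationGuard(IdentityService identityService, PermissionService permissionService) {
        this.identityService = identityService;
        this.permissionService = permissionService;
    }

    /**
     * Resolve the authenticated principal name to a principal ID.
     * Missing, unknown or inactive principals are rejected rather than treated as anonymous.
     */
    public String requirePrincipalId(String principalName) {
        if (principalName == null || principalName.trim().isEmpty()) {
            throw new NotAuthorizedException("no authenticated principal supplied");
        }
        Principal principal = identityService.getPrincipalByPrincipalName(principalName);
        if (principal == null || !principal.isActive()) {
            throw new NotAuthorizedException("unknown or inactive principal: " + principalName);
        }
        return principal.getPrincipalId();
    }

    /**
     * Template-based check shared by document search and group create/update.
     * namespaceCode, templateName and permissionDetails are placeholders here; the real
     * values are whatever the UI authorizer for the equivalent screen passes today.
     */
    public void requireTemplatePermission(String principalName, String namespaceCode, String templateName,
            Map<String, String> permissionDetails, Map<String, String> qualification) {
        String principalId = requirePrincipalId(principalName);
        boolean authorized = permissionService.isAuthorizedByTemplate(
                principalId, namespaceCode, templateName, permissionDetails, qualification);
        if (!authorized) {
            throw new NotAuthorizedException(
                    principalName + " is not authorized by template " + namespaceCode + ":" + templateName);
        }
    }

    /**
     * Action list rule from this issue: a caller may only read their own action list.
     * The requested principal ID (if the endpoint accepts one) must match the caller,
     * so a client cannot enumerate other users' work by supplying a different ID.
     */
    public String requireOwnActionList(String authenticatedPrincipalName, String requestedPrincipalId) {
        String callerId = requirePrincipalId(authenticatedPrincipalName);
        if (requestedPrincipalId != null && !requestedPrincipalId.equals(callerId)) {
            throw new NotAuthorizedException("action list of another principal was requested");
        }
        return callerId;
    }
}
```

      A resource would call requireTemplatePermission at the top of the document search and group endpoints, and requireOwnActionList at the top of the action list endpoint, before touching any service; the principal name must come from the authenticated request context, never from a client-supplied parameter.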

          Activity

          ewestfal Eric Westfall created issue
          ewestfal Eric Westfall made changes: Rank -> Ranked higher
          ewestfal Eric Westfall made changes: Sprint -> Rice Sprint 2015-04-01 [ 472 ]
          ewestfal Eric Westfall made changes: Description -> added the requirement that users may only see their own action list (the remainder of the description is unchanged)
          ewestfal Eric Westfall made changes: Story Points -> 13
          cniesen Claus Niesen made changes: Sprint Rice Sprint 2015-04-01 [ 472 ] -> Rice Sprint 2015-04-01, Rice Sprint 2015-04-2 [ 472, 474 ]
          cniesen Claus Niesen made changes: Rank -> Ranked higher
          bsmith Brian Smith (Inactive) added a comment -

          All REST services have security based on the principal you pass in. Group manipulations have full access depending on the call you make to it, since the assumption is system-to-system authorization right now.
          bsmith Brian Smith (Inactive) made changes: Status Open [ 1 ] -> Closed [ 6 ]; Resolution -> Fixed [ 1 ]
          bsmith Brian Smith (Inactive) made changes: Assignee -> Brian Smith [ bsmith ]
          cniesen Claus Niesen made changes: Fix Version/s -> rest-1.0 [ 17957 ]

            People

            • Assignee:
              bsmith Brian Smith (Inactive)
              Reporter:
              ewestfal Eric Westfall
            • Votes:
              0
            • Watchers:
              2
