[KULRICE-14220] Implement authorization checks on api endpoints for groups, action list, and document search Created: 18/Mar/15  Updated: 21/May/15  Resolved: 15/Apr/15

Status: Closed
Project: Kuali Rice Development
Component/s: Development
Affects Version/s: None
Fix Version/s: rest-1.0
Security Level: Public (Public: Anyone can view)

Type: Improvement Priority: Major
Reporter: Eric Westfall Assignee: Brian Smith (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Sub-Tasks:
Key            Summary                                    Type      Status   Assignee
KULRICE-14221  Implement authorization on KIM Groups...   Sub Task  Closed   Brian Smith
KULRICE-14222  Implement authorization on Document S...   Sub Task  Closed   Brian Smith
KULRICE-14223  Implement authorization on Action Lis...   Sub Task  Closed   Jeff Ruch
Sprint: Rice Sprint 2015-04-01, Rice Sprint 2015-04-1
KAI Review Status: Not Required
KTI Review Status: Not Required
Code Review Status: Not Required
Include in Release Notes?:
Yes
Story Points: 13

Description

Given the principal name of the currently authenticated principal passed to the API, these endpoints (groups, action list, document search) should call PermissionService.isAuthorizedByTemplate so that they enforce the same permissions the equivalent functions in the UI use today.

So, for example, in order to execute a document search, check whatever permission is checked today to grant access to the document search UI screen. Likewise, to grant permission to create or update groups, check the same permissions that are used today to grant access to that capability within the user interface.

For document search, the version of the API that passes the principal name and checks for security should be used.

For action list, users should be able to only see their own action list.
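An added example (not Rice project code) of how an endpoint guard along these lines could look, using the Rice 2.x KIM APIs KimApiServiceLocator, IdentityService.getPrincipalByPrincipalName and PermissionService.isAuthorizedByTemplate. The ApiAuthorizationGuard class, the "KR-WKFLW"/"KR-IDM" namespace codes, the template-name placeholders and the group qualification keys are assumptions for illustration, not values taken from this issue:

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.kuali.rice.kim.api.identity.IdentityService;
import org.kuali.rice.kim.api.identity.principal.Principal;
import org.kuali.rice.kim.api.permission.PermissionService;
import org.kuali.rice.kim.api.services.KimApiServiceLocator;

/** Hypothetical guard mirroring the UI's permission checks for the REST endpoints. */
public class ApiAuthorizationGuard {

    // ASSUMED namespace codes; PLACEHOLDER template names: use the exact
    // namespace/template pairs the corresponding UI screens check today.
    private static final String KEW_NAMESPACE = "KR-WKFLW";
    private static final String DOC_SEARCH_TEMPLATE = "<document search template>";
    private static final String KIM_NAMESPACE = "KR-IDM";
    private static final String GROUP_UPDATE_TEMPLATE = "<group create/update template>";

    private final IdentityService identityService = KimApiServiceLocator.getIdentityService();
    private final PermissionService permissionService = KimApiServiceLocator.getPermissionService();

    /** Resolve the caller's principal name to a principal id; fail closed on unknown/inactive. */
    public String requirePrincipalId(String principalName) {
        Principal principal = identityService.getPrincipalByPrincipalName(principalName);
        if (principal == null || !principal.isActive()) {
            throw new SecurityException("unknown or inactive principal");
        }
        return principal.getPrincipalId();
    }

    /** Document search: same permission template the UI search screen checks. */
    public boolean canSearchDocuments(String principalName) {
        Map<String, String> none = Collections.emptyMap();
        return permissionService.isAuthorizedByTemplate(
                requirePrincipalId(principalName), KEW_NAMESPACE, DOC_SEARCH_TEMPLATE, none, none);
    }

    /** Group create/update: same template the group UI checks, qualified by the target group. */
    public boolean canUpdateGroup(String principalName, String groupNamespace, String groupName) {
        Map<String, String> qualification = new HashMap<>();  // assumed qualifier keys
        qualification.put("namespaceCode", groupNamespace);
        qualification.put("groupName", groupName);
        return permissionService.isAuthorizedByTemplate(
                requirePrincipalId(principalName), KIM_NAMESPACE, GROUP_UPDATE_TEMPLATE,
                Collections.<String, String>emptyMap(), qualification);
    }

    /** Action list: a caller may only read its own list, so no permission lookup is involved. */
    public boolean canViewActionList(String callerPrincipalName, String requestedPrincipalId) {
        return requirePrincipalId(callerPrincipalName).equals(requestedPrincipalId);
    }
}
```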



Comments
Comment by Brian Smith (Inactive) [ 15/Apr/15 ]

All REST services have security based on the principal you pass in. Group manipulations have full access depending on the call you make to it, since the assumption is system-to-system authorization right now.
