[KULRICE-14220] Implement authorization checks on api endpoints for groups, action list, and document search Created: 18/Mar/15 Updated: 21/May/15 Resolved: 15/Apr/15
| Field | Value |
|---|---|
| Project | Kuali Rice Development |
| Security Level | Public (Public: Anyone can view) |
| Reporter | Eric Westfall |
| Assignee | Brian Smith (Inactive) |
| Σ Remaining Estimate | Not Specified |
| Remaining Estimate | Not Specified |
| Σ Time Spent | Not Specified |
| Time Spent | Not Specified |
| Σ Original Estimate | Not Specified |
| Original Estimate | Not Specified |
| Sprint | Rice Sprint 2015-04-01, Rice Sprint 2015-04-1 |
| KAI Review Status | Not Required |
| KTI Review Status | Not Required |
| Code Review Status | Not Required |
| Include in Release Notes? | |
Given the principal name of the currently authenticated principal that is passed to the API, these endpoints should use the PermissionService.isAuthorizedByTemplate method so that they check the same permissions the equivalent functions in the UI use today.
So, for example, in order to execute a document search, check whatever permission is checked today to grant access to the document search UI screen. Likewise, to grant permission to create or update groups, check the same permissions that are used today to grant access to that capability within the user interface.
For document search, the version of the API that passes the principal name and checks security should be used.
For the action list, users should only be able to see their own action list.
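The following guard sketches what the checks described above look like in front of the three REST resources. It is an added example written for this page, not code from the Rice project or from this issue. It assumes the Rice 2.x signatures `IdentityService.getPrincipalByPrincipalName(String)` and `PermissionService.isAuthorizedByTemplate(principalId, namespaceCode, templateName, permissionDetails, qualification)`; the template namespace and name constants are placeholders to be replaced with whatever the corresponding UI screen checks, the `namespaceCode` qualification attribute name is an assumption, and the 403 is raised through a JAX-RS `WebApplicationException`.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

import org.kuali.rice.kim.api.identity.IdentityService;
import org.kuali.rice.kim.api.identity.principal.Principal;
import org.kuali.rice.kim.api.permission.PermissionService;

/**
 * Hypothetical guard that the group, action-list and document-search REST
 * resources call before doing any work. Added example, not Rice project code.
 */
public final class ApiAuthorizationGuard {

    // Placeholders: substitute the namespace/template that the corresponding
    // UI screen checks today (these values are NOT taken from the issue).
    static final String DOC_SEARCH_NAMESPACE  = "REPLACE-WITH-UI-NAMESPACE";
    static final String DOC_SEARCH_TEMPLATE   = "REPLACE-WITH-UI-TEMPLATE";
    static final String GROUP_ADMIN_NAMESPACE = "REPLACE-WITH-UI-NAMESPACE";
    static final String GROUP_ADMIN_TEMPLATE  = "REPLACE-WITH-UI-TEMPLATE";

    private final IdentityService identityService;
    private final PermissionService permissionService;

    public ApiAuthorizationGuard(IdentityService identityService,
                                 PermissionService permissionService) {
        this.identityService = identityService;
        this.permissionService = permissionService;
    }

    /** Document search: same template the search screen checks, keyed on the caller. */
    public void checkDocumentSearch(String principalName) {
        requireTemplate(principalName, DOC_SEARCH_NAMESPACE, DOC_SEARCH_TEMPLATE,
                Collections.<String, String>emptyMap(),
                Collections.<String, String>emptyMap());
    }

    /**
     * Group create/update: qualify the check with the group's namespace so a
     * principal allowed to edit groups in one namespace cannot edit all of them.
     */
    public void checkGroupWrite(String principalName, String groupNamespaceCode) {
        Map<String, String> qualification = new HashMap<String, String>();
        qualification.put("namespaceCode", groupNamespaceCode); // attribute name assumed
        requireTemplate(principalName, GROUP_ADMIN_NAMESPACE, GROUP_ADMIN_TEMPLATE,
                Collections.<String, String>emptyMap(), qualification);
    }

    /** Action list: no KIM lookup needed; the caller may only read their own list. */
    public void checkActionListOwner(String authenticatedPrincipalName,
                                     String requestedPrincipalName) {
        if (authenticatedPrincipalName == null
                || !authenticatedPrincipalName.equals(requestedPrincipalName)) {
            throw forbidden();
        }
    }

    private void requireTemplate(String principalName, String namespaceCode,
                                 String templateName,
                                 Map<String, String> permissionDetails,
                                 Map<String, String> qualification) {
        // Resolve the authenticated principal NAME to the principal ID that KIM keys on.
        Principal principal = identityService.getPrincipalByPrincipalName(principalName);
        if (principal == null) {
            // Unknown principal: fail closed instead of passing null into the check.
            throw forbidden();
        }
        boolean allowed = permissionService.isAuthorizedByTemplate(
                principal.getPrincipalId(), namespaceCode, templateName,
                permissionDetails, qualification);
        if (!allowed) {
            throw forbidden();
        }
    }

    private static WebApplicationException forbidden() {
        // Bare 403: the response body does not reveal which template was consulted.
        return new WebApplicationException(
                Response.status(Response.Status.FORBIDDEN).build());
    }
}
```

Each resource method calls the matching `check…` method first and only then invokes the underlying service; for document search that means the principal-aware, security-checking variant of the search API named above, so the guard and the search itself agree on who the caller is.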
Comment by Brian Smith (Inactive) [ 15/Apr/15 ]
All REST services have security based on the principal you pass in. Group manipulations have full access depending on the call you make to it, since the assumption is system-to-system authorization right now.