Hi Isabelle,

In the current API Manager, a creator user can edit an already published API. We need to avoid this situation. The condition that I am going to check when a user is going to edit an already published API is that he should have at least publisher permissions to do that.

I was able to clarify the issue with Jo and want to get your feedback as well. Should there be any other users who should have the privilege to edit an already published API but do not have publish permissions?

Appreciate your attention.

---------- Forwarded message ----------
From: Joseph Fonseka <[email protected]>
Date: Tue, Jul 21, 2015 at 12:30 PM
Subject: Re: Can Users who haven't publish permissions edit a published API ?
To: Chamalee De Silva <[email protected]>

Hi,

The issue here is that we hot deploy the API when it gets edited after publishing. So a create user gets unwanted access to indirectly publish an API. Thus we can prevent a create user from editing an already published API.

The next problem is, if a create user is unable to edit an API, who will have access to edit the published API? IMHO we should allow API editing for a user who has the publisher role once the API is published.

The concern with the above is that a publisher user will then have access to edit an API, but I guess it is not a major issue since usually a publisher user will be an authoritative user.

Anyway, it is better to get feedback from the list, especially from Isabelle.

Regards
Jo

On Tue, Jul 21, 2015 at 12:01 PM, Chamalee De Silva <[email protected]> wrote:

> Hi,
>
> I need a clarification to fix the issue [1].
>
> This is what I am going to do.
>
> When a user has logged into the API Manager publisher,
>
> 1. If the API is published and the current user has API publish
>    permission along with create permission, let him edit the API.
> 3. If the API is published and the user has only create permission and
>    no publish permission, he will not be able to edit the API.
>
> So as I understood, to edit a published API the current user should have
> publish permissions as a sufficient requirement.
> Please correct me if I am wrong.
>
> What I want to know is whether we should give a user the privilege to
> edit a published API when he has no publish permissions but has all
> other permissions.
>
> I am trying to build up the logic to solve the issue.
>
> Appreciate your help.
>
> [1] https://wso2.org/jira/browse/APIMANAGER-3966
>
> --
> Thanks & Regards,
>
> Chamalee De Silva
> Software Engineer
> WSO2 Inc. .:http://wso2.com
>
> Office :- +94 11 2145345
> mobile :- +94 71 4315942

--
Joseph Fonseka
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: +94 772 512 430
skype: jpfonseka

--
Thanks & Regards,

Chamalee De Silva
Software Engineer
WSO2 Inc. .:http://wso2.com

Office :- +94 11 2145345
mobile :- +94 71 4315942
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
