Hi all,
This is about how we should handle access permissions for subresources in
the API Store.
*Parent Resource Access*
Consider the following REST calls.
GET /apis/{apiId}/comments/{commentId}
GET apis/{apiId}/documents/{documentId}
At the moment we are not checking whether a particular user has read access
to the specific API before we retrieve the requested comment or document.
Is it fine to ignore this check for these APIs, assuming that a user
might already have read access to the API because he already knows the
UUID of the API?
Or should we be doing an explicit permission validation? Are there any
drawbacks in doing this check?
*Subresource Update/Delete*
Consider the following REST API calls done by a user in the Store.
DELETE /apis/{apiId}/comments/{commentId}
UPDATE /apis/{apiId}/comments/{commentId}
DELETE /apis/{apiId}/documents/{documentId}
UPDATE /apis/{apiId}/documents/{documentId}
In order to restrict who can update and delete these subresources, we can
pass the username to the DAO layer, check who created the resource, and allow only
that person to make these modifications. But there could be a use case where
another user (an admin) will need to delete or update a resource created by
someone else. If we restrict these actions to the creator only, then we
cannot support such a use case.
Appreciate your thoughts on this.
--
Thanks & Regards,
Fazlan Nazeem
*Senior Software Engineer*
*WSO2 Inc*
Mobile : +94772338839
[email protected]
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
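The two questions above (checking read access to the parent API before serving a comment or document, and allowing either the creator or an admin to update/delete a subresource) can be illustrated with a small in-memory model. This is an added example for the discussion, not WSO2 API Manager code; the data model (an API with a set of roles it is visible to, a comment that records its creator, and a role named "admin") is assumed here for illustration. It also shows two checks a reviewer would want regardless of which option is chosen: a subresource must actually belong to the API named in the path, and a forbidden parent is reported the same way as a missing one so that guessing UUIDs does not reveal which APIs exist.

```python
"""Authorization checks for API subresources (comments, documents).

Added illustration for the mailing-list discussion; not WSO2 code. The data
model (Api.visible_roles, Comment.created_by, ADMIN_ROLE) is assumed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

ADMIN_ROLE = "admin"  # assumed name of the role that may edit others' subresources


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Api:
    id: str
    # Empty set means public; otherwise the caller needs one of these roles.
    visible_roles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Comment:
    id: str
    api_id: str       # parent API this comment belongs to
    created_by: str   # username of the creator
    text: str


class Store:
    def __init__(self) -> None:
        self.apis: Dict[str, Api] = {}
        self.comments: Dict[str, Comment] = {}

    # --- parent resource access ------------------------------------------
    def can_read_api(self, user: User, api: Api) -> bool:
        return not api.visible_roles or bool(user.roles & api.visible_roles)

    def _readable_api(self, user: User, api_id: str) -> Api:
        api = self.apis.get(api_id)
        # Unknown and forbidden APIs are both reported as "not found" so a
        # caller cannot probe which UUIDs exist by observing 403 vs 404.
        if api is None or not self.can_read_api(user, api):
            raise NotFound(api_id)
        return api

    def get_comment(self, user: User, api_id: str, comment_id: str) -> Comment:
        self._readable_api(user, api_id)          # explicit parent check first
        comment = self.comments.get(comment_id)
        # The comment must belong to the API named in the path; otherwise a
        # caller could pair a readable API id with a comment id taken from a
        # restricted API and read it anyway.
        if comment is None or comment.api_id != api_id:
            raise NotFound(comment_id)
        return comment

    # --- subresource update/delete ---------------------------------------
    def can_modify(self, user: User, comment: Comment) -> bool:
        # Creator or admin: the admin use case is covered without opening the
        # resource to every user who can read the API.
        return comment.created_by == user.name or ADMIN_ROLE in user.roles

    def delete_comment(self, user: User, api_id: str, comment_id: str) -> None:
        comment = self.get_comment(user, api_id, comment_id)  # read check + path check
        if not self.can_modify(user, comment):
            raise Forbidden(comment_id)
        del self.comments[comment_id]


def outcome(action, *args) -> str:
    """Run a store action and report how the authorization decision came out."""
    try:
        action(*args)
        return "ok"
    except NotFound:
        return "not_found"
    except Forbidden:
        return "forbidden"


def build_sample_store() -> Store:
    """Constructed sample data: one public API and one visible only to 'internal'."""
    store = Store()
    store.apis["api-public"] = Api("api-public")
    store.apis["api-internal"] = Api("api-internal", frozenset({"internal"}))
    store.comments["c1"] = Comment("c1", "api-public", "alice", "nice api")
    store.comments["c2"] = Comment("c2", "api-internal", "bob", "internal note")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    alice = User("alice")
    bob = User("bob", frozenset({"internal"}))
    print(outcome(s.get_comment, alice, "api-internal", "c2"))  # alice cannot read the parent
    print(outcome(s.get_comment, alice, "api-public", "c2"))    # path mixing is refused
    print(outcome(s.delete_comment, bob, "api-public", "c1"))   # not the creator, not admin
```

Running the file prints not_found, not_found and forbidden for the three calls. Whichever option the list settles on, the parent check costs one extra lookup per request, while skipping it means anyone holding a UUID (from a log, a shared link or a guess) can read every subresource of that API.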