Hi Fazlan,

On Mon, May 8, 2017 at 3:42 PM, Fazlan Nazeem <fazl...@wso2.com> wrote:

> Hi all,
>
> This is about how we should handle access permission for subresources in
> api store.
>
> *Parent Resource Access *
>
> Consider the following REST calls.
>
> GET /apis/{apiId}/comments/{commentId}
> GET /apis/{apiId}/documents/{documentId}
>
> At the moment we are not checking whether a particular user has read
> access to the specific api before we retrieve the requested comment or
> document. Is it fine to ignore this check for these apis, assuming that a
> user might already have read access to the api because he already
> knows the uuid of the api?
>
> Or should we be doing an explicit permission validation? Do we have any
> drawbacks in doing this check?
>

If we keep the parent-child relationship, we don't need to explicitly check
the permission, as the system will do this for each child resource access.


>
> *Subresource Update/Delete*
>
> Consider the following REST api calls done by a user in store.
>
> DELETE /apis/{apiId}/comments/{commentId}
> UPDATE /apis/{apiId}/comments/{commentId}
>
> DELETE /apis/{apiId}/documents/{documentId}
> UPDATE /apis/{apiId}/documents/{documentId}
>
> In order to restrict who can update and delete these subresources, we can
> pass the username to DAO layer and check who created it, and allow only
> that person to do these modifications. But there could be a use-case where
> another user(admin) will need to delete or update a resource created by
> someone else. If we restrict only the creator to do these actions, then we
> cannot support such a use-case.
>

We can allow these resources to be deleted/updated by the person who created
them, or by a person who has particular roles. In this case, an admin or any
other user who has these roles can delete/update.

Some suggestions

1. Able to integrate workflow for adding/updating comments to APIs
2. Only allowing API subscribers to add comments.

>
>
> Appreciate your thoughts on this.
>
> --
> Thanks & Regards,
>
> Fazlan Nazeem
>
> *Senior Software Engineer*
>
> *WSO2 Inc*
> Mobile : +94772338839
> fazl...@wso2.com
>



-- 
Thanks
Abimaran Kugathasan
Senior Software Engineer - API Technologies

Email : abima...@wso2.com
Mobile : +94 773922820

<http://stackoverflow.com/users/515034>
<http://lk.linkedin.com/in/abimaran>  <http://www.lkabimaran.blogspot.com/>
<https://github.com/abimarank>  <https://twitter.com/abimaran>
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
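The two checks discussed in this thread (parent-API read access before a comment or document is served, and creator-or-role authorization before it is updated or deleted), as an added worked example. This is illustration code written for this page, not WSO2 API Manager code; the `Store`, `Api`, `Comment` and `User` types, the "public"/"restricted" visibility model, the `PRIVILEGED_ROLES` set and the sample data are all assumptions made for the example. Two details a reviewer would want to see are included: the child resource is only returned if it actually belongs to the API named in the URL (a valid `commentId` under the wrong `apiId` is rejected), and an API the caller cannot read is reported as not found rather than forbidden, so the response does not confirm that the id exists.

```python
"""Authorization for API-store subresources: illustration, not WSO2 code.

Assumed model: an API is either public or restricted to a set of roles;
each comment belongs to exactly one API; a comment may be updated or
deleted by its creator or by a user holding a privileged role.
"""
from dataclasses import dataclass, replace


class Forbidden(Exception):
    """Caller is authenticated but not allowed to perform the action."""


class NotFound(Exception):
    """Resource missing, or hidden from this caller (no read access)."""


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Api:
    id: str
    visibility: str = "public"            # assumed: "public" or "restricted"
    visible_roles: frozenset = frozenset()  # roles allowed to read a restricted API


@dataclass(frozen=True)
class Comment:
    id: str
    api_id: str        # the parent API this comment belongs to
    created_by: str
    text: str


# Assumed: roles that may modify any comment, not only their own.
PRIVILEGED_ROLES = frozenset({"admin"})


class Store:
    def __init__(self):
        self.apis = {}      # api id -> Api
        self.comments = {}  # comment id -> Comment

    def can_read_api(self, user, api):
        """Parent-resource check: public, or caller holds a visible role, or is privileged."""
        if api.visibility == "public":
            return True
        return bool(user.roles & (api.visible_roles | PRIVILEGED_ROLES))

    def get_comment(self, user, api_id, comment_id):
        """GET /apis/{apiId}/comments/{commentId} with the parent check applied."""
        api = self.apis.get(api_id)
        if api is None or not self.can_read_api(user, api):
            raise NotFound(api_id)  # same answer for "absent" and "hidden"
        comment = self.comments.get(comment_id)
        # Reject a real comment id reached through a different API's URL.
        if comment is None or comment.api_id != api_id:
            raise NotFound(comment_id)
        return comment

    def can_modify(self, user, comment):
        """Creator-or-role rule for update/delete."""
        return comment.created_by == user.username or bool(user.roles & PRIVILEGED_ROLES)

    def update_comment(self, user, api_id, comment_id, text):
        comment = self.get_comment(user, api_id, comment_id)  # read check first
        if not self.can_modify(user, comment):
            raise Forbidden(user.username)
        updated = replace(comment, text=text)
        self.comments[comment_id] = updated
        return updated

    def delete_comment(self, user, api_id, comment_id):
        comment = self.get_comment(user, api_id, comment_id)
        if not self.can_modify(user, comment):
            raise Forbidden(user.username)
        del self.comments[comment_id]
        return comment


def outcome(action, *args):
    """Run a store action and name its result: 'ok', 'forbidden' or 'not_found'."""
    try:
        action(*args)
        return "ok"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


def build_sample_store():
    """Constructed sample data for the demonstration (not real API-store content)."""
    s = Store()
    s.apis["api-public"] = Api("api-public")
    s.apis["api-partner"] = Api("api-partner", "restricted", frozenset({"partner"}))
    s.comments["c1"] = Comment("c1", "api-public", "alice", "works for me")
    s.comments["c2"] = Comment("c2", "api-partner", "carol", "rate limit?")
    return s


if __name__ == "__main__":
    store = build_sample_store()
    alice, bob = User("alice"), User("bob")
    carol, admin = User("carol", frozenset({"partner"})), User("root", frozenset({"admin"}))
    print("bob reads c2 via api-partner:", outcome(store.get_comment, bob, "api-partner", "c2"))
    print("bob reads c2 via api-public: ", outcome(store.get_comment, bob, "api-public", "c2"))
    print("bob deletes alice's c1:      ", outcome(store.delete_comment, bob, "api-public", "c1"))
    print("admin deletes carol's c2:    ", outcome(store.delete_comment, admin, "api-partner", "c2"))
```

The ordering matters: every mutating path goes through `get_comment`, so the parent read check and the parent/child ownership check cannot be skipped by calling `update` or `delete` directly, and the creator-or-role rule sits in one function (`can_modify`) so the admin case from the thread is an additive role check rather than a second code path.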