Hi Fazlan,

On Mon, May 8, 2017 at 3:42 PM, Fazlan Nazeem <fazl...@wso2.com> wrote:

> Hi all,
>
> This is about how we should handle access permission for subresources in
> API store.
>
> *Parent Resource Access*
>
> Consider the following REST calls.
>
> GET /apis/{apiId}/comments/{commentId}
> GET /apis/{apiId}/documents/{documentId}
>
> At the moment we are not checking whether a particular user has read
> access to the specific API before we retrieve the requested comment or
> document. Is it fine to ignore this check for these APIs, assuming that a
> user might already have read access to the API because he already
> knows the UUID of the API?
>
> Or should we be doing an explicit permission validation? Do we have any
> drawbacks in doing this check?

If we keep the parent-child relationship, we don't need to explicitly check
the permission, as the system will do this for each child resource access.

> *Subresource Update/Delete*
>
> Consider the following REST API calls done by a user in store.
>
> DELETE /apis/{apiId}/comments/{commentId}
> UPDATE /apis/{apiId}/comments/{commentId}
>
> DELETE /apis/{apiId}/documents/{documentId}
> UPDATE /apis/{apiId}/documents/{documentId}
>
> In order to restrict who can update and delete these subresources, we can
> pass the username to the DAO layer and check who created it, and allow only
> that person to do these modifications. But there could be a use case where
> another user (admin) will need to delete or update a resource created by
> someone else. If we restrict only the creator to do these actions, then we
> cannot support such a use case.

We can allow these resources to be deleted/updated by the person who created
them, or by a person who has particular roles. In this case, an admin or any
other user who has these roles can delete/update.

Some suggestions:

1. Ability to integrate a workflow for adding/updating comments to APIs
2. Only allowing API subscribers to add comments

> Appreciate your thoughts on this.
>
> --
> Thanks & Regards,
>
> Fazlan Nazeem
>
> *Senior Software Engineer*
> *WSO2 Inc*
> Mobile : +94772338839
> fazl...@wso2.com

--
Thanks
Abimaran Kugathasan
Senior Software Engineer - API Technologies

Email : abima...@wso2.com
Mobile : +94 773922820

<http://stackoverflow.com/users/515034>
<http://lk.linkedin.com/in/abimaran>
<http://www.lkabimaran.blogspot.com/>
<https://github.com/abimarank>
<https://twitter.com/abimaran>
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
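The two decisions discussed in the thread, namely resolving a comment only through its parent API so that the parent read check is applied on every child access, and allowing update/delete for the creator or for holders of a configured role rather than the creator alone, can be sketched as a small authorization routine. The Python below is an added illustration written for this page, not WSO2 API Manager code; the visibility model (`public`/`restricted` with allowed roles), the `admin` moderator role, and the sample APIs and comments are all constructed assumptions.

```python
"""Illustrative authorization for API sub-resources (added example, not WSO2 code).

Models the two points from the thread:
  1. A child resource (comment) is resolved only through its parent API, so
     the parent read check runs on every GET/UPDATE/DELETE of the child.
  2. Modification is allowed for the creator OR for any user holding one of a
     configured set of roles, so an admin can clean up someone else's comment.
"""
from dataclasses import dataclass, field

# Assumed configuration: roles that may modify resources created by others.
MODERATOR_ROLES = frozenset({"admin"})


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset = frozenset()


@dataclass
class Comment:
    comment_id: str
    api_id: str        # parent API; kept so a comment cannot be reached via another API
    created_by: str
    text: str


@dataclass
class Api:
    api_id: str
    visibility: str                 # assumed model: "public" or "restricted"
    allowed_roles: frozenset = frozenset()   # roles that may read a restricted API
    comments: dict = field(default_factory=dict)  # comment_id -> Comment


def can_read_api(user: User, api: Api) -> bool:
    """Parent-level read permission: public APIs are open, restricted ones need a role."""
    if api.visibility == "public":
        return True
    return bool(user.roles & api.allowed_roles)


def can_modify_comment(user: User, comment: Comment) -> bool:
    """Creator-or-role rule: the author, or anyone holding a moderator role."""
    return comment.created_by == user.username or bool(user.roles & MODERATOR_ROLES)


def authorize(user: User, apis: dict, action: str, api_id: str, comment_id: str) -> str:
    """Decide /apis/{apiId}/comments/{commentId} for action in {read, update, delete}.

    Returns "ok", "not_found" or "forbidden". An unreadable parent is reported as
    not_found, the same as a missing one, so the response does not confirm that a
    restricted API exists.
    """
    api = apis.get(api_id)
    if api is None or not can_read_api(user, api):
        return "not_found"
    comment = api.comments.get(comment_id)
    # Belt-and-braces: the comment must really belong to the parent in the URL.
    if comment is None or comment.api_id != api_id:
        return "not_found"
    if action == "read":
        return "ok"
    if action in ("update", "delete"):
        return "ok" if can_modify_comment(user, comment) else "forbidden"
    raise ValueError(f"unknown action {action!r}")


def delete_comment(user: User, apis: dict, api_id: str, comment_id: str) -> str:
    """DELETE handler: only mutates state when the decision is "ok"."""
    decision = authorize(user, apis, "delete", api_id, comment_id)
    if decision == "ok":
        del apis[api_id].comments[comment_id]
    return decision


def build_sample() -> dict:
    """Constructed sample data for the example: one public and one restricted API."""
    apis = {
        "api-1": Api("api-1", "public"),
        "api-2": Api("api-2", "restricted", frozenset({"internal"})),
    }
    apis["api-1"].comments["c-1"] = Comment("c-1", "api-1", "alice", "nice API")
    apis["api-2"].comments["c-2"] = Comment("c-2", "api-2", "dave", "internal note")
    return apis


if __name__ == "__main__":
    apis = build_sample()
    print(authorize(User("bob"), apis, "read", "api-1", "c-1"))       # ok
    print(authorize(User("bob"), apis, "read", "api-2", "c-2"))       # not_found
    print(authorize(User("bob"), apis, "delete", "api-1", "c-1"))     # forbidden
    print(delete_comment(User("root", frozenset({"admin"})), apis, "api-1", "c-1"))  # ok
```

Routing every child lookup through `authorize` is what makes "the system will do this for each child resource access" true in practice: there is no code path that fetches a comment by its id alone, so knowing a comment UUID never bypasses the parent API's read permission.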