Dear Meruja, when would we return a 412?
Best regards,
Frank

On Fri, 22 May 2020 at 15:42, Meruja Selvamanikkam <[email protected]> wrote:
> Hi all,
>
> We are in the process of implementing an API to get the scope list of a
> particular user.
> The new API will have the following notation:
> *GET api/am/admin/v1/settings/scopes?userId=<value>*
>
> Please find the swagger definition below:
>
>   /settings/scopes:
>     #-----------------------------------------------------
>     # Retrieve scope settings
>     #-----------------------------------------------------
>     get:
>       security:
>         - OAuth2Security:
>           - apim:admin_settings
>       x-wso2-curl: "curl -k -H \"Authorization: Bearer ae4eae22-3f65-387b-a171-d37eaa366fa8\" -X GET \"https://localhost:9443/api/am/admin/v1/settings/scopes?userId=890a4f4d-09eb-4877-a323-57f6ce2ed79b\""
>       x-wso2-request: |
>         GET https://localhost:9443/api/am/admin/v1/settings/scopes?userId=890a4f4d-09eb-4877-a323-57f6ce2ed79b
>         Authorization: Bearer ae4eae22-3f65-387b-a171-d37eaa366fa8
>       x-wso2-response: "HTTP/1.1 200 OK"
>       summary: Retrieve scopes for a particular user
>       description: |
>         This operation will return the scope list of a particular user.
>         In order to get it, we need to pass the userId as a query parameter.
>       parameters:
>         - name: userId
>           in: query
>           type: string
>           required: true
>       tags:
>         - Settings
>       responses:
>         200:
>           description: |
>             OK.
>             Scopes for a particular user retrieved successfully.
>         400:
>           description: |
>             Bad Request.
>             Invalid request or validation error
>           schema:
>             $ref: '#/definitions/Error'
>         404:
>           description: |
>             Not Found.
>             Requested user does not exist.
>           schema:
>             $ref: '#/definitions/Error'
>         412:
>           description: |
>             Precondition Failed.
>             The request has not been performed because one of the
>             preconditions is not met.
>           schema:
>             $ref: '#/definitions/Error'
>
> Highly appreciate your thoughts and suggestions.
>
> Thanks & Regards,
> *S.Meruja* | Software Engineer | WSO2 Inc.
> (m) +94779650506 | Email: [email protected]
> Linkedin: https://www.linkedin.com/in/meruja
> Medium: https://medium.com/@meruja
> <http://wso2.com/signature>
>
>
> On Mon, May 11, 2020 at 9:37 PM Meruja Selvamanikkam <[email protected]>
> wrote:
>
>> Hi all,
>>
>> Thank you for your suggestions.
>>
>>> I have a few concerns regarding validating the subscriber permissions of
>>> the input application owner using the default subscriber role (Internal
>>> subscriber). Since the REST API and portal access are based on the
>>> scope-role mapping which is maintained in tenant-conf.json, a subscriber
>>> user does not necessarily have the *Internal/subscriber* role. If a new
>>> role mapping to app management, subscriptions related scopes has been
>>> introduced with custom roles, then the validation should be done against
>>> those roles as well.
>>>
>>
>> I agree with you. For previous versions, we had a default subscriber
>> role in the configuration file and checked role-based permission for a
>> particular feature. From 3.1.0 onwards, we have a scope-role mapping.
>> In this case, we cannot validate the user role.
>>
>>> Hence, we should be validating whether any of the roles assigned to that
>>> particular user has bare scope based minimum access to API subscriptions,
>>> app management resources. So the validation should be based on the
>>> role-scope mapping.
>>>
>>> ie: If the user's role 'roleA' has role-scope mappings for 'apim:subscribe'
>>> and 'apim:app_manage' scopes, then that particular user is eligible as
>>> a new owner of a given application.
>>> WDYT?
>>>
>> Yes, we need to validate against the scope.
>>
>>
>> Thanks & Regards,
>> *S.Meruja* | Software Engineer | WSO2 Inc.
>> (m) +94779650506 | Email: [email protected]
>> Linkedin: https://www.linkedin.com/in/meruja
>> Medium: https://medium.com/@meruja
>> <http://wso2.com/signature>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
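The check the thread settles on (is the proposed new application owner eligible because one of their roles is mapped to the apim:subscribe and apim:app_manage scopes, rather than because they hold the literal Internal/subscriber role), together with the per-user scope list the proposed GET /settings/scopes?userId= would have to compute, as an added example. This is illustrative Python written for this page, not WSO2 API Manager's own Java code. The RESTAPIScopes layout with a comma-separated Roles string is assumed to match tenant-conf.json; the role names, scope list and user-to-role assignments are constructed sample data.

```python
"""Role-scope based owner validation (added example, not WSO2 code)."""
import json

# Constructed sample fragment of tenant-conf.json. Assumption: the
# RESTAPIScopes block lists each scope with a comma-separated "Roles" string.
TENANT_CONF = json.loads(r'''
{
  "RESTAPIScopes": {
    "Scope": [
      {"Name": "apim:subscribe",      "Roles": "admin,Internal/subscriber,custom_subscriber"},
      {"Name": "apim:app_manage",     "Roles": "admin,Internal/subscriber,custom_subscriber"},
      {"Name": "apim:api_publish",    "Roles": "admin,Internal/publisher"},
      {"Name": "apim:admin_settings", "Roles": "admin"}
    ]
  }
}
''')

# Minimum scopes the thread names for a new application owner.
REQUIRED_OWNER_SCOPES = frozenset({"apim:subscribe", "apim:app_manage"})


def role_scope_map(tenant_conf):
    """Turn the config into {scope_name: {role, ...}}, trimming whitespace."""
    mapping = {}
    for entry in tenant_conf["RESTAPIScopes"]["Scope"]:
        roles = {r.strip() for r in entry["Roles"].split(",") if r.strip()}
        mapping[entry["Name"]] = roles
    return mapping


def scopes_for_roles(user_roles, mapping):
    """Scopes that at least one of the user's roles is mapped to.

    This is the list a GET /settings/scopes?userId= endpoint would return
    once the user's roles have been fetched from the user store.
    """
    roles = set(user_roles)
    return {scope for scope, allowed in mapping.items() if roles & allowed}


def missing_owner_scopes(user_roles, tenant_conf, required=REQUIRED_OWNER_SCOPES):
    """Required scopes none of the user's roles grant; empty set means eligible."""
    return set(required) - scopes_for_roles(user_roles, role_scope_map(tenant_conf))


def is_eligible_owner(user_roles, tenant_conf, required=REQUIRED_OWNER_SCOPES):
    """True if every required scope is reachable through some role of the user."""
    return not missing_owner_scopes(user_roles, tenant_conf, required)


if __name__ == "__main__":
    # Constructed users, roles as a user store would return them.
    users = {
        "alice": ["Internal/everyone", "Internal/subscriber"],
        "bob":   ["Internal/everyone", "custom_subscriber"],   # custom role only
        "carol": ["Internal/everyone", "Internal/publisher"],  # publisher, not an app owner
        "dave":  [],
    }
    for name, roles in users.items():
        missing = missing_owner_scopes(roles, TENANT_CONF)
        print(f"{name:6} eligible={not missing:<5} missing={sorted(missing)}")
```

The user "bob" is the case the thread is about: a name-based check for Internal/subscriber would reject him, while the scope-based check accepts him because his custom role is mapped to both required scopes. "carol" is rejected because her roles reach apim:api_publish only. The roles must be read from the user store at the moment of the ownership change, not cached from the requester's token, since the decision is about the target user's current roles.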
