Only allow GET access to users/me
Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo
Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/1d0e73b3
Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/1d0e73b3
Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/1d0e73b3
Branch: refs/heads/usergrid-1268-akka-211
Commit: 1d0e73b3f15d634a484ec3e425f944317aefa1b3
Parents: cd363f4
Author: Dave Johnson <[email protected]>
Authored: Tue May 10 17:41:40 2016 -0700
Committer: Dave Johnson <[email protected]>
Committed: Tue May 10 17:41:40 2016 -0700
----------------------------------------------------------------------
.../usergrid/rest/security/SecuredResourceFilterFactory.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/usergrid/blob/1d0e73b3/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
index 67cf248..bd1ab46 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
@@ -450,7 +450,7 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
 String path = request.getUriInfo().getPath().toLowerCase().replace(applicationName, "");
 String perm = getPermissionFromPath( em.getApplicationRef().getUuid(), operation, path );
- if ( "/users/me".equals( path ) ) {
+ if ( "/users/me".equals( path ) && request.getMethod().equalsIgnoreCase( "get" )) {
 // shortcut the permissions checking, the "me" end-point is always allowed
 logger.debug("Allowing {} access to /users/me", getSubject().toString() );
 return;
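Review bot: The shortcut on the changed `if` line still returns before any permission evaluation, and it compares against a `path` that the context line above builds with `replace(applicationName, "")`, which removes the application name wherever it occurs rather than only as the leading segment. The string tested against `"/users/me"` is therefore not guaranteed to be the resource that is actually routed, so I would strip only a leading occurrence, e.g. `if ( path.startsWith( applicationName ) ) { path = path.substring( applicationName.length() ); }`, before both the `getPermissionFromPath` call and this comparison. The comment inside the branch is also stale now and should read `// shortcut the permissions checking, GET on the "me" end-point is always allowed`. The enclosing method begins and ends outside this hunk, so how `applicationName` and `operation` are derived is not visible here and should be checked when applying this.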
