[ 
https://issues.apache.org/jira/browse/SOLR-13364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16808752#comment-16808752
 ] 

Gus Heck commented on SOLR-13364:
---------------------------------

I'd hope that this would populate a JS object that acts as a service and that 
caches the information to avoid chatty requests for perms from N elements on 
each portion of the UI. 

In other (non-AngularJS) systems I've had this sort of info get populated by a 
scriptlet or tag in the base file that sets a global JS value to avoid 
providing a "have I elevated my perms" service (granted, if they dig through the 
HTML/JS on the page they can find it, but that's a little more work than 
noticing a REST call-out that spells it out nice and clear. If one wants, one 
can make the thing interpreted by the encoded so it's not instantly 
recognizable via find command in a browser page source window). 

It's just for rendering so caching it should be fine. If the perms change on 
the back end the user might need to reload the page, but that doesn't seem like 
a problem to me since the perm changes will start failing requests no longer 
authorized. (one hopes).

> Make Admin UI aware of logged-in users permissions
> --------------------------------------------------
>
>                 Key: SOLR-13364
>                 URL: https://issues.apache.org/jira/browse/SOLR-13364
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Admin UI, Authentication, Authorization, security
>            Reporter: Jan Høydahl
>            Priority: Major
>
> We should aim to add fine-grained permission checks to the UI. One way to do 
> this is to add a new REST-endpoint {{/admin/login/whoami}} that is always 
> open for all, and that responds with a JSON with current user's permissions. 
> If no user is logged in it will respond with empty list and "No user logged 
> in". Else it will respond with e.g.
> {code:java}
> { "user": "john", "roles": ["superuser", "searcher"], "permissions": 
> ["security-edit", "collectionadmin"...] }{code}
> The Admin UI can then request this endpoint and cache the info, so that it 
> may make decisions to hide/grey out certain menu options throughout the UI.
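
A sketch of the cached permission service discussed in this thread, added here as an illustration; it is not code from the issue, the commenters, or Solr. The names `normalizeWhoami`, `createPermissionService` and `fetchWhoami` are hypothetical, the fetcher is injected so the block runs offline, and the response shape is assumed to match the JSON in the issue description.

```javascript
// Added example; all function names here are hypothetical.
// Normalize a whoami response into an immutable snapshot. Missing or malformed
// fields (e.g. nobody logged in) become empty lists, so the UI fails closed.
function normalizeWhoami(body) {
  const list = (v) => (Array.isArray(v) ? v.filter((x) => typeof x === "string") : []);
  const b = body && typeof body === "object" ? body : {};
  return Object.freeze({
    user: typeof b.user === "string" ? b.user : null,
    roles: Object.freeze(list(b.roles)),
    permissions: Object.freeze(list(b.permissions)),
  });
}

// fetchWhoami: () => Promise<object>, assumed to call the whoami endpoint.
function createPermissionService(fetchWhoami) {
  let inflight = null;                  // shared promise: N widgets, one request
  let gen = 0;                          // bumped on invalidate to drop stale replies
  let snapshot = normalizeWhoami(null); // nothing granted until loaded

  function load() {
    if (!inflight) {
      const mine = ++gen;
      const apply = (body) =>
        mine === gen ? (snapshot = normalizeWhoami(body)) : snapshot;
      inflight = Promise.resolve().then(fetchWhoami).then(apply, () => {
        if (mine === gen) inflight = null; // failed lookup: allow a retry
        return apply(null);                // and render the locked-down UI
      });
    }
    return inflight;
  }

  return {
    load,
    // Rendering hint only: the server must still authorize every request.
    can: (permission) => snapshot.permissions.includes(permission),
    // Call after a 401/403 or a re-login so stale grants stop being shown.
    invalidate() { gen++; inflight = null; snapshot = normalizeWhoami(null); },
  };
}

// Constructed sample response, shaped like the one in the issue description.
const SAMPLE_WHOAMI = { user: "john", roles: ["superuser", "searcher"],
                        permissions: ["security-edit", "collectionadmin"] };
```

Calling `invalidate()` when a request comes back unauthorized covers the stale-cache case raised in the comment without requiring a manual page reload.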


