[jira] [Updated] (USERGRID-1020) Permissions, when applied directly to a user, do not appear to work

[Brandon Shelley (JIRA)]

     [ 
https://issues.apache.org/jira/browse/USERGRID-1020?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Brandon Shelley updated USERGRID-1020:
--------------------------------------
    Description: 
Using the UI, assign permissions to a user object with the following:
{code}*Username  Permissions  GET   PUT  POST  DELETE*
username: /collection/**    no      no      no          no{code}

If you then use the user's token to make an API call to /collection, for 
example:
{code}GET /collection{code}

It returns entities.

*Expected results:* No entities should be visible, and a permission denied 
error (401) should be returned in the API response.

Tested this same behavior when applying permissions to a group, and adding the 
user to the group instead, and this works as expected.

  was:
Using the UI, assign permissions to a user object with the following:
{code}*Username  Permissions  GET   PUT  POST  DELETE*
username: /collection/**    no      no      no          no{code}

If you then use the user's token to make an API call to /collection, for 
example:
{code}GET /collection{code}

It returns entities.

Expected results:

No entities should be visible, and a permission denied error (401) should be 
returned in the API response.

Tested this same behavior when applying permissions to a group, and adding the 
user to the group instead, and this works as expected.


> Permissions, when applied directly to a user, do not appear to work
> -------------------------------------------------------------------
>
>                 Key: USERGRID-1020
>                 URL: https://issues.apache.org/jira/browse/USERGRID-1020
>             Project: Usergrid
>          Issue Type: Bug
>          Components: Stack
>    Affects Versions: 2.0.0, 1.0
>            Reporter: Brandon Shelley
>
> Using the UI, assign permissions to a user object with the following:
> {code}*Username  Permissions  GET   PUT  POST  DELETE*
> username: /collection/**    no      no      no          no{code}
> If you then use the user's token to make an API call to /collection, for 
> example:
> {code}GET /collection{code}
> It returns entities.
> *Expected results:* No entities should be visible, and a permission denied 
> error (401) should be returned in the API response.
> Tested this same behavior when applying permissions to a group, and adding 
> the user to the group instead, and this works as expected.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)