[ https://issues.apache.org/jira/browse/USERGRID-16?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeffrey updated USERGRID-16:
-----------------------------
Sprint: Double Check
> Asset data does not correctly obey contextual ownership like the entity
> -----------------------------------------------------------------------
>
> Key: USERGRID-16
> URL: https://issues.apache.org/jira/browse/USERGRID-16
> Project: Usergrid
> Issue Type: Bug
> Components: Stack
> Reporter: Rod Simpson
> Priority: Minor
>
> The asset data endpoint
> /assets/UUID/data does not correctly obey contextual ownership.
> For instance, if the default role permissions are set to this after removing
> all existing:
> GET,PUT,POST,DELETE:/users/me/**
> A user should only be able to perform the operations on their entity
> /users/me, and all sub collections. For instance the following scenario
> should work as described.
> # App default role permissions are edited to match the path above
> # User "bob" registers for app
> # User "bob" creates the following asset and uploads data.
> /users/me/assets/myasset and /users/me/assets/myasset/data
> # User "fred" registers for app
> # User "fred" should get a 404 on both /users/bob/assets/myasset, and
> /users/bob/assets/myasset/data
> # Anonymous user should get a 404 on both /users/bob/assets/myasset, and
> /users/bob/assets/myasset/data
> See org.usergrid.rest.applications.users.OwnershipResourceIT for some
> examples.
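The scenario in the issue above, as an added example that is not part of the ticket or of Usergrid's code: a small Python model that evaluates the default-role grant for a caller and applies the same decision to an asset and to its `/data` sub-resource. The function names, the `*`/`**` matching rules and the rejection of dot segments are assumptions made for illustration.

```python
import re

# Constructed model of the ticket's scenario; assumed names, not Usergrid code.
DEFAULT_ROLE = ["GET,PUT,POST,DELETE:/users/me/**"]

def grant_regex(pattern, username):
    """Bind 'me' to the caller, then translate * (one segment) and ** (any depth)."""
    out = "^"
    for seg in pattern.strip("/").split("/"):
        if seg == "**":
            out += "(?:/.*)?"          # also matches the entity itself
        elif seg == "*":
            out += "/[^/]+"
        elif seg == "me":
            if username is None:       # anonymous: 'me' can match nothing
                return None
            out += "/" + re.escape(username)
        else:
            out += "/" + re.escape(seg)
    return re.compile(out + "$")

def authorize(username, method, path, grants=DEFAULT_ROLE):
    """Return 200 when a grant covers the request, else 404 so that a
    non-owner cannot tell whether the resource exists."""
    segs = path.strip("/").split("/")
    if any(s in ("", ".", "..") for s in segs):
        return 404                     # refuse dot segments instead of resolving them
    if username is not None:
        segs = [username if s == "me" else s for s in segs]
    normalized = "/" + "/".join(segs)
    for grant in grants:
        verbs, pattern = grant.split(":", 1)
        allowed = {v.strip().upper() for v in verbs.split(",")}
        regex = grant_regex(pattern, username)
        if regex and method.upper() in allowed and regex.match(normalized):
            return 200
    return 404

def run_scenario():
    """Replay the ticket's steps for the asset and its /data sub-resource."""
    results = {}
    for suffix in ("", "/data"):
        target = "/assets/myasset" + suffix
        results["bob" + suffix] = authorize("bob", "GET", "/users/me" + target)
        results["fred" + suffix] = authorize("fred", "GET", "/users/bob" + target)
        results["anon" + suffix] = authorize(None, "GET", "/users/bob" + target)
    return results
```

The point of running both suffixes through one `authorize` call is that the data endpoint gets no separate, weaker code path: whatever decides access to the entity decides access to its bytes.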