Rod Simpson created USERGRID-16:
-----------------------------------
Summary: Asset data does not correctly obey contextual ownership like the entity
Key: USERGRID-16
URL: https://issues.apache.org/jira/browse/USERGRID-16
Project: Usergrid
Issue Type: Bug
Components: Stack
Reporter: Rod Simpson
The asset data endpoint /assets/UUID/data does not correctly obey contextual ownership.
For instance, if the default role permissions are set to this after removing all existing:
GET,PUT,POST,DELETE:/users/me/**
A user should only be able to perform the operations on their entity /users/me, and all sub collections. For instance, the following scenario should work as described.
# App default role permissions are edited to match the path above
# User "bob" registers for app
# User "bob" creates the following asset and uploads data.
/users/me/assets/myasset and /users/me/assets/myasset/data
# User "fred" registers for app
# User "fred" should get a 404 on both /users/bob/assets/myasset, and /users/bob/assets/myasset/data
# Anonymous user should get a 404 on both /users/bob/assets/myasset, and /users/bob/assets/myasset/data
See org.usergrid.rest.applications.users.OwnershipResourceIT for some examples.
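The outcome the scenario in this report expects, as an added Python model that is not Usergrid's code. It assumes Ant-style `*`/`**` path matching and that `me` resolves to the authenticated user's name; `resolve_me`, `rule_matches`, `authorize` and `scenario` are hypothetical names.

```python
import re

# The role permission from the report; everything else is a constructed model.
DEFAULT_ROLE = ["GET,PUT,POST,DELETE:/users/me/**"]

def resolve_me(path, username):
    """Replace a 'me' path segment with the caller's name; None if anonymous."""
    segs = path.strip("/").split("/")
    if "me" in segs and username is None:
        return None
    return "/" + "/".join(username if s == "me" else s for s in segs)

def rule_matches(rule, username, method, path):
    """Check one 'VERBS:/pattern' rule (Ant-style '*' and '**' are assumed)."""
    verbs, pattern = rule.split(":", 1)
    if method not in verbs.split(","):
        return False
    pattern = resolve_me(pattern, username)
    if pattern is None:            # anonymous callers never satisfy a 'me' rule
        return False
    regex = ""
    for seg in pattern.strip("/").split("/"):
        if seg == "**":
            regex += "(/.*)?"      # zero or more further segments
        elif seg == "*":
            regex += "/[^/]+"      # exactly one segment
        else:
            regex += "/" + re.escape(seg)
    return re.fullmatch(regex, path) is not None

def authorize(rules, username, method, path):
    """Return 200 if a rule grants the request, else 404 as the report expects."""
    path = resolve_me(path, username)
    if path is None:
        return 404
    # The same check runs on the full path, so /data is covered like the entity.
    if any(rule_matches(r, username, method, path) for r in rules):
        return 200
    return 404

def scenario():
    """Replay the report's steps for bob (owner), fred, and an anonymous caller."""
    paths = ["/users/bob/assets/myasset", "/users/bob/assets/myasset/data"]
    return {who: [authorize(DEFAULT_ROLE, who, "GET", p) for p in paths]
            for who in ("bob", "fred", None)}
```

Because the decision is made on the full request path, the entity and its `/data` sub-resource cannot diverge, which is the behaviour the report asks for.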