Peter Santa created FINERACT-2027:
-------------------------------------
Summary: Permission evaluation for jobs
Key: FINERACT-2027
URL: https://issues.apache.org/jira/browse/FINERACT-2027
Project: Apache Fineract
Issue Type: Improvement
Components: Job Scheduler
Affects Versions: 1.8.4
Reporter: Peter Santa
Fix For: 1.9.0
h1. Background
Currently, when a job gets triggered via API, the permission of the
authenticated user is evaluated: whether it has permission to run jobs,
generally. If yes, the initiator user gets replaced by the System user in the
context, and the job's actions get triggered using that context. There is no
further permission checking while running jobs, e.g. for the specific job, or a
step of the job.
Whenever any permission checking gets introduced while running the job,
performing actions will not be permitted, because by default the System user
that is used does not have any permissions - this could break currently
running, live systems.
h1. Goal
Have the permissions evaluated based on the authenticated user and the action,
when triggering a job via API. Have job-specific permission.
h1. Analysis
* To be evaluated: whether it worked like this earlier, or got broken when
implementing features recently.
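A minimal model of the two flows described in the ticket, added here as an illustration; it is not Fineract code and not part of the original issue. All permission strings, job names and users are hypothetical and constructed for the sketch.

```python
from dataclasses import dataclass

# Every identifier here (permission strings, job and user names) is
# hypothetical and constructed for this sketch; none is a Fineract name.
GENERIC_RUN_JOBS = "RUN_JOBS"

class Denied(Exception):
    pass

@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = frozenset()

# Per the ticket, the System user has no permissions by default.
SYSTEM = User("system")

def job_permission(job):
    return f"RUN_JOB:{job}"

def require(user, permission):
    if permission not in user.permissions:
        raise Denied(f"{user.name} lacks {permission}")

def trigger_current(initiator, job, check_inside_job=False):
    """Background: generic check, then the context switches to System."""
    require(initiator, GENERIC_RUN_JOBS)
    context_user = SYSTEM
    if check_inside_job:
        # A check introduced during the run sees System, not the initiator.
        require(context_user, job_permission(job))
    return job

def trigger_goal(initiator, job):
    """Goal: job-specific permission, evaluated against the caller."""
    require(initiator, job_permission(job))
    return job

def allowed(fn, *args, **kwargs):
    """True if the trigger succeeds, False if it is denied."""
    try:
        fn(*args, **kwargs)
        return True
    except Denied:
        return False

# Constructed sample users.
OPERATOR = User("operator", frozenset({GENERIC_RUN_JOBS}))
ACCOUNTANT = User("accountant", frozenset({job_permission("post-accruals")}))
```

In this model the current flow lets the operator start any job, and any check added inside the run fails for every caller because it is evaluated against System; the goal flow decides per job, against the authenticated user, before the run starts.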