vidakovic commented on code in PR #5903:
URL: https://github.com/apache/fineract/pull/5903#discussion_r3389061647
##########
fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/api/SchedulerJobApiResource.java:
##########
@@ -87,6 +91,7 @@ public class SchedulerJobApiResource {
private final PlatformSecurityContext context;
private final FineractProperties fineractProperties;
private final SqlValidator sqlValidator;
+ private final CommandDispatcher dispatcher;
@GET
@Operation(summary = "Retrieve Scheduler Jobs", operationId =
"retrieveAllSchedulerJobs", description = "Returns the list of jobs.\n"
Review Comment:
Looks like authorization enforcement is missing. In the legacy code these
checks are usually done by using `PlatformSecurityContext`; we really
shouldn't, because it obscures the security configuration unnecessarily and
makes it really hard if we need to investigate or audit things. So, good that
it's removed here... but we have to provide the - correct - equivalent. Please
see here
https://github.com/apache/fineract/blob/5a81c992f4ae9bd8714e60cee5d5dd816545ac88/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/SecurityConfig.java#L403
how to do this. And of course this needs to be done for every endpoint that
is exposed by this resource.