mitchell852 opened a new issue #2038: Enforce capabilities for API requests
URL: https://github.com/apache/incubator-trafficcontrol/issues/2038

Each API request needs to be authorized using the capabilities of the user as defined by the user's role. If authorization fails, a 403 Forbidden should be returned.

Also, need to think about how priv_level will be deprecated or overridden. Maybe a parameter called use_capabilities is introduced. If turned on, priv level is ignored. If turned off, priv level is respected. However, for 3.0, I think there should be no concept of a priv_level. It should be scrubbed from the code base entirely.

More info here: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=68715910
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

With regards,
Apache Git Services
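
The check the issue describes, sketched in Go as an added example; it is not part of the original message and not Traffic Control's own code. The `User` and `Authorizer` types, the `userOf` session lookup, the role `operations` and the capability names are assumptions constructed for illustration; only `use_capabilities`, the priv level and the 403 response come from the issue.

```go
package main

import (
	"fmt"
	"net/http"
)

// User is a hypothetical authenticated principal; the field names are assumptions.
type User struct {
	Role      string
	PrivLevel int
}

// Authorizer holds constructed policy data, not Traffic Control's schema.
type Authorizer struct {
	UseCapabilities bool                       // the use_capabilities switch proposed in the issue
	RoleCaps        map[string]map[string]bool // role -> set of capability names
}

// Status returns 200 when the request may proceed and 403 otherwise.
func (a Authorizer) Status(u *User, requiredCap string, minPriv int) int {
	allowed := false
	switch {
	case u == nil: // no session: deny (authentication is assumed to run earlier)
	case a.UseCapabilities: // priv level is ignored; unknown role or capability denies
		allowed = a.RoleCaps[u.Role][requiredCap]
	default: // switch off: priv level is respected
		allowed = u.PrivLevel >= minPriv
	}
	if allowed {
		return http.StatusOK
	}
	return http.StatusForbidden
}

// Wrap guards one route; userOf is a hypothetical session lookup.
func (a Authorizer) Wrap(requiredCap string, minPriv int, userOf func(*http.Request) *User, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code := a.Status(userOf(r), requiredCap, minPriv); code != http.StatusOK {
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	az := Authorizer{UseCapabilities: true, RoleCaps: map[string]map[string]bool{"operations": {"servers-read": true}}}
	ops := &User{Role: "operations", PrivLevel: 20}
	fmt.Println(az.Status(ops, "servers-read", 30), az.Status(ops, "servers-write", 10)) // 200 403
}
```

Because the decision is deny-by-default, a role or capability missing from the table yields 403 rather than falling back to the priv level.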