On 04/01/19 09:27, Ciusso Hb wrote:
Hi all, I've noticed that the "/realms" REST endpoint needs
authentication, but is callable without "REALM_LIST" entitlements; is
this by design?
Hi,
it is not exactly like this: since one admin can own REALM_LIST on a
folded realm but not on its parent realms, the behavior will return
restricted realms for a non-admin, and full-fledged realms for an admin.
Such behavior is implemented by [1] and [2].
Furthermore, the list of realms returned starts from the root (not only
from the realm of the user calling the method).
The "/domains" REST endpoint seems to have a similar behavior: it returns
200 OK with an empty list, but in this case I think it is intentional,
because the domain could be used to log in.
Yep, correct.
Regards.
[1]
https://github.com/apache/syncope/blob/master/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/RealmLogic.java#L73-L86
[2]
https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/RealmDataBinderImpl.java#L219-L246
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
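As an added illustration of the behavior described in the reply above (restricted realms for a caller without REALM_LIST on a given realm, full-fledged realms where the entitlement is held, listing always starting from the root), here is a self-contained model written for this page. It is not Apache Syncope's code and does not use its types; the Realm/RealmTO/Grant classes, the `accountPolicy` field standing in for admin-only details, the sample tree and the assumption that a grant on a realm also covers its descendants are all constructed for the example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative model of "GET /realms" as described in the thread: not Syncope's own code.
 * Every authenticated caller gets the whole tree from the root; each realm is returned
 * full-fledged when the caller holds REALM_LIST on it and restricted otherwise.
 */
public class RealmListingExample {

    /** A realm node: key, name, parent key (null for the root) and one admin-only attribute. */
    static final class Realm {
        final String key;
        final String name;
        final String parentKey;
        final String accountPolicy; // stands in for the details only an admin of the realm may see

        Realm(String key, String name, String parentKey, String accountPolicy) {
            this.key = key;
            this.name = name;
            this.parentKey = parentKey;
            this.accountPolicy = accountPolicy;
        }
    }

    /** What the caller receives: a full view, or a restricted one with admin-only fields left null. */
    static final class RealmTO {
        final String key;
        final String fullPath;
        final String accountPolicy;
        final boolean restricted;

        RealmTO(String key, String fullPath, String accountPolicy, boolean restricted) {
            this.key = key;
            this.fullPath = fullPath;
            this.accountPolicy = accountPolicy;
            this.restricted = restricted;
        }

        @Override
        public String toString() {
            return fullPath + (restricted ? " [restricted]" : " [full, accountPolicy=" + accountPolicy + "]");
        }
    }

    /** An entitlement owned on one realm ("REALM_LIST on a folded realm", in the thread's words). */
    static final class Grant {
        final String entitlement;
        final String realmFullPath;

        Grant(String entitlement, String realmFullPath) {
            this.entitlement = entitlement;
            this.realmFullPath = realmFullPath;
        }
    }

    private final Map<String, Realm> realms = new LinkedHashMap<>(); // insertion order: root first

    void add(Realm r) {
        realms.put(r.key, r);
    }

    /** Full path of a realm, built by walking up to the root ("/"). */
    String fullPath(Realm r) {
        if (r.parentKey == null) {
            return "/";
        }
        String parentPath = fullPath(realms.get(r.parentKey));
        return parentPath.equals("/") ? "/" + r.name : parentPath + "/" + r.name;
    }

    /** Assumption for this model: a grant on a realm also covers all of its descendants. */
    static boolean isGrantedOn(Set<Grant> grants, String entitlement, String realmPath) {
        for (Grant g : grants) {
            if (!g.entitlement.equals(entitlement)) {
                continue;
            }
            if (g.realmFullPath.equals("/") || realmPath.equals(g.realmFullPath)
                    || realmPath.startsWith(g.realmFullPath + "/")) {
                return true;
            }
        }
        return false;
    }

    /** The listing: never a 403 for an authenticated caller, but a per-realm choice of view. */
    List<RealmTO> list(Set<Grant> callerGrants) {
        List<RealmTO> out = new ArrayList<>();
        for (Realm r : realms.values()) {
            String path = fullPath(r);
            boolean admin = isGrantedOn(callerGrants, "REALM_LIST", path);
            out.add(new RealmTO(r.key, path, admin ? r.accountPolicy : null, !admin));
        }
        return out;
    }

    public static void main(String[] args) {
        RealmListingExample svc = new RealmListingExample();
        // Constructed sample tree: / , /even , /even/two , /odd
        svc.add(new Realm("root", "", null, "rootPolicy"));
        svc.add(new Realm("even", "even", "root", "evenPolicy"));
        svc.add(new Realm("two", "two", "even", "twoPolicy"));
        svc.add(new Realm("odd", "odd", "root", "oddPolicy"));

        // Delegated admin owning REALM_LIST only on /even/two: sees the path from the root, restricted
        System.out.println("delegated admin sees:");
        svc.list(Set.of(new Grant("REALM_LIST", "/even/two"))).forEach(to -> System.out.println("  " + to));

        // Admin owning REALM_LIST on the root: every realm comes back full-fledged
        System.out.println("admin sees:");
        svc.list(Set.of(new Grant("REALM_LIST", "/"))).forEach(to -> System.out.println("  " + to));
    }
}
```

The check worth making against a real deployment is the one this model makes visible: since the endpoint answers an authenticated caller with a filtered list rather than a refusal, the restricted view must carry only what is needed to locate a realm (here key and full path), and nothing that is supposed to require REALM_LIST. Unauthenticated requests are a separate matter; as the thread notes, those are still rejected at the authentication step.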