Hi Francesco, good to know about the segregation of realms and the code seems pretty clear.
But with version 2.1.3-SNAPSHOT I've created a "simple" user without any Entitlements and, via Swagger, called the realms endpoint, passing his credentials. The method returned a list with all the realms when I expected a 403.

On Fri, Jan 4, 2019 at 9:42 AM Francesco Chicchiriccò <[email protected]> wrote:

> On 04/01/19 09:27, Ciusso Hb wrote:
> > Hi all, I've noticed that the "/realms" REST endpoint needs
> > authentication, but is callable without "REALM_LIST" entitlements, is
> > this by design?
>
> Hi,
> it is not exactly like this: since one admin can own REALM_LIST on a
> folded realm but not on its parent realms, the behavior will return
> restricted realms when non-admin, and full-fledged realms when admin.
>
> Such behavior is implemented by [1] and [2].
>
> > Furthermore, the list of realms returned starts from the root (not only
> > from the realm of the user calling the method).
> >
> > The "/domains" REST endpoint seems to have a similar behavior: return
> > 200 OK with an empty list, but in this case, I think it is intentional
> > because the domain could be used to log in.
>
> Yep, correct.
>
> Regards.
>
> [1] https://github.com/apache/syncope/blob/master/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/RealmLogic.java#L73-L86
> [2] https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/RealmDataBinderImpl.java#L219-L246
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
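A small model of the per-realm rule Francesco describes (REALM_LIST owned on a folded realm but not on its parents yields restricted parent realms and full-fledged authorised ones), added here as an illustration; it is not Syncope's code (the real logic lives in the linked RealmLogic and RealmDataBinderImpl), and the realm names, the entitlement-map shape and the choice to omit realms that are neither authorised nor ancestors are assumptions of this example.

```python
from dataclasses import dataclass

REALM_LIST = "REALM_LIST"  # entitlement name discussed in the thread


@dataclass
class Realm:
    full_path: str        # e.g. "/", "/even", "/even/two"
    description: str = ""  # stands in for the "full-fledged" detail


# Constructed realm tree (assumed, not a Syncope fixture):
# root, one child with a grandchild, and one unrelated sibling.
REALMS = [
    Realm("/", "root realm"),
    Realm("/even", "even realm"),
    Realm("/even/two", "two realm"),
    Realm("/odd", "odd realm"),
]


def _is_self_or_descendant(path: str, ancestor: str) -> bool:
    """True when `path` is `ancestor` itself or lies below it."""
    return path == ancestor or path.startswith(ancestor.rstrip("/") + "/")


def list_realms(entitlements: dict[str, set[str]]) -> list[dict]:
    """Return the realm views a caller is allowed to see.

    `entitlements` maps an entitlement name to the realm paths it is
    owned on.  Assumed model: a realm is "full" when the caller owns
    REALM_LIST on it or on an ancestor; an ancestor of an authorised
    realm is "restricted" (path only, so the tree stays navigable);
    any other realm is omitted.  A caller owning nothing gets [].
    """
    owned = entitlements.get(REALM_LIST, set())
    views = []
    for realm in REALMS:
        full = any(_is_self_or_descendant(realm.full_path, o) for o in owned)
        ancestor = any(_is_self_or_descendant(o, realm.full_path) for o in owned)
        if full:
            views.append({"fullPath": realm.full_path,
                          "description": realm.description,
                          "restricted": False})
        elif ancestor:
            views.append({"fullPath": realm.full_path, "restricted": True})
    return views
```

With this model, a user who owns REALM_LIST only on "/even/two" sees "/" and "/even" restricted, "/even/two" in full and "/odd" not at all, while a user with no entitlements sees nothing, which is the point at which a caller-facing API could decide between an empty list and a 403.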
