-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SO-4113: authorization improvements #880
Conversation
...multiple resources per permission (all or anyof matching)
...multiple resources per permission (all or anyof matching) Fix remaining compile errors and test failures.
Support security filter when searching for resource documents (CodeSystems, Bundles, etc.) which restricts the result set to the allowed resources. Users require either direct access by ID, or transitive access via permission to a container bundle ID otherwise they will receive HTTP 404 messages that the resource is not found (or empty lists if it was a search request).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
GetResourceRequest
should also implement AccessControl
, the same way as UpdateRequest
does; I think I saw some sub-classes in the other repository where the implements
keyword was removed entirely.
*/ | ||
protected final void addSecurityFilter(ExpressionBuilder queryBuilder, User user) { | ||
if (!user.isAdministrator() && !user.hasPermission(Permission.requireAll(Permission.OPERATION_BROWSE, Permission.ALL))) { | ||
Set<String> permittedResourceIds = user.getPermissions().stream().flatMap(p -> p.getResources().stream()).collect(Collectors.toSet()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does having any sort of permission on a resource imply BROWSE
rights? With the currently used operations (edit, import, export, version, promote task, classify), it feels so.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, if you have at least one permission with other than the browse
scope that includes the browse
scope as well. For example, you would not be able to edit a resource without reading it first if this wasn't true.
|
||
@Override | ||
public final String getPermission() { | ||
if (permission == null) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For thread safety reasons, this should be put into a memoizing Supplier
instead.
@@ -50,7 +54,10 @@ public String getUsername() { | |||
|
|||
@JsonIgnore | |||
public List<Permission> getPermissions() { | |||
return getRoles().stream().flatMap(role -> role.getPermissions().stream()).distinct().collect(Collectors.toList()); | |||
if (permissions == null) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here.
Unfortunately, we cannot apply the same pattern there because certain subclasses (like |
@apeteri fixed (or answered) all requested changes (comments). |
Codecov Report
@@ Coverage Diff @@
## 8.x #880 +/- ##
============================================
+ Coverage 62.46% 62.61% +0.14%
- Complexity 11465 11520 +55
============================================
Files 1709 1712 +3
Lines 55001 55072 +71
Branches 5267 5274 +7
============================================
+ Hits 34359 34485 +126
+ Misses 18467 18401 -66
- Partials 2175 2186 +11
Continue to review full report at Codecov.
|
|
This PR introduces new authorization options to allow/restrict access to server resources.
Access tokens describe the necessary scopes to give access to certain resources, either by:
bundleId
parent for now)*
)