Securing APIs by default
Activity
carmentrazza November 9, 2020 at 2:06 PM
I added all permissions in the ModuleDescriptor-template.json
Ann-Marie Breaux June 15, 2020 at 12:33 PM
Hi @David Crossley Thank you for the feedback
@Tiziana Possemato and @carmentrazza I've added to the MARCcat-Bib epic and assigned AtCult as the dev team. Thanks, A-M
David Crossley June 15, 2020 at 4:51 AM
@carmentrazza and @Tiziana Possemato Please note the comment in mod-marccat/pull/426 – the change there was only a temporary workaround to add empty "permissionsRequired" to enable FOLIO-2633 to proceed.
Your team now needs to determine the proper permissionsRequired for the endpoints that are provided by mod-marccat.
carmentrazza June 11, 2020 at 12:52 PM
I will update the README.md file as in the example you suggested. Thanks
Hongwei Ji June 11, 2020 at 12:17 PM
A documentation example in another project: https://github.com/folio-org/mod-codex-inventory#decisions
Done
Details
Assignee
Unassigned
Reporter
Hongwei Ji
Labels
Priority
Development Team
@cult
Created June 5, 2020 at 9:56 AM
Updated November 9, 2020 at 2:34 PM
Resolved November 9, 2020 at 2:34 PM
Per OKAPI-767 (https://folio-org.atlassian.net/browse/OKAPI-767), all public APIs should be protected by default. That means the field permissionsRequired is required when defining non-system APIs in the handlers section of the module descriptor. If there is a strong technical reason that an API cannot be protected, for example /authn/login, use "permissionsRequired": [ ] to make it explicit. Note that it is OK to use "permissionsRequired": [ ] for the two APIs /_/ramls and /_/jsonSchemas provided by RMB.
Please fix APIs in https://github.com/folio-org/mod-marccat/blob/master/descriptors/ModuleDescriptor-template.json
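A check for the rule described in this ticket, as an added example that is not code from the ticket, Okapi or mod-marccat: it walks a module descriptor's handlers, flags every non-system handler that has no permissionsRequired list, and separately lists the handlers that are explicitly left open with an empty list. The sample descriptor, its interface ids, paths and permission names are constructed, and treating an interface as a system one when its interfaceType is "system" is an assumption.

```python
import json

# Constructed sample descriptor (not mod-marccat's real one); interface ids,
# paths and permission names are made up for illustration.
SAMPLE = json.loads("""
{"id": "mod-example-1.0.0", "provides": [
  {"id": "records", "version": "1.0", "handlers": [
    {"methods": ["GET"], "pathPattern": "/records",
     "permissionsRequired": ["example.records.collection.get"]},
    {"methods": ["POST"], "pathPattern": "/records"},
    {"methods": ["DELETE"], "pathPattern": "/records/{id}",
     "permissionsRequired": null}]},
  {"id": "_jsonSchemas", "version": "1.0", "interfaceType": "multiple",
   "handlers": [{"methods": ["GET"], "pathPattern": "/_/jsonSchemas",
                 "permissionsRequired": []}]},
  {"id": "_tenant", "version": "1.2", "interfaceType": "system",
   "handlers": [{"methods": ["POST"], "pathPattern": "/_/tenant"}]}
]}
""")


def audit_permissions(descriptor):
    """Return (missing, explicitly_open) lists of 'METHODS path' strings.

    Assumption: an interface is a system one when interfaceType == "system".
    """
    missing, explicitly_open = [], []
    for iface in descriptor.get("provides", []):
        if iface.get("interfaceType") == "system":
            continue  # system APIs are outside the rule
        for h in iface.get("handlers", []):
            label = "{} {}".format(",".join(h.get("methods", ["*"])),
                                   h.get("pathPattern") or h.get("path"))
            perms = h.get("permissionsRequired")
            if not isinstance(perms, list):
                missing.append(label)  # absent or not a list: fails the rule
            elif not perms:
                explicitly_open.append(label)  # allowed only with a reason
    return missing, explicitly_open


if __name__ == "__main__":
    missing, open_ = audit_permissions(SAMPLE)
    for m in missing:
        print("MISSING permissionsRequired:", m)
    for o in open_:
        print("explicitly unprotected, needs a documented reason:", o)
    raise SystemExit(1 if missing else 0)
```

The non-zero exit status on any missing field lets the check fail a build, while the explicitly open list gives reviewers the short set of endpoints whose justification should appear in the README.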