Securing APIs by default
Activity
Marc Johnson June 5, 2020 at 3:04 PM
@Cate Boerema @Jakub Skoczen @Zak Burke
Do we want to secure the Codex search in any way?
Alternatively, is it acceptable that any user can submit a search to Codex and rely on whether they have inventory-storage permissions to dictate if they get results?
Marc Johnson June 4, 2020 at 2:27 PM
@Adam Dickmeiss
If (as I believe @Hongwei Ji suggested) I do not add an empty array for required permissions and instead choose to secure these endpoints with permissions, does that mean that mod-codex-mux will need these added to the module permissions for its endpoints, otherwise codex searches will fail?
Details
Status: Done
Assignee: Marc Johnson
Reporter: Hongwei Ji
Development Team: Prokopovych
Created April 24, 2020 at 11:25 PM
Updated June 10, 2020 at 1:56 PM
Resolved June 10, 2020 at 1:56 PM
Description
Per https://folio-org.atlassian.net/browse/OKAPI-767, all public APIs should be protected by default. That means the field permissionsRequired is mandatory when defining non-system APIs in the handlers section of the module descriptor. If there is a strong technical reason that an API cannot be protected (for example, /authn/login), use "permissionsRequired": [] to make this explicit.
Please fix the following APIs in this module:
"/codex-instances", "/codex-instances/{id}"
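A check of the kind this ticket asks for, added here as an example and not code from mod-codex-mux or Okapi: it scans a ModuleDescriptor's handlers for a missing permissionsRequired field, treats an explicit empty array as the deliberate opt-out described above, and skips system interfaces and system-type handlers. The descriptor below is constructed; the module id and paths are placeholders apart from the two codex endpoints named in the ticket.

```python
import json

# Constructed ModuleDescriptor fragment (not the real mod-codex-mux descriptor).
# The two codex handlers omit permissionsRequired, /authn/login opts out
# explicitly with an empty array, and the _tenant interface is a system
# interface that the rule does not apply to.
SAMPLE_DESCRIPTOR = json.dumps({
    "id": "mod-example-1.0.0",
    "provides": [
        {"id": "codex", "version": "3.3", "handlers": [
            {"methods": ["GET"], "pathPattern": "/codex-instances"},
            {"methods": ["GET"], "pathPattern": "/codex-instances/{id}"},
        ]},
        {"id": "login", "version": "1.0", "handlers": [
            {"methods": ["POST"], "pathPattern": "/authn/login",
             "permissionsRequired": []},
        ]},
        {"id": "_tenant", "version": "1.2", "interfaceType": "system",
         "handlers": [
            {"methods": ["POST"], "pathPattern": "/_/tenant"},
        ]},
    ],
})


def unprotected_handlers(descriptor_json):
    """Return (interface id, pathPattern) pairs for every non-system handler
    that lacks permissionsRequired altogether. An empty array is accepted as
    an explicit, reviewable decision; an absent key is the finding."""
    descriptor = json.loads(descriptor_json)
    findings = []
    for iface in descriptor.get("provides", []):
        # System interfaces (_tenant, _timer, ...) are called by Okapi itself.
        if iface.get("interfaceType") == "system":
            continue
        for handler in iface.get("handlers", []):
            # Individual handlers can also be marked as system-type.
            if handler.get("type") == "system":
                continue
            if "permissionsRequired" not in handler:
                findings.append((iface["id"], handler["pathPattern"]))
    return findings


if __name__ == "__main__":
    for iface_id, path in unprotected_handlers(SAMPLE_DESCRIPTOR):
        print(f"{iface_id}: {path} has no permissionsRequired")
```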