Securing APIs by default

Description

Per OKAPI-767, all public APIs should be protected by default. That means the field permissionsRequired is required when defining non-system APIs in the handlers section of the module descriptor. If there is a strong technical reason that an API cannot be protected, for example /authn/login, use "permissionsRequired": [ ] to make it explicit. Note that it is OK to use "permissionsRequired": [ ] for the two APIs /_/ramls and /_/jsonSchemas provided by RMB.

Please fix the following APIs in this module

Environment

None

Potential Workaround

None
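
A descriptor check for the rule in the description, as an added example that is not part of the original issue or of FOLIO's own tooling. It flags handlers on non-system interfaces that omit permissionsRequired, and lists explicitly open handlers that are not on a reviewed allowlist. The sample descriptor, its permission names, the function name audit_descriptor and the allowed_open parameter are constructed for illustration, and the check assumes system interfaces are marked with "interfaceType": "system".

```python
import json
import sys

# Constructed sample descriptor for illustration (not a real FOLIO module).
SAMPLE_DESCRIPTOR = json.loads("""
{"id": "mod-example-1.0.0", "provides": [
  {"id": "example-items", "version": "1.0", "handlers": [
    {"methods": ["GET"], "pathPattern": "/example/items",
     "permissionsRequired": ["example.items.collection.get"]},
    {"methods": ["POST"], "pathPattern": "/example/items"},
    {"methods": ["GET"], "pathPattern": "/example/status",
     "permissionsRequired": []}]},
  {"id": "login", "version": "1.0", "handlers": [
    {"methods": ["POST"], "pathPattern": "/authn/login",
     "permissionsRequired": []}]},
  {"id": "_tenant", "version": "1.2", "interfaceType": "system", "handlers": [
    {"methods": ["POST"], "pathPattern": "/_/tenant"}]}
]}
""")


def audit_descriptor(descriptor, allowed_open=frozenset()):
    """Return (missing, unreviewed_open) as lists of 'METHODS path' strings.

    missing: handler has no permissionsRequired list at all (rule violation).
    unreviewed_open: handler is explicitly open ([]) but its pathPattern is
    not in allowed_open, so the justification still needs a review.
    """
    missing, unreviewed_open = [], []
    for interface in descriptor.get("provides", []):
        # Assumption: system interfaces carry "interfaceType": "system".
        if interface.get("interfaceType") == "system":
            continue
        for handler in interface.get("handlers", []):
            path = handler.get("pathPattern", "<no pathPattern>")
            label = f'{",".join(handler.get("methods", []))} {path}'
            perms = handler.get("permissionsRequired")
            if not isinstance(perms, list):
                missing.append(label)  # absent or malformed field
            elif not perms and path not in allowed_open:
                unreviewed_open.append(label)
    return missing, unreviewed_open


if __name__ == "__main__":
    missing, unreviewed = audit_descriptor(SAMPLE_DESCRIPTOR, {"/authn/login"})
    for label in missing:
        print(f"MISSING permissionsRequired: {label}")
    for label in unreviewed:
        print(f"OPEN without allowlist entry: {label}")
    sys.exit(1 if missing or unreviewed else 0)
```

Run in CI against the module's descriptor file, the non-zero exit code fails the build until every handler is either protected or explicitly reviewed as open.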


Activity


David Crossley June 11, 2020 at 6:22 AM

Added temporary empty permissionsRequired to enable FOLIO-2633 to proceed.

Created June 5, 2020 at 9:52 AM
Updated March 17, 2021 at 2:39 PM