Securing APIs by default
Development Team: Core: Platform
Story Points: 0.5
Activity
Natalia Zaitseva May 13, 2020 at 9:57 AM
Thank you.
Hongwei Ji May 12, 2020 at 6:44 PM
Discussed with the core platform team; it is OK to use "permissionsRequired": [ ] for those two RMB-provided APIs: /_/jsonSchemas and /_/ramls.
Hongwei Ji May 12, 2020 at 1:05 PM
I will check with other core platform team members and get back to you.
Natalia Zaitseva May 12, 2020 at 10:38 AM
Hi. I do have a question related to the permissionsRequired section in the ModuleDescriptor file. As the "/_/jsonSchemas" and "/_/ramls" endpoints are actually provided by the RMB module, won't it be useful to handle it inside RMB instead of introducing a new permission inside each module? Or, at least, have a common approach for those modules:
either use the same permission name for all modules that use RMB's endpoints
or use an empty permissionsRequired section for them.
What are your thoughts about it?
Per OKAPI-767, all public APIs should be protected by default. That means the permissionsRequired field is required when defining non-system APIs in the handlers section of the module descriptor. If there is a strong technical reason that an API cannot be protected, for example, /authn/login, use "permissionsRequired": [ ] to make it explicit. Note that it is OK to use "permissionsRequired": [ ] for the two APIs /_/ramls and /_/jsonSchemas provided by RMB.
Please fix the following APIs in this module
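One way to check a module descriptor against the rule in the description above, as an added example that is not part of the original ticket or of Okapi. It assumes that "system" APIs are the interfaces declared with interfaceType "system" and that the RMB paths are written /_/ramls and /_/jsonSchemas; the function name, the sample descriptor and its permission names are constructed for illustration.

```python
# Paths the ticket allows to stay explicitly unprotected (RMB-provided).
OPEN_OK = {"/_/ramls", "/_/jsonSchemas"}

def audit_descriptor(descriptor, open_ok=OPEN_OK):
    """Return (problem, interface id, methods, path) for each handler breaking the rule."""
    findings = []
    for iface in descriptor.get("provides", []):
        # Assumption: "system" APIs are interfaces with interfaceType "system".
        if iface.get("interfaceType") == "system":
            continue
        for handler in iface.get("handlers", []):
            path = handler.get("pathPattern") or handler.get("path")
            methods = ",".join(handler.get("methods", []))
            perms = handler.get("permissionsRequired")
            if not isinstance(perms, list):
                # Field absent (or not an array): protection was never declared.
                findings.append(("missing", iface.get("id"), methods, path))
            elif not perms and path not in open_ok:
                # Explicitly open: allowed, but needs a documented technical reason.
                findings.append(("explicitly-open", iface.get("id"), methods, path))
    return findings

# Constructed descriptor: module id, paths and permission names are made up.
SAMPLE = {
    "id": "mod-example-1.0.0",
    "provides": [
        {"id": "example", "version": "1.0", "handlers": [
            {"methods": ["GET"], "pathPattern": "/example/items",
             "permissionsRequired": ["example.items.collection.get"]},
            {"methods": ["POST"], "pathPattern": "/example/items"},
            {"methods": ["GET"], "pathPattern": "/example/status",
             "permissionsRequired": []},
        ]},
        {"id": "_jsonSchemas", "version": "1.0", "interfaceType": "multiple", "handlers": [
            {"methods": ["GET"], "pathPattern": "/_/jsonSchemas",
             "permissionsRequired": []},
        ]},
        {"id": "_tenant", "version": "1.2", "interfaceType": "system", "handlers": [
            {"methods": ["POST"], "pathPattern": "/_/tenant"},
        ]},
    ],
}

if __name__ == "__main__":
    for problem, iface_id, methods, path in audit_descriptor(SAMPLE):
        print(f"{problem:16} {iface_id:12} {methods:6} {path}")
```

A "missing" finding is a handler to fix; an "explicitly-open" finding is a handler whose empty array should be confirmed against a stated technical reason, as the description requires for cases like /authn/login.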