-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API allows all users to access and change all the data #26
Comments
While looking at this I've noticed none of the fields in the database table |
Using a combination of the JWT accessToken and subject map I can identify a user, map them to a database id and thus filter what they can see. This works with any GET requests, but PUT and POST requests don't seem to have an accessToken - its contents are null. I'm now trying to find out why. |
it is because only the GET method has the |
I thought that might have something to do with it, but when I put |
In ngot. We had to list the authorised calls in a config file for the key
cloak. Memory of what its called alas isn't at my fore front.
Alan
…On Fri, 22 Mar 2024, 09:15 AllanEngland, ***@***.***> wrote:
I thought that might have something to do with it, but when I put
@RolesAllowed("default-roles-orppst") on a PUT or POST method it returns
a 401 unauthorised error.
—
Reply to this email directly, view it on GitHub
<#26 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABZMFSFAVHPF3LZNTT55CTTYZPZEDAVCNFSM6AAAAABE7E3KZSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMJUGY3DSMBSG4>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
Didn't intend to close this issue, still outstanding;
|
it is not necessarily dependent on the verbs, but rather the content type see fabien0102/openapi-codegen#240
I have already fixed the tests
|
This has been superseded by issue #43 |
Authenticated users should be restricted in what they can see and do.
Roles may be needed for a full implementation, but in the first instance an investigator should not be able to see and edit proposals they are not associated with.
The text was updated successfully, but these errors were encountered: