Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

API allows all users to access and change all the data #26

Closed
AllanEngland opened this issue Mar 20, 2024 · 8 comments · Fixed by #30
Closed

API allows all users to access and change all the data #26

AllanEngland opened this issue Mar 20, 2024 · 8 comments · Fixed by #30
Assignees

Comments

@AllanEngland
Copy link
Contributor

Authenticated users should be restricted in what they can see and do.

Roles may be needed for a full implementation, but in the first instance an investigator should not be able to see and edit proposals they are not associated with.

@AllanEngland
Copy link
Contributor Author

While looking at this I've noticed none of the fields in the database table Person other than the primary key (ID) are unique, so more than one entry can have the same email address or orchid id.

@AllanEngland
Copy link
Contributor Author

Using a combination of the JWT accessToken and subject map I can identify a user, map them to a database id and thus filter what they can see.

This works with any GET requests, but PUT and POST requests don't seem to have an accessToken - its contents are null. I'm now trying to find out why.

@AllanEngland AllanEngland self-assigned this Mar 21, 2024
@pahjbo
Copy link
Member

pahjbo commented Mar 22, 2024

Using a combination of the JWT accessToken and subject map I can identify a user, map them to a database id and thus filter what they can see.

This works with any GET requests, but PUT and POST requests don't seem to have an accessToken - its contents are null. I'm now trying to find out why.

it is because only the GET method has the @RolesAllowed annotation, so it is the only one that requires authentication ATM

@AllanEngland
Copy link
Contributor Author

I thought that might have something to do with it, but when I put @RolesAllowed("default-roles-orppst") on a PUT or POST method it returns a 401 unauthorised error.

@alan-stokes
Copy link
Contributor

alan-stokes commented Mar 22, 2024 via email

@AllanEngland
Copy link
Contributor Author

Didn't intend to close this issue, still outstanding;

  • Authorisation around PUTs, POSTs and DELETEs
  • Fix the unit tests, currently fail due to lack of user data (UUID) in the web token.
  • Standardise responses so endpoints throw appropriate WebApplicationException for auth errors.

@AllanEngland AllanEngland reopened this Apr 4, 2024
@pahjbo
Copy link
Member

pahjbo commented Apr 4, 2024

Didn't intend to close this issue, still outstanding;

  • Authorisation around PUTs, POSTs and DELETEs

it is not necessarily dependent on the verbs, but rather the content type see fabien0102/openapi-codegen#240

  • Fix the unit tests, currently fail due to lack of user data (UUID) in the web token.

I have already fixed the tests

  • Standardise responses so endpoints throw appropriate WebApplicationException for auth errors.

@AllanEngland
Copy link
Contributor Author

This has been superseded by issue #43

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants