- Feature Request
- Resolution: Fixed
- L3 - Default
- None
- None
AT:
- Extend https://docs.camunda.org/manual/7.10/reference/rest/authorization/get-check/ such that the user for which to check authorization can be defined as a query parameter
- If the user to be checked has the requested permission, but the requesting user is not allowed to read that permission, then the result should be "not authorized"
Context:
- Cawemo and Optimize use the platform's user and permission management
- so far, the way to achieve that is to make user and authorization queries and evaluate the access check logic on their side, which is inefficient, complicated and error-prone for a security-critical task
[CAM-9532] REST endpoint that checks if a userId is authorised to access a resourceId and resourceType
Description |
Original:
h5. *Problem*
We currently have: *GET /authorization* that accepts also a list of users: _userIdIn_ https://docs.camunda.org/manual/7.9/reference/rest/authorization/get-query/
The problem with this one is that it only returns all the authorizations, but it doesn't actually find an authorization for a user id unless there is a specific authorization defined for that _userId_ (not for a _groupId_ of which that user is a member).
Example:
h5. *Given*
- a group: _cool people_
- _Lisa_ is a member of group _cool people_
- an _Application_ (type=0) authorization for group _cool people_ to _cockpit_
h5. *When*
I request: http://localhost:8050/engine-rest/authorization?resourceId=cockpit&resourceType=0
then I get:
{noformat}
[
  {
    id: "b12ac05e-ec14-11e8-9fcc-0242ac160005",
    type: 1,
    permissions: [ "ALL" ],
    userId: null,
    *groupId: "cool people",*
    resourceType: 0,
    resourceId: "cockpit"
  }
]
{noformat}
which is ok
h5. *But When*
I request: http://localhost:8050/engine-rest/authorization?resourceId=cockpit&resourceType=0&*userIdIn=lisa*
then I get
{noformat}
[ ]
{noformat}
h5. *Request*
I would really appreciate if we would have an endpoint exposed where I can just check if a `userId` has access to some resourceId and resourceType and would respond to me with true or false. Optimize is already making the workaround and getting the groups and then searching which users are in those groups and so on. And for Cawemo we are doing the same for our Enterprise MVP. Would be nice if we would have such an endpoint exposed so we won't need to make workarounds and have duplicate code in both that does that. Thank you guys!! :D |
New:
h5. *Problem*
We currently have: *GET /authorization* that accepts also a list of users: _userIdIn_ https://docs.camunda.org/manual/7.9/reference/rest/authorization/get-query/
The problem with this one is that it only returns all the authorizations, but it doesn't actually find that a user id is authorized unless there is a specific authorization defined for that _userId_ (not for a _groupId_ of which that user is a member).
Example:
h5. *Given*
- a group: _cool people_
- _Lisa_ is a member of group _cool people_
- an _Application_ (type=0) authorization for group _cool people_ to _cockpit_
h5. *When*
I request: http://localhost:8050/engine-rest/authorization?resourceId=cockpit&resourceType=0
then I get:
{noformat}
[
  {
    id: "b12ac05e-ec14-11e8-9fcc-0242ac160005",
    type: 1,
    permissions: [ "ALL" ],
    userId: null,
    *groupId: "cool people",*
    resourceType: 0,
    resourceId: "cockpit"
  }
]
{noformat}
which is ok
h5. *But When*
I request: http://localhost:8050/engine-rest/authorization?resourceId=cockpit&resourceType=0&*userIdIn=lisa*
then I get
{noformat}
[ ]
{noformat}
h5. *Request*
I would really appreciate if we would have an endpoint exposed where I can just check if a `userId` has access to some resourceId and resourceType and would respond to me with true or false. Optimize is already making the workaround and getting the groups and then searching which users are in those groups and so on. And for Cawemo we are doing the same for our Enterprise MVP. Would be nice if we would have such an endpoint exposed so we won't need to make workarounds and have duplicate code in both that does that. Thank you guys!! :D |
Assignee | New: Thorben Lindhauer [ thorben.lindhauer ] |
Fix Version/s | New: 7.11.0 [ 15343 ] |
Description |
New:
AT:
* Extend https://docs.camunda.org/manual/7.10/reference/rest/authorization/get-check/ such that the user for which to check authorization can be defined as a query parameter
* If the user to be checked has the requested permission, but the requesting user is not allowed to read that permission, then the result should be "not authorized"
Context:
* Cawemo and Optimize use the platform's user and permission management
* so far, the way to achieve that is to make user and authorization queries and evaluate the access check logic on their side, which is inefficient, complicated and error-prone for a security-critical task
h5. *Problem*
We currently have: *GET /authorization* that accepts also a list of users: _userIdIn_ https://docs.camunda.org/manual/7.9/reference/rest/authorization/get-query/
The problem with this one is that it only returns all the authorizations, but it doesn't actually find that a user id is authorized unless there is a specific authorization defined for that _userId_ (not for a _groupId_ of which that user is a member).
Example:
h5. *Given*
- a group: _cool people_
- _Lisa_ is a member of group _cool people_
- an _Application_ (type=0) authorization for group _cool people_ to _cockpit_
h5. *When*
I request: http://localhost:8050/engine-rest/authorization?resourceId=cockpit&resourceType=0
then I get:
{noformat}
[
  {
    id: "b12ac05e-ec14-11e8-9fcc-0242ac160005",
    type: 1,
    permissions: [ "ALL" ],
    userId: null,
    *groupId: "cool people",*
    resourceType: 0,
    resourceId: "cockpit"
  }
]
{noformat}
which is ok
h5. *But When*
I request: http://localhost:8050/engine-rest/authorization?resourceId=cockpit&resourceType=0&*userIdIn=lisa*
then I get
{noformat}
[ ]
{noformat}
h5. *Request*
I would really appreciate if we would have an endpoint exposed where I can just check if a `userId` has access to some resourceId and resourceType and would respond to me with true or false.
Optimize is already making the workaround and getting the groups and then searching which users are in those groups and so on. And for Cawemo we are doing the same for our Enterprise MVP. Would be nice if we would have such an endpoint exposed so we won't need to make workarounds and have duplicate code in both that does that. Thank you guys!! :D |
Description |
New:
AT:
* Extend https://docs.camunda.org/manual/7.10/reference/rest/authorization/get-check/ such that the user for which to check authorization can be defined as a query parameter
* If the user to be checked has the requested permission, but the requesting user is not allowed to read that permission, then the result should be "not authorized"
Context:
* Cawemo and Optimize use the platform's user and permission management
* so far, the way to achieve that is to make user and authorization queries and evaluate the access check logic on their side, which is inefficient, complicated and error-prone for a security-critical task |
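The two behaviours the ticket contrasts, as an added Python model that is not Camunda's code: a `userIdIn` filter only matches authorizations stored against that exact user, while a group-aware check resolves Lisa's membership in "cool people", and the acceptance criterion makes a positive answer conditional on the requester being allowed to read that authorization. Function names, the `optimize-service` user, the READ-on-Authorization simplification and the resource type id 4 are assumptions of this example; only Application (0) and the GRANT type (1) come from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

GLOBAL, GRANT = 0, 1        # authorization types; the ticket's JSON shows a GRANT ("type": 1)
APPLICATION, AUTHORIZATION = 0, 4   # resource types: 0 is on the page, 4 is assumed (engine's Resources enum)
ALL = "ALL"

@dataclass
class Authorization:
    type: int
    resource_type: int
    resource_id: str        # "*" matches every resource of that type
    permissions: Set[str]
    user_id: Optional[str] = None
    group_id: Optional[str] = None

def is_authorized(auths: List[Authorization], groups_of: Dict[str, Set[str]], user_id: str,
                  permission: str, resource_type: int, resource_id: str) -> bool:
    """Group-aware check: a GRANT for the user or one of the user's groups, or a GLOBAL
    authorization, suffices. REVOKE precedence is left out of this simplified model."""
    groups = groups_of.get(user_id, set())
    for a in auths:
        principal_ok = a.type == GLOBAL or a.user_id == user_id or (
            a.group_id is not None and a.group_id in groups)
        resource_ok = a.resource_type == resource_type and a.resource_id in (resource_id, "*")
        if principal_ok and resource_ok and (ALL in a.permissions or permission in a.permissions):
            return True
    return False

def check_authorization(auths, groups_of, requesting_user: str, user_id: str,
                        permission: str, resource_type: int, resource_id: str) -> bool:
    """The acceptance criterion: answer "authorized" only if the target user has the
    permission AND the requester may read it. Assumed simplification: the requester
    needs READ on the Authorization resource."""
    if not is_authorized(auths, groups_of, requesting_user, "READ", AUTHORIZATION, "*"):
        return False   # callers who may not read the authorization learn nothing about it
    return is_authorized(auths, groups_of, user_id, permission, resource_type, resource_id)

def direct_user_query(auths: List[Authorization], user_id: str) -> List[Authorization]:
    """What GET /authorization?userIdIn=lisa does: rows with exactly that userId, no groups."""
    return [a for a in auths if a.user_id == user_id]

# Constructed sample data mirroring the ticket: lisa is in "cool people", which is granted
# ALL on the cockpit application; a service user (assumed name) may read authorizations.
AUTHS = [Authorization(GRANT, APPLICATION, "cockpit", {ALL}, group_id="cool people"),
         Authorization(GRANT, AUTHORIZATION, "*", {"READ"}, user_id="optimize-service")]
GROUPS = {"lisa": {"cool people"}}
```

`direct_user_query(AUTHS, "lisa")` is the empty list from the ticket, whereas `is_authorized(AUTHS, GROUPS, "lisa", "ACCESS", APPLICATION, "cockpit")` is true through the group grant.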
Summary | Original: New REST endpoint that checks if a userId is authorised to access a resourceId and resourceType | New: REST endpoint that checks if a userId is authorised to access a resourceId and resourceType |
Assignee | Original: Thorben Lindhauer [ thorben.lindhauer ] | New: Yana Vasileva [ yana.vasileva ] |
Labels | Original: backend rest-api |
Component/s | New: engine [ 11656 ] |
Component/s | Original: admin [ 12059 ] |