
REST API: Design for permissions [was: Authentication: can delete project from different user.]

Open ddmesh opened this issue 4 years ago • 4 comments

Hi,

I have created two users and added a unique token to each. Both users belong to the same group with the following rights:

- auth | group | Can view group
- auth | permission | Can view permission
- auth | user | Can view user
- authtoken | token | Can view token
- contenttypes | content type | Can view content type
- scan | Can add scan
- scan | Can change scan
- scan | Can delete scan
- scan | Can view scan
- scanpipe | codebase resource | Can add codebase resource
- scanpipe | codebase resource | Can view codebase resource
- scanpipe | project | Can add project
- scanpipe | project | Can delete project
- scanpipe | project | Can view project
- scanpipe | project error | Can view project error
- scanpipe | run | Can add run
- scanpipe | run | Can view run

Then I created a project (curl form-based upload and start pipeline in one call) with the token from user1 and uploaded an archive. Same for user2 (with his token). Authentication is enabled, and a valid token is required when requesting information.

I then tried to delete a project with the token from user 2, but a project created with the token from user 1. While the scan was still running, I always got an HTML page with error code 500. I waited longer, and when the scan was finished I tried the same command again (delete a project created by a different user's token). Expected: JSON with an error.

Result: the project was deleted. Expected: an error (a project should only be deletable with the same token it was created with).

Cheers, Stephan

ddmesh, Sep 22 '21 12:09

@ddmesh User permission is not implemented at this time.

tdruez, Sep 22 '21 15:09

hah, that's why it isn't working 😊 Hope it is already on your todo list. Do you already have an idea when it will be implemented?

ddmesh, Sep 22 '21 19:09

@ddmesh it's on the list but I cannot give you an ETA as we need to design the feature first. Your input is more than welcome on that part :)

tdruez, Sep 23 '21 06:09

Status for now: we have implemented authentication, but we have not yet designed permissions. This requires design, and I am updating the title to reflect this.

pombredanne, Apr 15 '22 08:04
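The reported behaviour follows from the setup in the issue: the group grants the model-level permission "scanpipe | project | Can delete project", which says nothing about which project, so any holder of that permission can delete any project. The design the thread asks for is an object-level check on top of it. The sketch below is an added example and is not ScanCode.io code; it stands in for Django's User/Group model and for the Project model with plain dataclasses, assumes a hypothetical `created_by` field on Project, and assumes a design choice that a project with a running pipeline is refused with a JSON-style error rather than an HTML 500 page. In Django REST Framework the object-level part would live in a permission class's `has_object_permission` method.

```python
"""
Added example (not ScanCode.io code): model-level vs object-level permission
check for deleting a project. User, Project and GROUP_PERMS are stand-ins
for Django's auth models and the issue's group setup; `created_by` is an
assumed field that the issue's schema does not show.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    username: str
    # Model-level permissions granted via groups, e.g. "scanpipe.delete_project".
    perms: frozenset = field(default_factory=frozenset)
    is_superuser: bool = False

    def has_perm(self, perm: str) -> bool:
        # Mirrors the shape of Django's model-level check: no object involved.
        return self.is_superuser or perm in self.perms


@dataclass
class Project:
    name: str
    created_by: User  # assumed field: who created the project (owner)
    is_running: bool = False  # a pipeline run is still in progress


# The permissions the issue's group grants to both users: model-level only.
GROUP_PERMS = frozenset({
    "scanpipe.add_project",
    "scanpipe.delete_project",
    "scanpipe.view_project",
})


def can_delete_project(user: User, project: Project) -> tuple[bool, str]:
    """Two-layer deletion check.

    Layer 1 (model-level, what the issue's setup already has): does the
    caller hold scanpipe.delete_project at all?
    Layer 2 (object-level, what the issue asks for): is the caller the
    creator of *this* project, or a superuser?
    Returns (allowed, reason) so an API view can turn the reason into a
    JSON error body instead of an HTML error page.
    """
    if not user.has_perm("scanpipe.delete_project"):
        return False, "missing model permission scanpipe.delete_project"
    if project.is_running:
        # Assumed design choice: refuse cleanly while a pipeline is running.
        return False, "project has a running pipeline; stop it first"
    if user.is_superuser or project.created_by == user:
        return True, "ok"
    return False, f"project {project.name!r} was not created by {user.username!r}"


def scenario_from_issue() -> dict:
    """Replays the two-user scenario from the issue on constructed data."""
    user1 = User("user1", GROUP_PERMS)
    user2 = User("user2", GROUP_PERMS)
    project = Project("archive-from-user1", created_by=user1)
    return {
        "user2_deletes_user1_project": can_delete_project(user2, project),
        "user1_deletes_own_project": can_delete_project(user1, project),
    }


if __name__ == "__main__":
    for label, (allowed, reason) in scenario_from_issue().items():
        print(f"{label}: {'allowed' if allowed else 'denied'} ({reason})")
```

The point of the two layers is that the model-level permission the group already grants is necessary but not sufficient: without the ownership comparison, user2's token passes the only check that exists and the deletion goes through, which is exactly what the issue reports.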