
Review permission checks on actions #279

@qifeng-bai

Description


Done: the value of username is not consistent. Some are the identity, some the email, some the full name.
ManagementController.list line 227 uses the email.

Added a new method to get the user email for ManagementController; the other callers use the full name.

ROLE_ADMIN always has full permissions
Only /dataResource/xx requires ala/internal scope

2. In EditRoleInterceptor:

```groovy
EditRoleInterceptor() {
    match(controller: 'collection')
    match(controller: 'institution')
    match(controller: 'contact')
    match(controller: 'licence', action: 'list')
    match(controller: 'licence', action: 'create')
    match(controller: 'licence', action: 'edit')
    match(controller: 'licence', action: 'show')
    match(controller: 'licence', action: 'save')
    match(controller: 'providerGroup')
    match(controller: 'providerMap')
    match(controller: 'providerCode')
    match(controller: 'dataResource')
    match(controller: 'dataProvider')
    match(controller: 'dataHub')
    match(controller: 'reports')
}
```

Added ROLE_ADMIN to LicenceController.delete.

1. In AdminRoleInterceptor, ROLE_ADMIN is required in ManageController except for list and index:

```groovy
AdminRoleInterceptor() {
    match(controller: 'admin')
    match(controller: 'manage')
    match(controller: 'gbif', action: 'healthCheck')       // [done] grailsApplication.config.gbifRegistrationRole
    match(controller: 'gbif', action: 'healthCheckLinked') // [done]
    match(controller: 'gbif', action: 'downloadCSV')       // [done]
}
```

Updated:
GBIF supports grailsApplication.config.gbifRegistrationRole.
Those 5 actions DO NOT ALLOW webservice access.


Webservice enabled

3. In CollectoryWebServicesInterceptor:

ipt asks for ROLE_ADMIN,
syncGBIF asks for the GBIF role,
the others require ROLE_EDITOR.

All methods allow valid WS tokens with the 'ala/internal' scope.

```groovy
CollectoryWebServicesInterceptor() {
    match(controller: 'data', action: 'saveEntity')        // [Done]
    match(controller: 'data', action: 'syncGBIF')          // [Done] GBIF role
    match(controller: 'data', action: 'updateContact')     // [Done]
    match(controller: 'data', action: 'updateContactFor')  // [Done]
    match(controller: 'data', action: 'contacts')          // [Done]
    match(controller: 'gbif', action: 'scan')              // [Done]
    match(controller: 'ipt', action: 'scan')               // [Done] ROLE_ADMIN
}
```
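The rules from sections 1 and 3 above, written as an added example (not the collectory project's own code) in plain Groovy so the permission matrix can be unit-tested outside a Grails interceptor. It assumes roles and token scopes arrive as Sets of strings, and uses GBIF_ROLE as a placeholder for whatever grailsApplication.config.gbifRegistrationRole names.

```groovy
// Added example: the permission matrix in this issue as a pure policy function.
// Assumptions (not on the page): roles/scopes are Sets of strings; GBIF_ROLE stands in
// for the value of grailsApplication.config.gbifRegistrationRole.
class CollectoryPolicy {
    static final String ADMIN = 'ROLE_ADMIN', EDITOR = 'ROLE_EDITOR', GBIF_ROLE = 'ROLE_GBIF'
    static final String INTERNAL = 'ala/internal'

    // AdminRoleInterceptor: ROLE_ADMIN only; web-service tokens are not accepted here.
    static final Set<String> ADMIN_AREA = ['admin/*', 'manage/*'] as Set
    // The three GBIF admin actions additionally accept gbifRegistrationRole (still no WS access).
    static final Set<String> GBIF_ADMIN = ['gbif/healthCheck', 'gbif/healthCheckLinked', 'gbif/downloadCSV'] as Set
    // CollectoryWebServicesInterceptor: role per action; every entry also accepts ala/internal.
    static final Map<String, String> WS_ROLE = [
        'data/saveEntity': EDITOR, 'data/syncGBIF': GBIF_ROLE, 'data/updateContact': EDITOR,
        'data/updateContactFor': EDITOR, 'data/contacts': EDITOR, 'gbif/scan': EDITOR, 'ipt/scan': ADMIN]

    private static boolean hit(Set<String> patterns, String controller, String action) {
        patterns.any { p -> p == "${controller}/*".toString() || p == "${controller}/${action}".toString() }
    }

    /** Returns 'allow', 'deny', or 'pass' (not governed by these two interceptors). */
    static String decide(String controller, String action, Set<String> roles, Set<String> scopes) {
        if (ADMIN in roles) return 'allow'                          // ROLE_ADMIN always has full permissions
        boolean adminOnly = hit(ADMIN_AREA, controller, action) &&
            !(controller == 'manage' && action in ['list', 'index'])  // stated exceptions in manage
        if (adminOnly) return 'deny'                                 // no token scope substitutes here
        if (hit(GBIF_ADMIN, controller, action)) return GBIF_ROLE in roles ? 'allow' : 'deny'
        String need = WS_ROLE["${controller}/${action}".toString()]  // String key: a GString key would miss
        if (need == null) return 'pass'
        if (INTERNAL in scopes) return 'allow'                       // valid WS token with ala/internal
        return need in roles ? 'allow' : 'deny'
    }
}

// Constructed checks, one per rule stated in the issue.
assert CollectoryPolicy.decide('admin', 'index', ['ROLE_ADMIN'] as Set, [] as Set) == 'allow'
assert CollectoryPolicy.decide('admin', 'index', [] as Set, ['ala/internal'] as Set) == 'deny'     // no WS access
assert CollectoryPolicy.decide('manage', 'list', ['ROLE_EDITOR'] as Set, [] as Set) == 'pass'      // list/index exempt
assert CollectoryPolicy.decide('gbif', 'healthCheck', ['ROLE_GBIF'] as Set, [] as Set) == 'allow'
assert CollectoryPolicy.decide('gbif', 'downloadCSV', [] as Set, ['ala/internal'] as Set) == 'deny'
assert CollectoryPolicy.decide('ipt', 'scan', ['ROLE_EDITOR'] as Set, [] as Set) == 'deny'         // needs ROLE_ADMIN
assert CollectoryPolicy.decide('ipt', 'scan', [] as Set, ['ala/internal'] as Set) == 'allow'       // token scope suffices
assert CollectoryPolicy.decide('data', 'syncGBIF', ['ROLE_EDITOR'] as Set, [] as Set) == 'deny'    // needs GBIF role
assert CollectoryPolicy.decide('data', 'contacts', ['ROLE_EDITOR'] as Set, [] as Set) == 'allow'
```

Running the script with `groovy` exercises every branch; an unexpected 'allow' for a web-service token on an admin action is exactly the regression the assertions are there to catch.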
