Currently, the /api/authz/authorizations/search/object endpoint returns a list of matching authorizations only for the individual specified as the "eperson" parameter (or anonymous users if the "eperson" parameter is missing).
This would mean that for the client (e.g. Angular UI) to check the permissions of the currently logged in user, it would need to ensure the current eperson's UUID is passed as a param to this method. While that is not complex, it's duplicative as the current user information already exists in the Authorization header passed on every request (after logged in).
Ideally, this endpoint should default to reading current user information from the Authorization and/or X-on-behalf-of (for "log in as" functionality) headers, so that the client only needs to use the "eperson" parameter if a different user's permissions need to be retrieved.
It should be noted that this would change current behavior, as currently a missing "eperson" param means that the backend should return anonymous access permissions. Because of this, we may want to pass a eperson=anonymous parameter for this scenario.
The overall suggested logic is as follows:
- Use eperson param if it exists (highest priority). A value of eperson=anonymous can be used to check anonymous permissions while logged in.
- Use X-on-behalf-of header if exists & no eperson param
- Use Authorization header if exists, and none of the above
- If nothing above exists, then no one is logged in, so it'd be an anonymous user asking about anonymous permissions. (Or we could choose to throw an error here and only support anonymous queries by using eperson=anonymous)
This effort is not yet estimated & may need further investigation before implementation