DSpace / DS-4527

Authorizations endpoint should also recognize Authorization and X-On-Behalf-Of headers


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Medium
    • Resolution: Duplicate
    • Fix Version/s: None
    • Component/s: REST API v7
    • Labels:
      None
    • Attachments:
      0
    • Comments:
      1
    • Documentation Status:
      Needed

      Description

      Per discussion in Slack on June 15, 2020 between Art Lowel (Atmire), Andrea Bollini (4Science) and myself.

      Currently, the /api/authz/authorizations/search/object endpoint returns a list of matching authorizations only for the individual specified as the "eperson" parameter (or anonymous users if the "eperson" parameter is missing).

      This would mean that for the client (e.g. Angular UI) to check the permissions of the currently logged-in user, it would need to ensure the current eperson's UUID is passed as a param to this method. While that is not complex, it's duplicative, as the current user information already exists in the Authorization header passed on every request (after logging in).

      Ideally, this endpoint should default to reading current user information from the Authorization and/or X-on-behalf-of (for "log in as" functionality) headers, so that the client only needs to use the "eperson" parameter if a different user's permissions need to be retrieved.

      It should be noted that this would change current behavior, as currently a missing "eperson" param means that the backend should return anonymous access permissions. Because of this, we may want to pass an eperson=anonymous parameter for this scenario.

      The overall suggested logic is as follows:

      1. Use eperson param if it exists (highest priority). A value of eperson=anonymous can be used to check anonymous permissions while logged in.
      2. Use X-on-behalf-of header if it exists & no eperson param
      3. Use Authorization header if it exists, and none of the above
      4. If nothing above exists, then no one is logged in, so it'd be an anonymous user asking about anonymous permissions. (Or we could choose to throw an error here and only support anonymous queries by using eperson=anonymous)

      This effort is not yet estimated & may need further investigation before implementation.
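      The precedence rules above, as a worked example. This is added illustration code, not DSpace's own implementation: the token-to-UUID lookup, the impersonation allow-list, the SecurityException on a disallowed X-On-Behalf-Of, and the requireExplicitAnonymous switch (which implements the ticket's alternative of throwing in step 4) are all assumptions standing in for whatever the REST layer actually provides. The bearer tokens and UUIDs in main() are constructed sample data.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;

/**
 * Resolves which EPerson an authorizations search should evaluate, following the
 * four-step precedence proposed in DS-4527. Hypothetical example, not DSpace code.
 */
public class EPersonResolver {

    /** Literal value of the eperson param that asks for anonymous permissions while logged in. */
    public static final String ANONYMOUS = "anonymous";

    /** Result: the EPerson UUID to evaluate (null = anonymous) and which input decided it. */
    public static final class Resolution {
        public final String epersonUuid;
        public final String source;

        Resolution(String epersonUuid, String source) {
            this.epersonUuid = epersonUuid;
            this.source = source;
        }

        public boolean isAnonymous() { return epersonUuid == null; }

        @Override public String toString() {
            return (isAnonymous() ? "anonymous" : epersonUuid) + " (from " + source + ")";
        }
    }

    /** Maps an Authorization header value to the authenticated EPerson UUID (assumed helper; JWT validation would live here). */
    private final Function<String, Optional<String>> authenticate;
    /** UUIDs allowed to use X-On-Behalf-Of (assumed stand-in for the "log in as" permission check). */
    private final Set<String> mayImpersonate;
    /** If true, step 4 throws instead of silently defaulting to anonymous (the ticket's alternative). */
    private final boolean requireExplicitAnonymous;

    public EPersonResolver(Function<String, Optional<String>> authenticate,
                           Set<String> mayImpersonate, boolean requireExplicitAnonymous) {
        this.authenticate = authenticate;
        this.mayImpersonate = mayImpersonate;
        this.requireExplicitAnonymous = requireExplicitAnonymous;
    }

    public Resolution resolve(String epersonParam, String onBehalfOfHeader, String authorizationHeader) {
        // Step 1: an explicit eperson param has highest priority; "anonymous" selects anonymous permissions.
        if (epersonParam != null && !epersonParam.isBlank()) {
            if (ANONYMOUS.equalsIgnoreCase(epersonParam)) {
                return new Resolution(null, "eperson=anonymous");
            }
            return new Resolution(epersonParam, "eperson param");
        }

        // Who is actually calling, according to the Authorization header?
        Optional<String> caller = Optional.ofNullable(authorizationHeader).flatMap(authenticate);

        // Step 2: X-On-Behalf-Of, honoured only for an authenticated caller allowed to impersonate.
        if (onBehalfOfHeader != null && !onBehalfOfHeader.isBlank()) {
            if (caller.isEmpty() || !mayImpersonate.contains(caller.get())) {
                // Refuse rather than silently ignore the header: the client asked about a
                // different identity and must not receive an answer computed for another one.
                throw new SecurityException("X-On-Behalf-Of not permitted for this caller");
            }
            return new Resolution(onBehalfOfHeader, "X-On-Behalf-Of header");
        }

        // Step 3: fall back to the authenticated caller.
        if (caller.isPresent()) {
            return new Resolution(caller.get(), "Authorization header");
        }

        // Step 4: nobody is logged in, so anonymous asks about anonymous (or reject, if configured).
        if (requireExplicitAnonymous) {
            throw new IllegalArgumentException("no user context; pass eperson=anonymous to query anonymous permissions");
        }
        return new Resolution(null, "no user context");
    }

    public static void main(String[] args) {
        // Constructed stand-in for token validation: fixed bearer tokens mapped to EPerson UUIDs.
        Map<String, String> tokens = Map.of(
            "Bearer admin-token", "11111111-1111-1111-1111-111111111111",
            "Bearer user-token",  "22222222-2222-2222-2222-222222222222");
        Function<String, Optional<String>> authenticate = h -> Optional.ofNullable(tokens.get(h));
        EPersonResolver r = new EPersonResolver(
            authenticate, Set.of("11111111-1111-1111-1111-111111111111"), false);

        String other = "33333333-3333-3333-3333-333333333333";
        System.out.println(r.resolve(other, null, "Bearer user-token"));      // step 1: explicit param wins
        System.out.println(r.resolve(ANONYMOUS, null, "Bearer user-token"));  // step 1: anonymous while logged in
        System.out.println(r.resolve(null, other, "Bearer admin-token"));     // step 2: admin acting as another user
        System.out.println(r.resolve(null, null, "Bearer user-token"));       // step 3: current user from the token
        System.out.println(r.resolve(null, null, null));                      // step 4: nobody logged in
        try {
            r.resolve(null, other, "Bearer user-token");                      // non-admin may not impersonate
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      The one deliberate choice beyond the ticket's list is in step 2: a present but unauthorised X-On-Behalf-Of header is rejected instead of being dropped, so a client never gets the caller's own permissions back when it explicitly asked about someone else's.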


            People

            Assignee:
            Unassigned
            Reporter:
            tdonohue Tim Donohue
            Votes:
            0
            Watchers:
            1
