Type: New Feature
Affects Version/s: None
Fix Version/s: 1.2.0
To be specific, we should require authentication for get methods (annotate them with @Authorized without specifying privileges) and the "Manage Metadata Mapping" privilege for write access.
One more thing to consider is that we have a helper method to fetch any metadata object, i.e. getMetadataItem, at https://github.com/openmrs/openmrs-module-metadatamapping/blob/master/api/src/main/java/org/openmrs/module/metadatamapping/api/MetadataMappingService.java#L341
Normally the VIEW_LOCATIONS privilege is required for getting a location, the VIEW_VISIT_TYPES privilege for a visit type, etc.
For the purpose of getMetadataItem(s) I would suggest we have the "View Metadata" privilege.
There is an existing privilege "Metadata Mapping" that does not seem to be used but is created (via config.xml). I suggest we drop this privilege (via liquibase) and use the new and more specific "Manage Metadata Mappings" instead.
The pre-1.1.0 methods in MetadataMappingService, like isAddLocalMappingToConceptOnExport(), do not have any authorization rules. I suggest we apply the same privileges on these methods.
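A reflection check for the policy proposed in this ticket, as an added example that is not part of the ticket or the module's code. It flags service methods that carry no @Authorized and write methods that carry it without a privilege. The `Authorized` annotation here is a local stand-in for `org.openmrs.annotation.Authorized`, `SampleMappingService` with its simplified signatures is constructed, and treating the `save`/`retire`/`purge` name prefixes as write methods is an assumption.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class AuthorizedAudit {
    // Stand-in for org.openmrs.annotation.Authorized so this compiles alone.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface Authorized { String[] value() default {}; }

    // Constructed sample service; signatures are simplified assumptions.
    interface SampleMappingService {
        @Authorized                               // authenticated user, no privilege
        Object getMapping(Integer id);
        @Authorized("Manage Metadata Mapping")    // write access
        Object saveMapping(Object mapping);
        @Authorized("View Metadata")
        Object getMetadataItem(Class<?> type, String source, String code);
        @Authorized                               // write method missing its privilege
        void retireMapping(Object mapping, String reason);
        boolean isAddLocalMappingToConceptOnExport(); // no rule at all
    }

    // Assumed naming convention for methods that modify data.
    static final List<String> WRITE_PREFIXES = Arrays.asList("save", "retire", "purge");

    /** Returns one finding per method that breaks the policy, sorted by name. */
    static List<String> audit(Class<?> service) {
        List<String> findings = new ArrayList<>();
        for (Method m : service.getDeclaredMethods()) {
            Authorized a = m.getAnnotation(Authorized.class);
            boolean write = WRITE_PREFIXES.stream().anyMatch(m.getName()::startsWith);
            if (a == null) {
                findings.add(m.getName() + ": no @Authorized");
            } else if (write && a.value().length == 0) {
                findings.add(m.getName() + ": write method without a privilege");
            }
        }
        Collections.sort(findings);
        return findings;
    }

    public static void main(String[] args) {
        List<String> findings = audit(SampleMappingService.class);
        findings.forEach(System.out::println);
        if (!findings.isEmpty()) System.exit(1); // non-zero exit fails a CI step
    }
}
```

Run against the sample interface, it reports `isAddLocalMappingToConceptOnExport` and `retireMapping`; the same `audit` method can be called from a unit test with the real service interface and annotation on the classpath.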