  1. Metadata Mapping Module
  2. MAP-7

Add authorization rules to new service methods

Details

    • New Feature
    • Status: Closed
    • TBD
    • Resolution: Fixed
    • None
    • 1.2.0
    • None
    • Undetermined

    Description

      From Talk:

      To be specific, we should require authentication for get methods (annotate them with @Authorized without specifying privileges) and the "Manage Metadata Mapping" privilege for write access.

      One more thing to consider is that we have a helper method to fetch any metadata object, i.e. getMetadataItem, at https://github.com/openmrs/openmrs-module-metadatamapping/blob/master/api/src/main/java/org/openmrs/module/metadatamapping/api/MetadataMappingService.java#L341
      Normally the VIEW_LOCATIONS privilege is required for getting a location, the VIEW_VISIT_TYPES privilege for a visit type, etc.
      For the purpose of getMetadataItem(s) I would suggest we have the "View Metadata" privilege.

      There is an existing privilege "Metadata Mapping" that does not seem to be used but is created (via config.xml). I suggest we drop this privilege (via liquibase) and use the new and more specific "Manage Metadata Mappings" instead.

      The pre 1.1.0 methods in MetadataMappingService, like isAddLocalMappingToConceptOnExport(), do not have any authorization rules. I suggest we apply the same privileges on these methods.
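
      The rules proposed above, together with a reflection check that lists service methods still lacking an authorization rule, as an added example that is not code from the module or from the issue's author. The nested `Authorized` annotation is a stand-in for `org.openmrs.annotation.Authorized`; `SampleMappingService`, `getMapping`, `saveMapping` and the simplified method signatures are hypothetical.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class AuthorizedAudit {
    // Stand-in for org.openmrs.annotation.Authorized so the example compiles alone.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface Authorized { String[] value() default {}; }

    // Constructed sample interface; getMapping/saveMapping and all signatures are hypothetical.
    interface SampleMappingService {
        @Authorized                              // no privileges: any authenticated user
        Object getMapping(Integer id);

        @Authorized("Manage Metadata Mapping")   // write access
        Object saveMapping(Object mapping);

        @Authorized("View Metadata")             // generic fetch of any metadata object
        Object getMetadataItem(Class<?> type, String uuid);

        boolean isAddLocalMappingToConceptOnExport();   // pre-1.1.0 method, no rule yet
    }

    /** Names of methods that carry no @Authorized annotation, sorted. */
    static List<String> unprotected(Class<?> service) {
        List<String> missing = new ArrayList<>();
        for (Method m : service.getDeclaredMethods()) {
            if (!m.isAnnotationPresent(Authorized.class)) missing.add(m.getName());
        }
        Collections.sort(missing);
        return missing;
    }

    /** Method name to required privileges; an empty list means "authenticated only". */
    static Map<String, List<String>> rules(Class<?> service) {
        Map<String, List<String>> out = new TreeMap<>();
        for (Method m : service.getDeclaredMethods()) {
            Authorized a = m.getAnnotation(Authorized.class);
            if (a != null) out.put(m.getName(), Arrays.asList(a.value()));
        }
        return out;
    }

    public static void main(String[] args) {
        System.out.println("rules: " + rules(SampleMappingService.class));
        System.out.println("unprotected: " + unprotected(SampleMappingService.class));
    }
}
```

      Run as a unit test against the real service interface, a non-empty `unprotected` list fails the build whenever a new method is added without an authorization rule.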

              People

                kosmik Mikko Suniala
                kosmik Mikko Suniala
                Rafal Korytkowski Rafal Korytkowski
