Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

views: integrate API authentication/access control #14

Open
2 tasks
lnielsen opened this issue Nov 20, 2015 · 9 comments
Open
2 tasks

views: integrate API authentication/access control #14

lnielsen opened this issue Nov 20, 2015 · 9 comments
Labels
Type: enhancement
Milestone
someday

Comments

@lnielsen
Copy link
Member

  • OAuth2 (with scopes)
  • Access control
@lnielsen lnielsen added this to the v1.0.0 milestone Nov 20, 2015
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 3, 2015
global: views: access control
463c9d1 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
@nharraud nharraud mentioned this issue Dec 3, 2015
Merged
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 3, 2015
views: access control
71d9611 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 4, 2015
views: access control
fadf8d7 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 7, 2015
views: access control
e6d045e 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 7, 2015
views: access control
ac55939 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 8, 2015
views: access control
93d39c6 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 9, 2015
views: access control
b60b025 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 14, 2015
views: access control
2a924a0 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 11, 2016
views: access control
a3005a5 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 11, 2016
views: access control
e6c6b9c 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 12, 2016
views: access control
fdfedbf 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 12, 2016
views: access control
b86848f 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 14, 2016
views: access control
49babf6 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 15, 2016
views: access control
addc9f7 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (addresses inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 15, 2016
views: access control
24e3ef9 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (addresses inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 18, 2016
views: access control
d8b3c33 
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (addresses inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <nicolas.harraudeau@cern.ch>
@hachreak
Copy link
Member

hachreak commented Aug 8, 2016

@lnielsen do you think we reached the result?

@lnielsen
Copy link
Member Author

lnielsen commented Aug 8, 2016
edited

  • OAuth2 (with scopes)

?

@hachreak
Copy link
Member

hachreak commented Aug 8, 2016

Should it be done by the permission factories? (see https://github.com/zenodo/zenodo/blob/master/zenodo/config.py#L392)

@nharraud
Copy link
Member

nharraud commented Aug 8, 2016

@lnielsen I am not sure how we can have oauth2 scopes in invenio-records-rest given that it is used in different modules. Shouldn't we have different scopes for the published records and the deposits?

I planned to check the scopes directly in the permission factories as recommended by @jirikuncar (at least that's what I understood).

@lnielsen
Copy link
Member Author

lnielsen commented Aug 8, 2016

Yes, it should be done by permission factories, but perhaps we should provide some default scopes to rely on and which are easy to integrate?

Just thinking that right now, you can get an access token for deposit, and use that you read records, files, etc. which a user might not want a third-party to do.

For scopes I'm thinking something simple as either just records or alternatively two scopes records:read + records:write/admin/update.

@nharraud
Copy link
Member

nharraud commented Aug 8, 2016
edited

@lnielsen So you mean implementing optional scopes like here without creating any permission factory? If so, I like the idea. Having a records:read and records:update should be enough for most use cases and would enable to have scopes which can be reused in other modules if need be. They should just remain optional.

Note: records:update should not give access to the delete operation (which the admins can do). There should be another scope for delete, if it is needed.

@jirikuncar WDYT?

@lnielsen
Copy link
Member Author

lnielsen commented Aug 8, 2016

@nharraud possible the records:update/write scope could still be used to protect the delete operation, since in addition to the scope check, there's also a permission check which would fail unless you're admin…… the scopes is just to restrict what a third-party application can do with the delegated access.

@nharraud
Copy link
Member

nharraud commented Aug 8, 2016

@lnielsen I am not sure that as an admin I would give access to the "force" delete operation to any script. Most of the scripts would just get the right to fix/migrate records.

@lnielsen
Copy link
Member Author

lnielsen commented Aug 8, 2016

@nharraud Yes, hence you shouldn't delegate record:update scope to the third-party app :-) However, IMHO you shouldn't even allow force delete to an admin user.

@tiborsimko tiborsimko mentioned this issue Aug 10, 2016
Closed
10 tasks
@hjhsalo hjhsalo assigned hjhsalo and unassigned hjhsalo Nov 24, 2017
@lnielsen lnielsen modified the milestones: v1.0.0, someday Mar 11, 2018
switowski pushed a commit to dinosk/invenio-records-rest that referenced this issue May 25, 2018
@ChiaraBi @slint
global: add MIT license to all generated files
8ee367f 
* close inveniosoftware#14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: enhancement
Projects
None yet
Milestone
someday
Development

No branches or pull requests
4 participants
@hachreak @lnielsen @nharraud @hjhsalo