Gocd: [Granular Auth] Environments Index API should show environments based on user permissions

Created on 14 Nov 2019 · 3 Comments · Source: gocd/gocd

Issue Type
  • Bug Report
Summary

Environments Index API returns forbidden (403) when a user has access to some environments (not all).

Additional Environment Details

with the following role:

    <role name="xyz">
      <users>
        <user>view</user>
      </users>
      <policy>
        <allow action="administer" type="environment">foo*</allow>
      </policy>
    </role>
Steps to Reproduce
  1. Start the Go Server with above role
  2. Access Environments Index API using user view.
Expected Results

Environment Index API should return all the environments with matching name foo*

Actual Results

Environment Index API returns 403

Labels: apis, environments, granular-auth

All 3 comments

@gocd/committers @arvindsv @adityasood -- What should be the expected behavior?

IMO, the answer depends on what we consider as an operational entity. Whether an API endpoint is an entity or a single environment?

  • If we consider the API endpoint to be an operational entity, the API should return 403 as the user does not have access to all the resources of the endpoint.
  • If we consider a single environment to be an operational entity, the API should return 200 with environments matching name foo*

I vote for 200. As a user, they don't see the API endpoint as an entity. The entities are the individual environments they have access to. It shouldn't matter to them that there are other environments they don't know about.
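The two behaviours discussed in this thread (403 unless the user may see every environment, versus a 200 filtered to the environments the policy grants) as an added Python example; this is not GoCD's own code. The rule semantics it assumes (first matching rule wins, `*` as a name wildcard, administer implying view) and the sample environment names are assumptions made for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple

# Constructed sample data modelled on the role in the issue: user "view" is
# allowed to administer environments whose name matches "foo*".
# Rule semantics below are assumptions for this example, not GoCD's
# documented behaviour: first matching rule wins, '*' is a name wildcard
# (fnmatch syntax), and "administer" implies "view".

@dataclass(frozen=True)
class Rule:
    directive: str   # "allow" or "deny"
    action: str      # "view" or "administer"
    type: str        # resource type, e.g. "environment"
    resource: str    # name pattern, '*' matches any run of characters

@dataclass(frozen=True)
class Role:
    name: str
    users: frozenset
    policy: Tuple[Rule, ...]

def can_view_environment(user: str, env: str, roles: List[Role]) -> bool:
    """True if some role of `user` has a matching rule that allows view/administer on `env`."""
    for role in roles:
        if user not in role.users:
            continue
        for rule in role.policy:
            if rule.type != "environment" or not fnmatchcase(env, rule.resource):
                continue
            if rule.action not in ("view", "administer"):
                continue
            return rule.directive == "allow"   # first matching rule decides
    return False                               # no rule matched: deny by default

def environments_index_before(user, envs, roles):
    # Behaviour reported in the issue: the endpoint is the entity, so one
    # environment the user cannot see turns the whole request into a 403.
    if all(can_view_environment(user, e, roles) for e in envs):
        return 200, list(envs)
    return 403, []

def environments_index_after(user, envs, roles):
    # Behaviour voted for in the thread: each environment is the entity, so
    # the index is filtered to what the user may see and always returns 200.
    return 200, [e for e in envs if can_view_environment(user, e, roles)]

ROLES = [Role("xyz", frozenset({"view"}),
              (Rule("allow", "administer", "environment", "foo*"),))]
ENVS = ["foo-prod", "foo-staging", "bar-prod"]   # constructed environment names
```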

Verified on 19.11.0 (10687-c532a61bb240ffbe59fe356445bea6433005563f)
