feat: Add read ACL check when no namespace protection [DHS2-16134] #15754
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ring [DHIS2-16134]
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #15754 +/- ##
=========================================
Coverage 66.31% 66.31%
- Complexity 31374 31380 +6
=========================================
Files 3481 3481
Lines 129925 129930 +5
Branches 15197 15199 +2
=========================================
+ Hits 86162 86166 +4
- Misses 36672 36673 +1
Partials 7091 7091
Flags with carried forward coverage won't be shown. Click here to find out more.
... and 1 file with indirect coverage changes Continue to review full report in Codecov by Sentry.
|
david-mackessy
changed the title
david-mackessy
changed the title
|
Kudos, SonarCloud Quality Gate passed! |
david-mackessy
changed the title
david-mackessy
changed the title
vietnguyen
approved these changes
Nov 25, 2023
jbee
reviewed
Nov 27, 2023
...ervices/dhis-service-core/src/main/java/org/hisp/dhis/datastore/DefaultDatastoreService.java
Show resolved
Hide resolved
jbee
approved these changes
Nov 27, 2023
This was referenced Jan 24, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This feature adds an ACL check to
DatastoreService#readProtectedInwhen there is no namespace protection. The following endpoints can be used to test the feature:GET/api/dataStore/{namespace}/{key}GET/api/dataStore/{namespace}/{key}/metaDataBackground
There was already an existing read
Sharingcheck performed for namespace entries that had namespace protection.The read check has been updated to incorporate scenarios where there is no namespace protection in place (namespace protection is only setup programmatically currently. All namespaces setup through the API will not have any namespace protection).
DatastoreEntry Read criteria when no namespace protection
Testing
Automated
Manual
To manually test this feature, the following endpoints can be used:
GET/api/dataStore/{namespace}/{key}GET/api/dataStore/{namespace}/{key}/metaDataTo add an entry to a new namespace:
POST/api/dataStore/{myNamespace}/{myKey}with sample body{ "name": "test", "project": "dhis2" }To get the ID of a DataEntry use:
GET/api/dataStore/{namespace}/{key}/metaDataTo remove public access of a DataEntry:
POST/api/sharing?type=dataStore&id={dataStoreEntryId}with body{ "object": { "publicAccess": "--------", "externalAccess": false, "user": {}, "userAccesses": [], "userGroupAccesses": [] } }To share access of a DataEntry with another User & remove public access:
POST/api/sharing?type=dataStore&id={dataStoreEntryId}with body{ "object": { "publicAccess": "--------", "externalAccess": false, "user": {}, "userAccesses": [ { "id": "{userId}", "access": "r-------" } ], "userGroupAccesses": [] } }To share access with a UserGroup & remove public access use:
{ "object": { "publicAccess": "--------", "externalAccess": false, "user": {}, "userAccesses": [], "userGroupAccesses": [ { "id": "{userGroupId}", "access": "r-------" } ] } }