V13.1.4 - Resource vs. URI level? #586

Closed
securitybits opened this issue Feb 26, 2019 · 2 comments
@securitybits

Verify that authorization decisions are made at both the URI and resource level, not just at the resource level.

I could understand this one if it said "not just at the URI level", but not the other way around. Usually you could have more fine-grained access control at the resource level and more coarse-grained at the URI level. Or do I misunderstand the intention of this one?

vanderaj added this to the 4.0 milestone Feb 26, 2019
vanderaj added the QA label Feb 26, 2019
@vanderaj

@jmanico If you get to this before I do, my thoughts are that we delete or re-word this item as I agree it's pretty unclear.

Suggest: Verify that authorization decisions are made at both the URI, enforced by programmatic or declarative security at the controller or router, and at the resource level, enforced by model-based permissions.
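
The two layers named in the suggested wording, as an added example that is not part of the thread or of the ASVS project: a declarative route table stands in for the controller/router check and a method on the model stands in for the model-based permission. The `User`, `Invoice`, `ROUTES` and `handle` names, the roles and the sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str

    def allows(self, user, action):
        # Resource level: model-based permission on this one record.
        if "admin" in user.roles:
            return True
        if action == "read":
            return user.name == self.owner or "auditor" in user.roles
        return False

# Constructed sample data for the example.
INVOICES = {1: Invoice(1, "alice"), 2: Invoice(2, "bob")}
ALICE = User("alice", frozenset({"customer"}))
CAROL = User("carol", frozenset({"auditor"}))
ADMIN = User("root", frozenset({"admin"}))

# URI level: declarative table the router consults before any handler runs.
# (method, path prefix) -> (roles allowed to reach the route, action on the resource)
ROUTES = {
    ("GET", "/invoices"): ({"customer", "auditor", "admin"}, "read"),
    ("DELETE", "/invoices"): ({"admin"}, "delete"),
}

def handle(user, method, path):
    """Return an HTTP-style status code for the request."""
    prefix, _, tail = path.rpartition("/")
    route = ROUTES.get((method, prefix))
    # Decision 1 (URI): deny by default on unknown routes or missing role.
    if route is None or not (user.roles & route[0]):
        return 403
    invoice = INVOICES.get(int(tail)) if tail.isdecimal() else None
    if invoice is None:
        return 404
    # Decision 2 (resource): independent check on the specific record.
    return 200 if invoice.allows(user, route[1]) else 403
```

With only the route table, any customer could read any invoice by changing the id; with only the model check, the owner of a record would reach the `DELETE` handler before anything refused the request.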

@vanderaj

Actually, I decided to just fix it.

This issue was closed.