Each API request needs to be authorized using the capabilities of the user as defined by the user's role. If authorization fails, a 403 Forbidden should be returned, probably with a message like "Forbidden. The ds-write capability is required."
Also, need to think about how priv_level will be deprecated or overridden. Maybe a parameter called use_capabilities is introduced. If turned on, priv level is ignored. If turned off, priv level is respected.
However, for 3.0, I think there should be no concept of a priv_level. It should be scrubbed from the code base entirely.
More info here: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=68715910
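
One way to implement the check this issue describes, as an added example that is not the project's own code: a per-route wrapper that returns the 403 message naming the missing capability and honors a `use_capabilities` switch. The `User` type, the function names, the context key and the priv level numbers are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// User is a hypothetical authenticated principal (field names are assumptions).
type User struct {
	PrivLevel    int             // legacy priv_level
	Capabilities map[string]bool // capabilities granted by the user's role
}

type userKey struct{} // context key under which a login layer would store the User

// Authorize returns the status and message for one request. With useCapabilities
// on, priv_level is ignored; with it off, priv_level alone decides.
func Authorize(u User, useCapabilities bool, capName string, minPriv int) (int, string) {
	if useCapabilities {
		if u.Capabilities[capName] { // nil map or missing key: denied
			return http.StatusOK, ""
		}
		return http.StatusForbidden, fmt.Sprintf("Forbidden. The %s capability is required.", capName)
	}
	if u.PrivLevel >= minPriv {
		return http.StatusOK, ""
	}
	return http.StatusForbidden, "Forbidden."
}

// RequireCapability wraps a handler so the check runs before the endpoint does.
func RequireCapability(useCapabilities bool, capName string, minPriv int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, ok := r.Context().Value(userKey{}).(User)
		if !ok { // no authenticated user on the request
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		if code, msg := Authorize(u, useCapabilities, capName, minPriv); code != http.StatusOK {
			http.Error(w, msg, code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample: a high priv_level, but a role without ds-write.
	u := User{PrivLevel: 30, Capabilities: map[string]bool{"ds-read": true}}
	fmt.Println(Authorize(u, true, "ds-write", 20))  // capabilities on: 403
	fmt.Println(Authorize(u, false, "ds-write", 20)) // capabilities off: 200
}
```

The sample user shows why the switch matters during migration: the same account passes under priv_level and is refused once capabilities are enforced, so roles need their capabilities assigned before the parameter is turned on.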