[portal] "Portal" mode : disable management features #181
We expect to have two separate portals:
The dev portal must only be able to read documentation and create applications (if the user has permission to), but must not be able to edit an API, edit documentation, etc.
As Gravitee currently has only one portal (mixing both use cases), it would be great to manage a flag "dev_portal_enabled" on the management API & UI.
Is it a security problem?
A flag on the UI will always be overridable by a hacker because it's running in his browser.
With a portal mode, you must have separate instances of the management-api, and this introduces a new context to be managed by the API. On each resource we have to think about whether it may or may not be part of the "portal", in addition to permissions.
A portal mode on the UI is a good idea, not for security reasons but because you may simply want to expose a more "simple" UI (and perhaps manage your API with the management-API, not via the UI).
My aim is to make a distinction between API publisher and API consumer.
As an API consumer, I should not have access to the cogwheel.
About the Management API, if the bearer used to access the API is well checked and includes the API consumer's rights, that's OK. My idea was to ensure that the API consumer will not be able to update the API settings through the API management. With well-designed APIs, it's easy to guess that we only need to change the HTTP verb from GET to PUT to update a record ;)
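The point the thread converges on is that a portal flag in the browser is only cosmetic and the real boundary is a server-side, per-resource, per-verb check driven by the verified bearer token. The following is an added illustration of that check, not Gravitee's own code; the role names, paths and policy table are assumptions for the example.

```python
# Added example (not Gravitee code): default-deny authorization for a management
# API shared by an API publisher role and an API consumer (dev portal) role.
# Role names, paths and the policy table below are assumptions for illustration.
import re

# Allowed (role, HTTP method, path regex) triples. Anything not listed is denied,
# so a consumer flipping GET to PUT on the same resource is refused.
POLICY = [
    ("consumer", "GET", r"^/apis(/[^/]+)?$"),             # browse the API catalogue
    ("consumer", "GET", r"^/apis/[^/]+/documentation$"),  # read documentation
    ("consumer", "POST", r"^/applications$"),             # create an application
    ("publisher", "GET", r"^/.*$"),
    ("publisher", "POST", r"^/.*$"),
    ("publisher", "PUT", r"^/apis/[^/]+$"),               # edit an API
    ("publisher", "PUT", r"^/apis/[^/]+/documentation$"),  # edit documentation
    ("publisher", "DELETE", r"^/apis/[^/]+$"),
]


def authorize(claims: dict, method: str, path: str, client_flags: dict = None) -> bool:
    """Decide whether a request may proceed.

    claims       - claims of a bearer token already verified upstream (signature,
                   expiry); the role comes from here and nowhere else.
    client_flags - whatever the UI sent alongside the request, e.g. a
                   dev_portal_enabled flag. It is accepted only to make explicit
                   that the decision never reads it: a flag living in the
                   browser belongs to whoever controls the browser.
    """
    role = claims.get("role")
    if role is None:
        return False
    verb = method.upper()
    return any(
        r == role and m == verb and re.match(pattern, path)
        for r, m, pattern in POLICY
    )


if __name__ == "__main__":
    consumer = {"role": "consumer"}
    print(authorize(consumer, "GET", "/apis/123"))   # True: reading is fine
    print(authorize(consumer, "PUT", "/apis/123"))   # False: same URL, verb flipped
```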