New permission plone.restapi.UseRESTAPI should exclude @login #166

Closed
sneridagh opened this issue Dec 1, 2016 · 2 comments

@sneridagh

The permission is now enforced internally as:

https://github.com/plone/plone.restapi/blob/master/src/plone/restapi/services/__init__.py#L24

But the thing is that the @login endpoint should always be accessible to anonymous users. The tests should have been assuming some user was logged in in the first place, as they are not failing...

Maybe other endpoints should bypass this permission. I would personally only use the zcml permission instead of hardcoding it but... it's my 5 cents.

@sneridagh

@buchi @lukasgraf @tisto Any thoughts?

@buchi

buchi commented Dec 4, 2016

@sneridagh Absolutely! The login endpoint must be accessible without the UseRESTAPI permission.
I've prepared PR #167 to fix this.

If other endpoints need to bypass the permission, they can override the check_permission() method. It's not possible to have another permission in ZCML.

@tisto tisto closed this as completed in #167 Dec 5, 2016
@tisto tisto removed the in progress label Dec 5, 2016
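
The `check_permission()` override mentioned in the thread, sketched as an added example that is not plone.restapi's own code: a simplified base `Service` with the hardcoded check and a `Login` subclass that bypasses it. Only the permission name and `check_permission()` come from the thread; `User`, `Content`, `render`, `reply` and `call_as` are hypothetical names.

```python
USE_REST_API = "plone.restapi.UseRESTAPI"  # permission name from the issue title

class Unauthorized(Exception):
    """Caller lacks the required permission."""

class User:
    """Hypothetical principal holding a set of permission names."""
    def __init__(self, name, permissions=()):
        self.name = name
        self.permissions = frozenset(permissions)

ANONYMOUS = User("Anonymous")  # holds no permissions

class Service:
    """Simplified base service: every request passes through check_permission()."""
    def __init__(self, user):
        self.user = user

    def check_permission(self):
        if USE_REST_API not in self.user.permissions:
            raise Unauthorized(f"missing {USE_REST_API}")

    def render(self):
        self.check_permission()  # runs before any endpoint logic
        return self.reply()

class Content(Service):
    """Hypothetical ordinary endpoint: inherits the default check."""
    def reply(self):
        return {"title": "Front page"}

class Login(Service):
    """@login must work for callers that hold no permission yet."""
    def check_permission(self):
        return None  # explicit, reviewable bypass of the UseRESTAPI check

    def reply(self):
        return {"token": "constructed-sample-token"}

def call_as(service_cls, user):
    """Map the outcome to (status, body) as an HTTP layer would."""
    try:
        return 200, service_cls(user).render()
    except Unauthorized as exc:
        return 401, {"error": str(exc)}

if __name__ == "__main__":
    member = User("member", {USE_REST_API})
    for cls, user in [(Login, ANONYMOUS), (Content, ANONYMOUS), (Content, member)]:
        print(cls.__name__, user.name, call_as(cls, user))
```

Exercising the endpoints only as `member` returns 200 everywhere, with or without the override, so the anonymous calls are the ones that distinguish the two cases.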