This repository has been archived by the owner on Jul 25, 2018. It is now read-only.

Check create operations in lib-datahandler #106

Closed
mcjaeger opened this issue Mar 3, 2016 · 5 comments · Fixed by #345

@mcjaeger
Contributor

mcjaeger commented Mar 3, 2016

Create can be done by anyone; for example, any user can create components and projects. But a user cannot create licenses. This is done at the portlet level; however, it could also be moved to the backend and into lib-datahandler.

@mcjaeger mcjaeger added this to the 1.5 milestone May 3, 2016
@mcjaeger mcjaeger added the bug label May 3, 2016
@mcjaeger mcjaeger changed the title Check create operations in lib-dtahandler Check create operations in lib-datahandler Aug 30, 2016
@mcjaeger mcjaeger self-assigned this Aug 30, 2016
@mcjaeger
Contributor Author

mcjaeger commented Aug 30, 2016

The issue could be solved, as done with other calls, by passing the user as an argument at the license creation call.
However, the big picture about "how to secure API calls" would be important input here.

@maxhbr
Member

maxhbr commented Aug 31, 2016

However, the big picture about "how to secure API calls" would be important input here.

see #218

@mcjaeger mcjaeger modified the milestones: 1.6, 1.5 Dec 1, 2016
@mcjaeger
Contributor Author

For licenses, it shall also be the clearing admin who can create licenses.

@alexbrdn
Contributor

Clearing admins can create licenses already.

@alexbrdn
Contributor

alexbrdn commented Feb 20, 2017

Actually, LicenseDatabaseHandler also already gets the user argument and checks for permissions before creating/updating licenses. I guess this issue is too old and does not reflect the current state.

What's left insecure are the methods used for bulk import of licenses from files. This is done in ComponentUploadPortlet and in the executable class LicenseImporter - do we need it at all? I'm tempted to delete it
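
The approach discussed in this thread (pass the calling user into the create call, check permissions in the backend handler, and route bulk import through the same call) is shown here as an added Java example. It is not SW360 code and not written by the thread's participants; every class, method, role name and sample value in it is hypothetical.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example: all names are hypothetical, not SW360's actual classes.
public class BackendCreateCheck {
    // Declared in ascending order of privilege so roles can be compared.
    enum Role { USER, CLEARING_ADMIN, ADMIN }
    record User(String email, Role role) {}
    record License(String shortName) {}

    static class LicenseHandler {
        private final Map<String, License> store = new HashMap<>();

        // The create call takes the calling user and enforces the permission
        // in the backend, so a caller that skips the portlet check is still denied.
        boolean addLicense(License license, User user) {
            if (user == null || user.role().compareTo(Role.CLEARING_ADMIN) < 0) {
                return false;
            }
            // putIfAbsent returns null only when the license did not exist yet.
            return store.putIfAbsent(license.shortName(), license) == null;
        }

        // Bulk import has no write path of its own: it goes through addLicense,
        // so the same check applies to every imported entry.
        int importLicenses(List<License> licenses, User user) {
            int created = 0;
            for (License license : licenses) {
                if (addLicense(license, user)) {
                    created++;
                }
            }
            return created;
        }
    }

    public static void main(String[] args) {
        LicenseHandler handler = new LicenseHandler();
        // Constructed sample users and licenses.
        User plain = new User("user@example.org", Role.USER);
        User clearing = new User("clearing@example.org", Role.CLEARING_ADMIN);
        List<License> batch = List.of(new License("MIT"), new License("Apache-2.0"));

        System.out.println("plain user, single create: " + handler.addLicense(batch.get(0), plain));
        System.out.println("plain user, bulk import:   " + handler.importLicenses(batch, plain));
        System.out.println("clearing admin, bulk:      " + handler.importLicenses(batch, clearing));
    }
}
```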
