Make default behaviour of RoleAuthorizer configurable #350

Closed
mcweba opened this issue Jan 21, 2021 · 2 comments
mcweba commented Jan 21, 2021

The current implementation of the RoleAuthorizer class grants access to requests without any roles. From a security perspective, this behaviour is a bit strange and can be summarized by the following statement.

When you have roles, you must have the right roles to get access to a specific resource. When you don't have any roles at all, you are free to access whatever you want.

To keep backward compatibility, I would suggest providing a way to configure the default behaviour.
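The two behaviours described in this issue, as an added illustration that is not code from the project or from the issue author: a small role authorizer whose handling of role-less requests is a constructor option, so the legacy fail-open behaviour can be kept where needed while the safe default is fail-closed. The ACL table, the request shape and the prefix-matching rule are constructed for the example and are assumptions, not the project's actual API.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple


class NoRolePolicy(Enum):
    """What to do with a request that carries no roles at all."""
    GRANT = "grant"    # legacy behaviour the issue describes: no roles -> access allowed
    REJECT = "reject"  # fail-closed: no roles -> access denied (safe default)


@dataclass(frozen=True)
class Request:
    path: str
    roles: FrozenSet[str]  # roles attached to the request (e.g. from a token or header)


@dataclass
class RoleAuthorizer:
    # Constructed sample ACL: path prefix -> roles that may access resources under it.
    # Longest matching prefix wins; a path with no matching prefix is denied.
    acl: Dict[str, FrozenSet[str]]
    no_role_policy: NoRolePolicy = NoRolePolicy.REJECT

    def _required_roles(self, path: str) -> Optional[FrozenSet[str]]:
        matches = [p for p in self.acl if path.startswith(p)]
        if not matches:
            return None
        return self.acl[max(matches, key=len)]

    def decide(self, request: Request) -> Tuple[bool, str]:
        """Return (allowed, reason). The reason is meant for audit logging, so that
        grants caused purely by the legacy no-role policy stay visible."""
        if not request.roles:
            if self.no_role_policy is NoRolePolicy.GRANT:
                return True, "no roles on request; granted by legacy no-role policy"
            return False, "no roles on request; rejected (fail-closed)"
        required = self._required_roles(request.path)
        if required is None:
            return False, "no ACL entry matches path; rejected"
        if request.roles & required:
            return True, "role match: " + ",".join(sorted(request.roles & required))
        return False, "roles present but none match ACL entry"

    def is_authorized(self, request: Request) -> bool:
        return self.decide(request)[0]


# Constructed sample ACL used by the demonstration below.
SAMPLE_ACL: Dict[str, FrozenSet[str]] = {
    "/admin/": frozenset({"admin"}),
    "/public/": frozenset({"admin", "viewer"}),
}

LEGACY = RoleAuthorizer(SAMPLE_ACL, NoRolePolicy.GRANT)   # backward-compatible mode
STRICT = RoleAuthorizer(SAMPLE_ACL, NoRolePolicy.REJECT)  # recommended default


def demo() -> Dict[str, bool]:
    """Run the same requests through both configurations."""
    anonymous = Request("/admin/users", frozenset())
    viewer = Request("/admin/users", frozenset({"viewer"}))
    admin = Request("/admin/users", frozenset({"admin"}))
    return {
        "legacy_anonymous_admin": LEGACY.is_authorized(anonymous),
        "strict_anonymous_admin": STRICT.is_authorized(anonymous),
        "strict_viewer_admin": STRICT.is_authorized(viewer),
        "strict_admin_admin": STRICT.is_authorized(admin),
        "strict_viewer_public": STRICT.is_authorized(Request("/public/docs", frozenset({"viewer"}))),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The `decide` method returns a reason string alongside the verdict so that, when the legacy grant policy is switched on for compatibility, every access that was allowed only because the request had no roles is distinguishable in the logs from a genuine role match.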

@mcweba mcweba self-assigned this Jan 21, 2021
lbovet commented Jan 21, 2021

Yes, that is something like a "dev mode" flag.

mcweba added a commit that referenced this issue Jan 22, 2021
…rizer

#350 configure requests without roles to be granted or rejected
mcweba commented Jan 25, 2021

Released in v1.1.63
