forked from OHDSI/WebAPI
-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feat: working version tying permissions to teamproject role #101
Closed
pieterlukasse
wants to merge
34
commits into
feat/add_arborist_validation
from
feat/add_team_project_access_control
Closed
Feat: working version tying permissions to teamproject role #101
pieterlukasse
wants to merge
34
commits into
feat/add_arborist_validation
from
feat/add_team_project_access_control
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pieterlukasse
commented
Nov 17, 2023
src/main/java/org/ohdsi/webapi/security/model/EntityPermissionSchema.java
Show resolved
Hide resolved
pieterlukasse
changed the title
wip: working version tying permissions to teamproject role
Feat: working version tying permissions to teamproject role
Nov 17, 2023
pieterlukasse
force-pushed
the
feat/add_team_project_access_control
branch
2 times, most recently
from
November 22, 2023 13:50
7a157b6
to
f15c0ce
Compare
pieterlukasse
commented
Dec 15, 2023
pieterlukasse
force-pushed
the
feat/add_arborist_validation
branch
from
January 5, 2024 15:49
22ef1a4
to
9b906c1
Compare
... just for testing at the moment. System roles should really be assigned to the user beforehand as part of the onboarding process...
...and allow reading current teamproject from cache in case of a request to /user/refresh endpoint
pieterlukasse
force-pushed
the
feat/add_team_project_access_control
branch
from
January 5, 2024 15:50
af6a085
to
6a0ae7b
Compare
... these roles turned out to be essential for getting the error resolved (an error stating "you are not authorized to view the concept set expression")
pieterlukasse
commented
Jan 8, 2024
src/main/java/org/ohdsi/webapi/shiro/filters/TeamProjectBasedAuthorizingFilter.java
Outdated
Show resolved
Hide resolved
pieterlukasse
commented
Jan 8, 2024
pieterlukasse
commented
Jan 8, 2024
pieterlukasse
commented
Jan 8, 2024
pieterlukasse
commented
Jan 8, 2024
pieterlukasse
force-pushed
the
feat/add_team_project_access_control
branch
from
January 10, 2024 18:09
cb6c2e7
to
65b3fbd
Compare
pieterlukasse
force-pushed
the
feat/add_team_project_access_control
branch
from
January 10, 2024 18:12
65b3fbd
to
ad236d0
Compare
...to avoid the scenario where the user comes back in another session and still gets the same teamProject role assigned...while in reality he might have been removed from that team for example
pieterlukasse
force-pushed
the
feat/add_team_project_access_control
branch
2 times, most recently
from
February 9, 2024 21:02
f18cc4d
to
59e5e46
Compare
...and therefore from the flow of endpoints like /user/refresh. Not sure why this was added there, as the /user/logout should be the place to remove a session. This solves a org.apache.shiro.subject.support.DisabledSessionException. If the worry is that logout won`t be called, then the expiry time should just be set to a short period. The adjustment in JwtAuthRealm.java was to deal with the side effect that occurred after the removal of the .stop in the UpdateAccessTokenFilter filter: java.lang.ClassCastException: io.buji.pac4j.subject.Pac4jPrincipal cannot be cast to java.lang.String
pieterlukasse
force-pushed
the
feat/add_team_project_access_control
branch
from
February 9, 2024 21:03
59e5e46
to
32e90bc
Compare
...to avoid any race conditions where two threads could end up trying to remove the same role for example.
Co-authored-by: burtonk <117617405+k-burt-uch@users.noreply.github.com>
...and extra failsafe to avoid empty string names in the request parameters
…rvice ...with the access rules only changing if this.authorizationMode.equals("teamproject"). For teamproject mode we want the users to only see items that are granted through a role and not include the ones they have created (as they might have created this while logged/in / working on another teamproject
pieterlukasse
force-pushed
the
feat/add_team_project_access_control
branch
from
February 14, 2024 21:20
7c0f231
to
fb4a072
Compare
PR #107 replaces this one. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
--------Please refer to PR #107 for the latest review--------
Jira Ticket: VADC-809
New Features
cohortdefinition
permissions to a "team project" role when a new cohort is made by a "team project" user in AtlasExample:
Creating a cohort (with id
8
) while logged in as a team member of "team project"def
, results in the following records:Query used for list above:
Motivation
Motivation for this PR is twofold:
This change ensures that when another user logs in with the same "team project" (
def
in this case), this user will get the roledef
assigned and thus inherit access to cohorts accessible to this role (8
in this case).By linking the cohorts to a "team project" role instead of linking them directly to a user, it becomes possible to get the complete list of all cohorts for a given "team project" (which is useful in other scenarios / for some of the other non-atlas tooling integrating with this DB)
Merge order
Should be merged after vinci-ohdsi#5