Posted to dev@usergrid.apache.org by "Jeffrey (JIRA)" <ji...@apache.org> on 2015/11/09 18:56:11 UTC
[jira] [Updated] (USERGRID-16) Asset data does not correctly obey
contextual ownership like the entity
[ https://issues.apache.org/jira/browse/USERGRID-16?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeffrey updated USERGRID-16:
-----------------------------
Sprint: Double Check
> Asset data does not correctly obey contextual ownership like the entity
> -----------------------------------------------------------------------
>
> Key: USERGRID-16
> URL: https://issues.apache.org/jira/browse/USERGRID-16
> Project: Usergrid
> Issue Type: Bug
> Components: Stack
> Reporter: Rod Simpson
> Priority: Minor
>
> The asset data endpoint /assets/UUID/data does not correctly obey contextual ownership.
> For instance, if the default role permissions are set to this after removing all existing.
> GET,PUT,POST,DELETE:/users/me/**
> A user should only be able to perform the operations on their entity /users/me, and all sub collections. For instance the following scenario should work as described.
> # App default role permissions are edited to match the path above
> # User "bob" registers for app
> # User "bob" creates the following asset and uploads data. /users/me/assets/myasset and /users/me/assets/myasset/data
> # User "fred" registers for app
> # User "fred" should get a 404 on both /users/bob/assets/myasset, and /users/bob/assets/myasset/data
> # Anonymous user should get a 404 on both /users/bob/assets/myasset, and /users/bob/assets/myasset/data
> See org.usergrid.rest.applications.users.OwnershipResourceIT for some examples.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
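
Added example, not part of the original JIRA message and not Usergrid code: a small Python model of the outcome the scenario above expects, where the entity path and its /data path go through the same ownership check. The function names and the matching rules for "me", "*" and "**" are assumptions made for illustration; the users, paths and grant string are the ones in the report.

```python
import re

# Constructed model of the reported scenario; not Usergrid's permission engine.
DEFAULT_ROLE = ["GET,PUT,POST,DELETE:/users/me/**"]  # grant string from the report


def parse_grant(grant):
    """Split 'GET,PUT:/path/**' into (set of methods, path pattern)."""
    methods, pattern = grant.split(":", 1)
    return {m.strip().upper() for m in methods.split(",")}, pattern


def pattern_to_regex(pattern, caller):
    """Translate an Ant-style pattern to a regex, binding 'me' to the caller."""
    parts = []
    for seg in pattern.strip("/").split("/"):
        if seg == "**":
            parts.append("(?:/.*)?")        # zero or more further segments
        elif seg == "*":
            parts.append("/[^/]+")          # exactly one segment
        elif seg == "me":
            parts.append("/" + re.escape(caller))
        else:
            parts.append("/" + re.escape(seg))
    return re.compile("^" + "".join(parts) + "$")


def normalize(path, caller):
    """Rewrite /users/me/... to /users/<caller>/... so both spellings agree."""
    segs = path.strip("/").split("/")
    if len(segs) >= 2 and segs[0] == "users" and segs[1] == "me":
        segs[1] = caller
    return "/" + "/".join(segs)


def authorize(caller, method, path, grants=DEFAULT_ROLE):
    """Return 200 if a grant covers the request, else 404 as the report expects."""
    if caller is None:                      # anonymous: 'me' binds to nobody
        return 404
    target = normalize(path, caller)
    if ".." in target.split("/"):           # refuse traversal segments outright
        return 404
    for grant in grants:
        methods, pattern = parse_grant(grant)
        regex = pattern_to_regex(pattern, caller)
        if method.upper() in methods and regex.match(target):
            return 200
    return 404
```
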