Posted to dev@lucene.apache.org by "Gus Heck (JIRA)" <ji...@apache.org> on 2019/04/03 14:06:00 UTC

[jira] [Commented] (SOLR-13364) Make Admin UI aware of logged-in users permissions

    [ https://issues.apache.org/jira/browse/SOLR-13364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16808752#comment-16808752 ] 

Gus Heck commented on SOLR-13364:
---------------------------------

I'd hope that this would populate a JS object that acts as a service and that caches the information to avoid chatty requests for perms from N elements on each portion of the UI. 

In other (non-AngularJS) systems I've had this sort of info get populated by a scriptlet or tag in the base file that sets a global JS value to avoid providing a "have I elevated my perms" service (granted, if they dig through the HTML/JS on the page they can find it, but that's a little more work than noticing a REST call-out that spells it out nice and clear. If one wants, one can make the thing interpreted by the encoded so it's not instantly recognizable via find command in a browser page source window). 

It's just for rendering so caching it should be fine. If the perms change on the back end the user might need to reload the page, but that doesn't seem like a problem to me since the perm changes will start failing requests no longer authorized. (one hopes).

> Make Admin UI aware of logged-in users permissions
> --------------------------------------------------
>
>                 Key: SOLR-13364
>                 URL: https://issues.apache.org/jira/browse/SOLR-13364
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Admin UI, Authentication, Authorization, security
>            Reporter: Jan Høydahl
>            Priority: Major
>
> We should aim to add fine-grained permission checks to the UI. One way to do this is to add a new REST-endpoint {{/admin/login/whoami}} that is always open for all, and that responds with a JSON with current user's permissions. If no user is logged in it will respond with empty list and "No user logged in". Else it will respond with e.g.
> {code:java}
> { "user": "john", "roles": ["superuser", "searcher"], "permissions": ["security-edit", "collectionadmin"...] }{code}
> The Admin UI can then request this endpoint and cache the info, so that it may make decisions to hide/grey out certain menu options throughout the UI.
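An added example, not part of this thread or of Solr's code base, sketching the cached permission service Gus describes on top of the whoami endpoint Jan proposes. The endpoint path and JSON shape are taken from the issue text as assumptions; `fetchImpl` is injected so the block runs offline against a constructed reply.

```javascript
// Browser-side permission service for the proposed /admin/login/whoami endpoint
// (an assumption: the endpoint and its JSON shape are the issue's proposal, not
// shipped Solr code). The in-flight promise is memoised so N widgets rendering
// at once share one request; reset() drops the cache on a 401/403 or logout.
function createWhoAmIService(fetchImpl, url = '/admin/login/whoami') {
  let pending = null;                       // memoised promise doubles as cache
  let requests = 0;                         // round-trips actually made
  const anonymous = { user: null, roles: [], permissions: new Set() };
  // Malformed or unauthenticated replies collapse to "no permissions" (fail closed).
  function normalise(body) {
    if (!body || typeof body.user !== 'string') return anonymous;
    return {
      user: body.user,
      roles: Array.isArray(body.roles) ? body.roles : [],
      permissions: new Set(Array.isArray(body.permissions) ? body.permissions : []),
    };
  }

  function load() {
    if (!pending) {
      requests += 1;
      pending = fetchImpl(url)
        .then(async (res) => (res.ok ? normalise(await res.json()) : anonymous))
        .catch(() => { pending = null; return anonymous; }); // never cache a failure
    }
    return pending;
  }

  return {
    load,
    // Rendering-side check used to hide or grey out a menu entry.
    has: async (permission) => (await load()).permissions.has(permission),
    reset: () => { pending = null; },       // call on 401/403 or explicit logout
    requestCount: () => requests,
  };
}
// Constructed stand-in for fetch() replying with the JSON from the issue text.
function fakeWhoAmI(body = { user: 'john', roles: ['superuser', 'searcher'],
                             permissions: ['security-edit', 'collectionadmin'] }) {
  return async () => ({ ok: true, json: async () => body });
}

// Ten menu items ask at the same moment; only one request reaches the server.
async function demo() {
  const svc = createWhoAmIService(fakeWhoAmI());
  const seen = await Promise.all(Array.from({ length: 10 }, () => svc.has('security-edit')));
  return { allAllowed: seen.every(Boolean), requests: svc.requestCount(),
           denied: !(await svc.has('some-other-permission')) };
}
```

A real integration would call `reset()` from the UI's HTTP error handler whenever a request comes back 401/403, which is the "perm changes will start failing requests" signal from the comment above.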