XAPI DataAccess and DataAdmin access levels only match admins

Description

Basic access control for XAPI methods is handled with the restrictTo attribute. This takes a value from the AccessLevel enum, which is defined below:

public enum AccessLevel { Null(null), Authenticated("authenticated", AuthenticatedXapiAuthorization.class), User("user", UserXapiAuthorization.class), Role("role", RoleXapiAuthorization.class), Admin("admin", AdminXapiAuthorization.class), DataAdmin("dataAdmin", AdminXapiAuthorization.class), DataAccess("dataAccess", AdminXapiAuthorization.class), Read("read", DataObjectXapiAuthorization.class), Edit("edit", DataObjectXapiAuthorization.class), Delete("delete", DataObjectXapiAuthorization.class) ... }

The problem is that both DataAccess and DataAdmin map to AdminXapiAuthorization, meaning that only site administrators have access to APIs that should be accessible to data administrators and all-data-access users.

This can be fixed as simply as this:

DataAdmin("dataAdmin", AllDataAdminXapiAuthorization.class), DataAccess("dataAccess", AllDataAccessXapiAuthorization.class),

Environment

None

Steps to Reproduce

None

Summary of Technical Changes

None

Root Cause Analysis

None

QA Notes

None

Activity

Show:

Charlie Moore January 7, 2022 at 9:52 PM

I modified the test-harness plugin to include DataAccess/DataAdmin for testing this. Looks good to me, thanks slightly smiling face

Z-Rick Herrick December 10, 2021 at 8:43 PM

Changes to restrictTo reverted.

Charlie Moore December 6, 2021 at 7:38 PM

Could we go back to making those endpoints admin-only?

Z-Rick Herrick December 3, 2021 at 7:05 PM

Consolidated AllDataAdminXapiAuthorization and AllDataAccessXapiAuthorization into AdminXapiAuthorization. Modified AnonymizeApi and ArchiveProcessorInstanceApi calls to change access restrictions to allow data admins and access users to modify or read certain settings. Data access users can now call the following endpoints:

  • GET /xapi/processors

  • GET /xapi/processors/site/enabled

  • GET /xapi/processors/site/enabled/receiver/{aeAndPort}

  • GET /xapi/processors/site/id/{instanceId}

  • GET /xapi/processors/site/list

Data admin users can now call the following endpoints:

  • PUT /xapi/anonymize/site

  • PUT /xapi/anonymize/site/enabled

  • POST /xapi/processors/site/create

  • PUT /xapi/processors/site/id/{instanceId}

  • DELETE /xapi/processors/site/id/{instanceId}

Fixed
Pinned fields
Click on the next to a field label to start pinning.

Details

Assignee

Reporter

Time remaining

0h

Components

Fix versions

Affects versions

Priority

Zendesk Support

Clockify

Created June 1, 2021 at 5:04 PM
Updated January 7, 2022 at 9:52 PM
Resolved December 10, 2021 at 8:43 PM

Flag notifications