XNAT-6811: XAPI DataAccess and DataAdmin access levels only match admins

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.8.2
    • Fix Version/s: 1.8.4
    • Component/s: Security, XAPI
    • Labels: None
    • Sprint: XNAT 2021-Q4 Sprint 2

    Description

      Basic access control for XAPI methods is handled with the restrictTo attribute on the XAPI request mapping. Its value comes from the AccessLevel enum, which pairs each level with the XapiAuthorization class that performs the check for it:

      public enum AccessLevel {
          Null(null),
          Authenticated("authenticated", AuthenticatedXapiAuthorization.class),
          User("user", UserXapiAuthorization.class),
          Role("role", RoleXapiAuthorization.class),
          Admin("admin", AdminXapiAuthorization.class),
          DataAdmin("dataAdmin", AdminXapiAuthorization.class),   // same authorizer as Admin
          DataAccess("dataAccess", AdminXapiAuthorization.class), // same authorizer as Admin
          Read("read", DataObjectXapiAuthorization.class),
          Edit("edit", DataObjectXapiAuthorization.class),
          Delete("delete", DataObjectXapiAuthorization.class)
          ...
      }
      

      The problem is that both DataAccess and DataAdmin map to AdminXapiAuthorization, so the check run for those levels is the site-administrator check. Any endpoint annotated with restrictTo = DataAdmin or restrictTo = DataAccess is therefore reachable only by site administrators, not by the data administrators and all-data-access users it is meant for. The failure is closed rather than open (nobody gains access they should not have), but those APIs are broken for exactly the roles that are supposed to call them.

      The fix is to point each level at its own authorization class:

      DataAdmin("dataAdmin", AllDataAdminXapiAuthorization.class),
      DataAccess("dataAccess", AllDataAccessXapiAuthorization.class),
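      To make the effect of the mapping concrete, below is an added stand-alone model of the dispatch described above; it is example code written for this page, not XNAT's own code. Role, User, Authorizer, Level, buggyMapping and fixedMapping are hypothetical stand-ins for XNAT's user roles, the XapiAuthorization classes and the AccessLevel enum; the rule that a site admin satisfies every level and that all-data-admin implies all-data-access is an assumption of the model, not something the ticket states. The main method prints the allow/deny matrix before and after the fix and then runs the regression checks a fix for this ticket should carry: the intended roles reach their own levels, ordinary users still do not, and the fix does not widen the Admin level.

```java
import java.util.Arrays;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;

public class AccessLevelDemo {

    // Constructed stand-in for the roles XNAT tracks for a user; not XNAT's UserI/Groups API.
    enum Role { SITE_ADMIN, ALL_DATA_ADMIN, ALL_DATA_ACCESS }

    static final class User {
        final String name;
        final Set<Role> roles;
        User(String name, Set<Role> roles) { this.name = name; this.roles = roles; }
        boolean has(Role role) { return roles.contains(role); }
    }

    // Stand-ins for the *XapiAuthorization classes, reduced to a predicate over the caller.
    // Assumption (not stated in the ticket): a site admin satisfies every level, and
    // all-data-admin implies all-data-access.
    enum Authorizer implements Predicate<User> {
        ADMIN(u -> u.has(Role.SITE_ADMIN)),
        ALL_DATA_ADMIN(u -> u.has(Role.SITE_ADMIN) || u.has(Role.ALL_DATA_ADMIN)),
        ALL_DATA_ACCESS(u -> u.has(Role.SITE_ADMIN) || u.has(Role.ALL_DATA_ADMIN)
                           || u.has(Role.ALL_DATA_ACCESS));

        private final Predicate<User> rule;
        Authorizer(Predicate<User> rule) { this.rule = rule; }
        @Override public boolean test(User user) { return rule.test(user); }
    }

    // The three access levels from the ticket that matter here.
    enum Level { Admin, DataAdmin, DataAccess }

    // The mapping as reported in XNAT-6811: all three levels resolve to the site-admin authorizer.
    static Authorizer buggyMapping(Level level) {
        switch (level) {
            case Admin:      return Authorizer.ADMIN;
            case DataAdmin:  return Authorizer.ADMIN;   // wrong: admin-only
            case DataAccess: return Authorizer.ADMIN;   // wrong: admin-only
            default:         throw new IllegalArgumentException(level.name());
        }
    }

    // The mapping the ticket proposes: each level resolves to its own authorizer.
    static Authorizer fixedMapping(Level level) {
        switch (level) {
            case Admin:      return Authorizer.ADMIN;
            case DataAdmin:  return Authorizer.ALL_DATA_ADMIN;
            case DataAccess: return Authorizer.ALL_DATA_ACCESS;
            default:         throw new IllegalArgumentException(level.name());
        }
    }

    // What restrictTo amounts to at request time: resolve the level, run its authorizer on the caller.
    static boolean allowed(Function<Level, Authorizer> mapping, Level level, User user) {
        return mapping.apply(level).test(user);
    }

    static void check(boolean condition, String what) {
        if (!condition) throw new AssertionError("failed: " + what);
    }

    public static void main(String[] args) {
        User siteAdmin  = new User("site-admin",  EnumSet.of(Role.SITE_ADMIN));
        User dataAdmin  = new User("data-admin",  EnumSet.of(Role.ALL_DATA_ADMIN));
        User dataAccess = new User("data-access", EnumSet.of(Role.ALL_DATA_ACCESS));
        User plain      = new User("plain-user",  EnumSet.noneOf(Role.class));
        List<User> users = Arrays.asList(siteAdmin, dataAdmin, dataAccess, plain);

        // Allow/deny matrix with the reported mapping ("before") and the proposed one ("after").
        System.out.println("level       user         before  after");
        for (Level level : Level.values()) {
            for (User user : users) {
                System.out.printf("%-11s %-12s %-7b %b%n", level, user.name,
                        allowed(AccessLevelDemo::buggyMapping, level, user),
                        allowed(AccessLevelDemo::fixedMapping, level, user));
            }
        }

        // Regression checks for the fix: intended roles get in, plain users stay out, Admin is not widened.
        Function<Level, Authorizer> fixed = AccessLevelDemo::fixedMapping;
        check(allowed(fixed, Level.DataAdmin, dataAdmin),   "data admin reaches DataAdmin");
        check(allowed(fixed, Level.DataAccess, dataAccess), "data-access user reaches DataAccess");
        check(!allowed(fixed, Level.DataAdmin, dataAccess), "data-access user does not reach DataAdmin");
        check(!allowed(fixed, Level.DataAccess, plain),     "plain user does not reach DataAccess");
        check(!allowed(fixed, Level.Admin, dataAdmin),      "data admin still does not reach Admin");
        System.out.println("regression checks passed");
    }
}
```

      The last block of checks is the part worth carrying into the real fix: the bug is fail-closed, so the risk in correcting it is not the change itself but an over-broad replacement authorizer, and a test that asserts data administrators still cannot reach Admin-level endpoints guards against that.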
      

      People

        Assignee: Rick Herrick (jrherrick@wustl.edu)
        Reporter: Rick Herrick (jrherrick@wustl.edu)
        Watchers: 2

      Time Tracking

        Logged: 4h 5m