Added permissions to control access to API and manage API tokens

Jan Böhmer 2023-08-26 22:57:50 +02:00
parent be14fe548c
commit 8fe3f4cf5c
7 changed files with 60 additions and 26 deletions


@ -69,3 +69,5 @@ security:
# We get into trouble with the U2F authentication, if the calls to the trees trigger an 2FA login
# This settings should not do much harm, because a read only access to show available data structures is not really critical
- { path: "^/\\w{2}/tree", role: PUBLIC_ACCESS }
# Restrict access to API to users, which has the API access permission
- { path: "^/api", allow_if: 'is_granted("@api.access_api") and is_authenticated()' }
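Review bot: The new `^/api` entry relies on `is_authenticated()`, which is weaker than a completed login: it also holds for remember-me sessions, and it is worth confirming that a session still waiting on the second factor (the 2FA flow the comment above refers to) does not satisfy it. If such a session can pass, `is_granted("@api.access_api")` would be evaluated against the real user's permissions before 2FA has finished. Consider `is_fully_authenticated()` if remember-me sessions should not reach the API, and add a functional test that requests an `/api` path with a 2FA-in-progress session and expects a denial. Separately, access_control takes the first matching entry, so this rule only applies if no earlier entry outside this hunk already matches `/api`.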


@ -254,6 +254,7 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
show_updates:
label: "perm.system.show_available_updates"
attachments:
label: "perm.part.attachments"
operations:
@ -304,4 +305,11 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
label: "perm.revert_elements"
alsoSet: ['read_profiles', 'edit_profiles', 'create_profiles', 'delete_profiles']
api:
label: "perm.api"
operations:
access_api:
label: "perm.api.access_api"
manage_tokens:
label: "perm.api.manage_tokens"
alsoSet: ['access_api']
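Review bot: The `api` group has no comment saying what `manage_tokens` covers, and because API tokens are credentials the scope matters to whoever assigns this permission: it is not visible here whether it applies only to the user's own tokens or to other users' tokens as well. I would add a line above the operation, e.g. `# manage_tokens: create and revoke API tokens (own tokens only? state the scope here)`. Also, `alsoSet: ['access_api']` only propagates when `manage_tokens` is granted; presumably an explicit deny on `access_api` still wins at the `^/api` rule, but that is worth confirming. The `perms:` mapping starts outside this hunk.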