In testing the module, I realized that a lot of possibly sensitive information is exposed to anyone making a JSON request. For instance, any user with the "View user profiles" permission who currently makes a GET request at /user/1.json will see user 1's e-mail address and other possibly private data. So do you plan to add some module permissions, or is there some other way to control which specific data fields are served for a particular request?

Thanks,
Ben

Comments

klausi

Version: » 7.x-1.x-dev
Category: support » bug

Definitively an issue. I see 3 possible solutions:
1) Create one master permission "access resources as service"
2) Create one permission per resource type "access as service"
3) Create fine grained permissions per property per resource type (but that would be way too many permissions)

voxpelli

Perhaps it should be possible to disable session based authentication?

BenK

@klausi:

1) Create one master permission "access resources as service"
2) Create one permission per resource type "access as service"
3) Create fine grained permissions per property per resource type (but that would be way too many permissions)

I think we definitely need both 1) and 2) above... or at least 2). There may be lots of times when you want to allow a third-party to access nodes as a service, but not necessarily users.

As for 3), here's a related suggestion: What if we simplified things by defining a "public" and "private" permission for each resource type? Individual properties for each resource/entity type could then be assigned via a UI screen to either the "public" service, the "private" service, or both. Basically, this allows for a "trusted" and "untrusted" version of each service (based on whether the consumer of the service is yourself or a third-party), and we'd just need a URL path / endpoint defined to access each.

Anyway, just an idea. Thoughts?

--Ben

klausi

Title: Do you plan to add permissions? » Resource permissions

I just committed access permissions per resource type. I don't think we need a master permission, as this just means to give all existing permissions to a user/role.

So in order to access a resource at all this permission must be satisfied at first, then the other entity permissions are examined to determine further access.

klausi

Now I took also a look at the user property info in #1046270: User property permissions.

I committed an access filter function to remove restricted properties like mail or roles from the user resource if only the "view user profiles" permission is present. Also added simpletests for that.
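The two-stage check described in this thread (a per-resource-type service permission first, then stripping restricted properties such as mail and roles from the user resource unless a stronger permission is held), as an added self-contained PHP illustration. This is not restws's own code; the permission strings and the restricted-property table are assumptions for the example.

```php
<?php
// Added illustration, not restws code. Permission names and the
// restricted-property table below are assumptions for this example.

// Stage 1: the per-resource-type permission that must hold before
// any entity-level access is even examined.
function example_resource_permission($resource_type) {
  return "access $resource_type resources as service";
}

// Stage 2: properties only a more privileged consumer may see,
// keyed by resource type: property => permission that unlocks it.
function example_restricted_properties() {
  return array(
    'user' => array(
      'mail'  => 'administer users',
      'roles' => 'administer users',
    ),
  );
}

// $entity is the array about to be serialised (JSON, XML, RDF alike);
// $granted is the flat list of permission strings the consumer holds.
// Returns NULL when the resource type is not accessible at all.
function example_filter($resource_type, array $entity, array $granted) {
  if (!in_array(example_resource_permission($resource_type), $granted)) {
    return NULL;
  }
  $restricted = example_restricted_properties();
  if (isset($restricted[$resource_type])) {
    foreach ($restricted[$resource_type] as $property => $perm) {
      if (!in_array($perm, $granted)) {
        unset($entity[$property]);
      }
    }
  }
  return $entity;
}

// Constructed sample data: a consumer with only "access user profiles"
// and the service permission sees uid and name, never mail or roles.
$user1  = array('uid' => 1, 'name' => 'admin', 'mail' => 'admin@example.com', 'roles' => array(3));
$viewer = array('access user resources as service', 'access user profiles');
$admin  = array_merge($viewer, array('administer users'));
var_dump(example_filter('user', $user1, $viewer)); // uid and name only
var_dump(example_filter('user', $user1, $admin));  // all four properties
var_dump(example_filter('node', array('nid' => 5), $viewer)); // NULL: no node service permission
```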

moshe weitzman

Perhaps point people to http://drupal.org/project/chain_menu_access if they want to use multiple sets of access rules.

klausi

Status: Active » Fixed

Restricted permissions are now implemented for all formats (JSON, XML, RDF).

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.