UI vs API role permission (JMIX v 1.5.4)

When defining a resource role with only the UI context, I would expect that it would not be able to use the API, but it does.

Is there something else to do, then, to prevent login by UI-only roles?

Hi,

  1. Which Jmix version do you use?
  2. Could you please provide an example of the role definition that doesn’t work?
  3. What exact API endpoints do you use that you think should not be available?

Answers:
1.) version 1.5.4
2.) Not sure how to provide it, but essentially the API context has been turned off completely in the role definition, yet the user still logs in and uses the API from external frontend code.
3.) Not so much a need for another endpoint, but rather to understand why the removal of API on a role does not prevent login and API calls by such a user.

I’ve just tried it and saw that the user can obtain an access token, but if the role doesn’t have the API scope, this user can’t access REST API endpoints.

For example, I have a role that allows reading the User entity from the UI:

// Imports assumed for Jmix 1.x (Classic UI); the import of the project's own User entity
// depends on the project package and is omitted here.
import io.jmix.security.model.EntityAttributePolicyAction;
import io.jmix.security.model.EntityPolicyAction;
import io.jmix.security.role.annotation.EntityAttributePolicy;
import io.jmix.security.role.annotation.EntityPolicy;
import io.jmix.security.role.annotation.ResourceRole;
import io.jmix.ui.role.annotation.MenuPolicy;
import io.jmix.ui.role.annotation.ScreenPolicy;

// Scope "UI" only: the policies below apply to screens, not to REST API requests.
@ResourceRole(name = "UserRead", code = UserReadRole.CODE, scope = "UI")
public interface UserReadRole {
    String CODE = "user-read";

    // Menu item and screens the role may open
    @MenuPolicy(menuIds = "User.browse")
    @ScreenPolicy(screenIds = {"User.browse", "User.edit"})
    void screens();

    // Read access to the User entity and all of its attributes
    @EntityAttributePolicy(entityClass = User.class, attributes = "*", action = EntityAttributePolicyAction.VIEW)
    @EntityPolicy(entityClass = User.class, actions = EntityPolicyAction.READ)
    void user();
}

If a user with this role obtains an access token and tries to access the endpoint http://localhost:8080/rest/entities/User, then a 403 error is returned.

What exact API endpoints can your user access?
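As an added illustration (not part of the thread and not Jmix project code) of the scope separation described in the reply above: a UI-scoped role such as UserRead does not grant REST access, so a frontend that legitimately needs the REST API gets a separate role with scope "API". The package names for the Jmix annotations are assumed to be the Jmix 1.x ones, and the project package com.example.demo and its User entity are hypothetical.

```java
package com.example.demo.security;   // hypothetical project package

import io.jmix.security.model.EntityAttributePolicyAction;
import io.jmix.security.model.EntityPolicyAction;
import io.jmix.security.role.annotation.EntityAttributePolicy;
import io.jmix.security.role.annotation.EntityPolicy;
import io.jmix.security.role.annotation.ResourceRole;

import com.example.demo.entity.User;  // hypothetical: the project's own User entity

/**
 * API-scoped counterpart of the UI-only "UserRead" role from the thread.
 *
 * Requests to /rest/** are authorized against roles with scope "API" only, so a
 * user holding just the UI-scoped role gets a token but a 403 on REST endpoints.
 * This role carries entity policies only: @MenuPolicy and @ScreenPolicy describe
 * screens and have no meaning for REST, so they are left out.
 */
@ResourceRole(name = "UserReadApi", code = UserReadApiRole.CODE, scope = "API")
public interface UserReadApiRole {
    String CODE = "user-read-api";

    // Read access to the User entity and all of its attributes, for REST clients only
    @EntityAttributePolicy(entityClass = User.class, attributes = "*", action = EntityAttributePolicyAction.VIEW)
    @EntityPolicy(entityClass = User.class, actions = EntityPolicyAction.READ)
    void user();
}
```

Keeping the two roles separate lets you assign the API-scoped one only to the accounts an external frontend actually uses, while interactive users keep the UI-scoped role; a quick check is to obtain a token for an account that holds only UserRead and confirm that GET /rest/entities/User returns 403, then repeat with UserReadApi assigned and confirm it returns 200.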

On our end, the external web frontend is able to access all endpoints with the same access rights granted in the UI-only context.

Please provide a sample project that contains a role definition and exact HTTP request (method and URL) that I could call (using cURL or Postman) to reproduce the error.