Bug #604

Security constraints for REST controller are insufficient

Added by Miroslav Blaško about 6 years ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Start date: 19.04.2018
Due date:
% Done: 50%
Estimated time:
Spent time:

Description

Please revise the REST controllers' security restrictions. E.g. it is possible to retrieve all patients via the REST API if the institution is absent from the REST API call. Currently fixed by a workaround in PatientRecordController:

// #institutionKey is how SpEL refers to the method parameter; without the '#' the
// expression looks for a property of that name on the security root object instead
@PreAuthorize("hasRole('" + SecurityConstants.ROLE_ADMIN + "') OR (#institutionKey != null)")
public List<PatientRecordDto> getRecords(@RequestParam(value = "institution", required = false) String institutionKey) {
    ...
}

- Java tests of REST controller security should be added to confirm that it works correctly

Updated by Miroslav Blaško about 6 years ago

- the security constraint is of course still not sufficient if we guess institutionKey

Updated by Tomáš Klíma about 6 years ago

  • % Done changed from 0 to 50
  • Status changed from New to In Progress

TODO tests

Updated by Tomáš Klíma about 6 years ago

I have problems with the configuration needed for controller testing.
Could you configure it and make an example test, please?

Updated by Miroslav Blaško about 6 years ago

- I sent an email

Updated by Miroslav Blaško almost 6 years ago

- going over the code, I realized that in our setting it makes more sense to put security constraints on services instead of controllers (we can discuss at the next meeting)
- I updated branch java-tests2 with the correct setting for controllers

=> I suggest testing controllers with this setting + not testing security-related issues within controllers

- Before that, I had also created branch java-controllers-test-alternative, which was meant to be used for security testing. I suggest leaving it until the next meeting, so I can demonstrate how to make tests for the service layer. After the meeting, I suppose it will be deleted...
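Added example (my own, not code from the project or from any comment in this issue) that ties together the three points raised in the thread: the description's hole (a missing institution parameter returns every patient), the comment that the `institutionKey != null` workaround still fails against a guessed institutionKey, and the later suggestion to put the constraint on the service layer and test it there. Everything not named in the issue is an assumption: the package name, the `InstitutionUser` principal that carries its own institution key, `PatientRecordDao` as an in-memory stand-in for persistence with constructed records, the shape of `PatientRecordDto`, and the bean name `institutionGuard`. It assumes Spring Security 5, Spring Test 5 and JUnit 5; the classes are shown in one file for compactness and would each be public in their own file in a real tree.

```java
// Added example, not code from the issue or the project. Hypothetical: package name,
// InstitutionUser, PatientRecordDao (in-memory stub), PatientRecordDto's shape and the
// bean name "institutionGuard". Assumes Spring Security 5, Spring Test 5, JUnit 5.
package cz.cvut.kbss.example;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

/** Hypothetical DTO: only the owning institution matters for this check. */
class PatientRecordDto { final String institutionKey; PatientRecordDto(String k) { institutionKey = k; } }

/** Hypothetical principal: the logged-in user carries the key of its own institution. */
class InstitutionUser { final String institutionKey; InstitutionUser(String k) { institutionKey = k; } }

/** Hypothetical in-memory stand-in for the persistence layer (constructed test data). */
class PatientRecordDao {
    private final List<PatientRecordDto> records;
    PatientRecordDao(PatientRecordDto... seed) { records = Arrays.asList(seed); }
    List<PatientRecordDto> findAll() { return records; }
    List<PatientRecordDto> findByInstitution(String key) {
        return records.stream().filter(r -> r.institutionKey.equals(key)).collect(Collectors.toList());
    }
}

/** Referenced from SpEL as @institutionGuard: ties the requested institution to the caller. */
class InstitutionGuard {
    public boolean ownsInstitution(Authentication auth, String institutionKey) {
        if (institutionKey == null || auth == null) return false;  // a missing key must not widen the result set
        Object principal = auth.getPrincipal();
        return principal instanceof InstitutionUser                 // a guessed key of another institution fails here
                && institutionKey.equals(((InstitutionUser) principal).institutionKey);
    }
}

/** The constraint sits on the service, so every caller (the REST controller included) goes through it. */
class PatientRecordService {
    private final PatientRecordDao dao;
    PatientRecordService(PatientRecordDao dao) { this.dao = dao; }
    @PreAuthorize("hasRole('ROLE_ADMIN') or @institutionGuard.ownsInstitution(authentication, #institutionKey)")
    public List<PatientRecordDto> findRecords(String institutionKey) {
        return institutionKey == null ? dao.findAll() : dao.findByInstitution(institutionKey);
    }
}

@SpringJUnitConfig(PatientRecordServiceSecurityTest.Config.class)
class PatientRecordServiceSecurityTest {
    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)  // turns @PreAuthorize into a method interceptor
    static class Config {
        @Bean PatientRecordDao patientRecordDao() {    // constructed data: two records for hospital-a, one for hospital-b
            return new PatientRecordDao(new PatientRecordDto("hospital-a"), new PatientRecordDto("hospital-a"), new PatientRecordDto("hospital-b"));
        }
        @Bean InstitutionGuard institutionGuard() { return new InstitutionGuard(); }
        @Bean PatientRecordService patientRecordService(PatientRecordDao dao) { return new PatientRecordService(dao); }
    }

    @Autowired PatientRecordService service;

    /** Puts an already-authenticated token into the context; no web layer or password is needed. */
    private static void login(String institution, String... roles) {
        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                new InstitutionUser(institution), "n/a", AuthorityUtils.createAuthorityList(roles)));
    }
    @AfterEach void logout() { SecurityContextHolder.clearContext(); }

    @Test void adminMayListEverything() {
        login(null, "ROLE_ADMIN");
        assertEquals(3, service.findRecords(null).size());
    }
    @Test void userWithoutInstitutionIsDenied() {  // the hole from the description
        login("hospital-a", "ROLE_USER");
        assertThrows(AccessDeniedException.class, () -> service.findRecords(null));
    }
    @Test void userCannotGuessAnotherInstitution() {  // the hole left by the workaround
        login("hospital-a", "ROLE_USER");
        assertThrows(AccessDeniedException.class, () -> service.findRecords("hospital-b"));
    }
    @Test void userMayReadOwnInstitution() {
        login("hospital-a", "ROLE_USER");
        assertEquals(2, service.findRecords("hospital-a").size());
    }
}
```

The controller then only forwards the optional `institution` request parameter to `findRecords`; it needs no `@PreAuthorize` of its own, and a test of the controller can stay a plain MVC test as suggested above. The decision is made from the authenticated principal, not from the request, so a caller cannot widen the result set by omitting the parameter or by guessing another institution's key. The SpEL expression uses the literal `'ROLE_ADMIN'`, which is assumed to equal `SecurityConstants.ROLE_ADMIN` from the issue.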

Updated by Tomáš Klíma almost 6 years ago

  • Status changed from In Progress to Resolved

Updated by Miroslav Blaško almost 4 years ago

  • Status changed from Resolved to Closed
