Move manifest endpoints to their own, independent API group and fix access policies accordingly #15989

Merged
merged 12 commits into from
Apr 9, 2024

@kjac (Contributor) commented Apr 4, 2024

Prerequisites

  • I have added steps to test this contribution in the description below

Description

We currently have issues with non-admins not being able to access package manifests from the server. This is because the "all manifests" endpoint is part of the Packages API group. In this group, all API controllers inherit from the PackageControllerBase, which requires access to the packages section to invoke.

Since base class attributes ([Authorize] in this case) cannot be overwritten by specialised classes, we have two choices:

  1. Remove the access policy specification from PackageControllerBase and decorate all other controllers in the Packages API group instead.
  2. Create a new API group for manifests.

Although manifests and packages have a certain cohesion, the manifest endpoints are actually utilised completely independently of the package endpoints. Therefore, option 2 has been chosen.

Testing this PR

First and foremost, verify that the manifest endpoints are now located in their own Manifest group in the Swagger docs:

[image]

Now test the access policies:

  • /umbraco/management/api/v1/manifest/manifest should be invocable as any backoffice user (i.e. an editor user).
  • /umbraco/management/api/v1/manifest/manifest/public should be invocable as anonymous.
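
The inheritance behaviour the description relies on, as an added example that is not part of the PR or of the Umbraco code base: `[Authorize]` attributes declared on a base controller are inherited, and ASP.NET Core requires every collected policy to pass, so redeclaring `[Authorize]` on a derived controller adds a requirement instead of replacing the base one. The controller types and policy names are hypothetical stand-ins; only `AuthorizeAttribute` and `ControllerBase` are real framework types.

```csharp
// Added illustration. Type names and policy names are hypothetical stand-ins,
// not identifiers from the Umbraco code base.
using System;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Stand-in for a group base class that demands access to one section.
[Authorize(Policy = "SectionAccessPackages")]
public abstract class PackagesGroupBase : ControllerBase { }

// Attempt to loosen access for one endpoint by redeclaring [Authorize].
[Authorize(Policy = "BackOfficeAccess")]
public class ManifestInPackagesGroup : PackagesGroupBase { }

// Option 2 from the description: an independent group with its own base class.
[Authorize(Policy = "BackOfficeAccess")]
public abstract class ManifestGroupBase : ControllerBase { }

public class ManifestInOwnGroup : ManifestGroupBase { }

public static class PolicyAudit
{
    // Returns every policy a caller must satisfy to reach the controller.
    // inherit: true includes attributes declared on base classes, and
    // AuthorizeAttribute allows multiple instances, so nothing is dropped.
    public static string[] EffectivePolicies(Type controller) =>
        controller.GetCustomAttributes(typeof(AuthorizeAttribute), inherit: true)
                  .Cast<AuthorizeAttribute>()
                  .Select(a => a.Policy ?? "(any authenticated user)")
                  .Distinct()
                  .OrderBy(p => p, StringComparer.Ordinal)
                  .ToArray();

    public static void Main()
    {
        var controllers = new[] { typeof(ManifestInPackagesGroup), typeof(ManifestInOwnGroup) };
        foreach (var type in controllers)
        {
            // Policies are joined with AND because all of them must succeed.
            Console.WriteLine($"{type.Name}: {string.Join(" AND ", EffectivePolicies(type))}");
        }
    }
}
```

Running the same reflection over an application's real controller types gives a quick audit of which endpoints silently pick up a stricter policy from their base class.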

@kjac (Contributor Author) commented Apr 8, 2024

Thanks @Nuklon 👍

kjac and others added 4 commits April 9, 2024 09:01
…group

# Conflicts:
#	src/Umbraco.Cms.Api.Management/Controllers/Manifest/AllManifestController.cs
#	src/Umbraco.Cms.Api.Management/Controllers/Manifest/PublicManifestManifestController.cs
…sts-as-independent-api-group

# Conflicts:
#	src/Umbraco.Cms.Api.Management/OpenApi.json
@iOvergaard (Contributor) left a comment

Added a /private endpoint to get only the private packages. Updated the OpenApi.json file to match after merging v14/dev. It's looking good to me now!

@iOvergaard iOvergaard merged commit 41238d1 into v14/dev Apr 9, 2024
16 checks passed
@iOvergaard iOvergaard deleted the v14/feature/manifests-as-independent-api-group branch April 9, 2024 15:44
4 participants