Altinn / altinn-events

Altinn platform microservice for handling events
MIT License

Authorization of application owner when creating subscription #239

Closed SandGrainOne closed 2 months ago

SandGrainOne commented 1 year ago

Description

Application owners can currently create subscriptions where they subscribe to any event from any source. There is no authorization logic verifying that the application owner actually has access to the events.

Note that the application owner will not be sent any events unless they have been given access to the events from the given source. This issue is about "dead" subscriptions that will never get any events. Events should stop/prevent an application owner from creating invalid subscriptions.

We should consider letting an application owner subscribe to events from all of their own events implicitly without the need for a policy.

Additional Information

No response

Tasks

Acceptance Criteria

olebhansen commented 2 months ago

From #83:

I'm concluding that we've already added restrictions. We just need to implement the check on push of events to new subscriptions as well. See https://github.com/Altinn/altinn-events/issues/239 for further work.