Closed SandGrainOne closed 2 months ago
From #83:
I'm concluding that we've already added restrictions. We just need to implement the check on push of events to new subscriptions as well. See https://github.com/Altinn/altinn-events/issues/239 for further work.
Description
Application owners can currently create subscriptions where they subscribe to any event from any source. There is no authorization logic verifying that the application owner actually has access to the events.
Note that the application owner will not be sent any events unless they have been given access to the events from the given source. This issue is about "dead" subscriptions that will never get any events. Events should stop/prevent an application owner from creating invalid subscriptions.
We should consider letting an application owner subscribe to events from all of their own events implicitly without the need for a policy.
Additional Information
No response
Tasks
Acceptance Criteria