Altinn / altinn-events

Altinn platform microservice for handling events
MIT License

The get "my" subscriptions endpoint needs to find subscriptions based on the created by value #352

Open SandGrainOne opened 1 year ago

SandGrainOne commented 1 year ago

Description

The endpoint producing a list of registered subscriptions for a party/user of the API should use the CreatedBy field to do subscription retrieval. It's currently using the Consumer field.

The current implementation is working because in all scenarios the CreatedBy and Consumer fields have the same value. It's also impossible to set the Consumer field to anything different.

If we at any time make it possible for one party to create subscriptions for someone else, it will be important that it is the creator of the subscriptions that can list out the subscriptions they've created.

Additional Information

Scenarios: User_1 creates a subscription with a separate User_2 as consumer:

Filtering on Consumer (current implementation):

Filtering on CreatedBy:

Tasks

No response

Acceptance Criteria

No response

olebhansen commented 1 month ago

@SandGrainOne: Is this still relevant (or even possible), ref. discussing and closing https://github.com/Altinn/altinn-events/issues/239?

SandGrainOne commented 1 month ago

@olebhansen Still relevant and possible. Unrelated to linked issue. Authorization of the events being hit by the subscription is separate from the subscription itself. Authorization of resource filter in the subscription must still be done based on the event consumer and not the subscription creator.

We currently do not support creating a subscription on behalf of a separate consumer, which is why this change is less important than it would otherwise have been. For me, the current implementation is a logical flaw, but because of the identical creator and consumer the functional outcome is unchanged.
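Added example, not part of the issue thread and not code from altinn-events: a Python model of the User_1/User_2 scenario showing where the two listing filters diverge, with event authorization still keyed on the consumer. The `Subscription` class, the function names, the party identifiers, the resource names and the `EVENT_ACCESS` policy are all constructed for illustration; only the `CreatedBy` and `Consumer` field names come from the issue.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subscription:
    id: int
    created_by: str       # party that registered the subscription (CreatedBy)
    consumer: str         # party that receives the events (Consumer)
    resource_filter: str  # resource whose events the subscription matches

# Constructed data: User_1 creates subscription 2 with User_2 as consumer.
SUBSCRIPTIONS = [
    Subscription(1, "User_1", "User_1", "resource_a"),
    Subscription(2, "User_1", "User_2", "resource_b"),
    Subscription(3, "User_2", "User_2", "resource_b"),
]

# Hypothetical policy: which party may receive events for which resource.
EVENT_ACCESS = {("User_1", "resource_a"), ("User_2", "resource_b")}

def list_by_consumer(caller, subs=SUBSCRIPTIONS):
    """Current behaviour described in the issue: filter on Consumer."""
    return [s.id for s in subs if s.consumer == caller]

def list_by_created_by(caller, subs=SUBSCRIPTIONS):
    """Proposed behaviour: filter on CreatedBy."""
    return [s.id for s in subs if s.created_by == caller]

def may_deliver(sub, access=EVENT_ACCESS):
    """Event authorization stays tied to the consumer, not the creator."""
    return (sub.consumer, sub.resource_filter) in access

def listing_report(caller, subs=SUBSCRIPTIONS):
    """Differences between the two filters for one caller."""
    by_consumer = set(list_by_consumer(caller, subs))
    by_creator = set(list_by_created_by(caller, subs))
    return {
        "hidden_from_creator": sorted(by_creator - by_consumer),
        "exposed_to_non_creator": sorted(by_consumer - by_creator),
    }

if __name__ == "__main__":
    for user in ("User_1", "User_2"):
        print(user, list_by_consumer(user), list_by_created_by(user),
              listing_report(user))
    print([(s.id, may_deliver(s)) for s in SUBSCRIPTIONS])
```

With identical creator and consumer on every row, both filters return the same lists, which is why the current behaviour goes unnoticed until delegated creation exists.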