Currently the default role of Privilege is used for debug inside RestApiAuthFilter.java. That should be changed to use the actual role. There are 2 options to set the role of request.
Option 1: Set the role in the http header from the client side. But it's not secure, the attackers can set the privileged role for the other roles. To resolve this, the server should validate the consistence of the role and path, method.
Option 2: Calculate the role according to the request path and method.
Both options need to be implemented from the server side. The option 2 seems friendly to the client. The client don't have to know and understand the concept of role.
Yes, there's currently no authorization in the API. There's a FIXME in RestApiAuthFilter.java ;) I agree, this can only be done server-side, without relying on client parameters.
Currently the default role of Privilege is used for debug inside RestApiAuthFilter.java. That should be changed to use the actual role. There are 2 options to set the role of request.
Both options need to be implemented from the server side. The option 2 seems friendly to the client. The client don't have to know and understand the concept of role.