dotCMS / core

Headless/Hybrid Content Management System for Enterprises
http://dotcms.com

Edit Content API: Whitelisting Content API Fields for Backend Users #30042

Open fmontes opened 1 month ago

fmontes commented 1 month ago

User Story

As a dotCMS administrator, I want to restrict the additional information fields (modUser, modUserName, owner, modDate) in the content API endpoint to be visible only for users with the backend user role, so that sensitive information is not exposed to unauthorized users.

This is the issue where we introduce this change: https://github.com/dotCMS/core/issues/28183

Acceptance Criteria
- [ ] Only users with the backend user role should be able to view the additional information fields in the content API endpoint.
- [ ] Unauthorized users should not have access to the modUser, modUserName, owner, and modDate fields.
- [ ] Ensure that the whitelist functionality is implemented successfully and restricts the visibility of the specified fields as intended.

Proposed Objective

Core Features

Proposed Priority

Priority 3 - Average

External Links

N/A

Assumptions & Initiation Needs

Quality Assurance Notes & Workarounds
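The restriction the user story asks for can be enforced outside dotCMS, in a response filter placed in front of the content API. The following Python is an added example, not dotCMS code and not the project's proposed implementation: it strips modUser, modUserName, owner and modDate from every contentlet in a content API JSON response unless the caller holds the backend user role. The role key, the JSON envelope shape and the sample response are assumptions constructed for illustration; the actual role identifier and response layout should be taken from the running dotCMS instance.

```python
"""Gateway-side response filter for the dotCMS content API (added example).

Deny by default: a caller whose role set does not contain the backend user
role receives a copy of the response with the restricted fields removed at
every nesting level, so relationship fields that embed other contentlets are
covered as well. The role key, envelope and sample payload below are
constructed assumptions, not values taken from dotCMS.
"""
import copy
from typing import Any, Iterable, Set

# Fields the issue asks to restrict (names taken from the issue text).
RESTRICTED_FIELDS = frozenset({"modUser", "modUserName", "owner", "modDate"})

# Hypothetical role identifier; the real dotCMS role key for backend users
# is not stated in the issue and must be looked up in the target instance.
BACKEND_USER_ROLE = "CMS Backend User"


def _strip(node: Any) -> Any:
    """Recursively drop restricted keys from dicts, descending into lists."""
    if isinstance(node, dict):
        return {k: _strip(v) for k, v in node.items() if k not in RESTRICTED_FIELDS}
    if isinstance(node, list):
        return [_strip(v) for v in node]
    return node


def find_restricted(node: Any) -> Set[str]:
    """Return the set of restricted keys present anywhere in `node`.

    Useful as a post-filter self-check: the redacted view must yield an
    empty set before it is handed to a non-backend caller."""
    found: Set[str] = set()
    if isinstance(node, dict):
        for k, v in node.items():
            if k in RESTRICTED_FIELDS:
                found.add(k)
            found |= find_restricted(v)
    elif isinstance(node, list):
        for v in node:
            found |= find_restricted(v)
    return found


def filter_response(payload: dict, caller_roles: Iterable[str]) -> dict:
    """Return the response the caller is allowed to see.

    Backend users get an unmodified deep copy; everyone else, including an
    anonymous caller with no roles at all, gets the redacted copy. The input
    is never mutated so the gateway can cache the upstream body safely."""
    if BACKEND_USER_ROLE in set(caller_roles):
        return copy.deepcopy(payload)
    redacted = _strip(payload)
    # Fail closed: if redaction somehow left a restricted key behind, refuse
    # to serve the body rather than leak it.
    if find_restricted(redacted):
        raise RuntimeError("redaction incomplete; refusing to serve response")
    return redacted


# Constructed sample response in the envelope shape assumed by this example.
SAMPLE_RESPONSE = {
    "contentlets": [
        {
            "identifier": "demo-0001",
            "title": "Welcome",
            "modUser": "dotcms.org.1",
            "modUserName": "Admin User",
            "owner": "dotcms.org.1",
            "modDate": "2024-09-01 10:00:00.0",
            # Relationship field embedding another contentlet.
            "related": [{"title": "Child", "owner": "dotcms.org.1"}],
        }
    ]
}


if __name__ == "__main__":
    import json

    print(json.dumps(filter_response(SAMPLE_RESPONSE, []), indent=2))
    print(json.dumps(filter_response(SAMPLE_RESPONSE, [BACKEND_USER_ROLE]), indent=2))
```

The filter matches on key names only, so a content type that defines its own field called owner or modDate would be redacted too; a gateway cannot tell the two apart, which is one reason field-level permissions are better done inside the product than in front of it. The role set passed in must come from the gateway's own authenticated session or token, never from anything the client can set in the request.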

erickgonzalez commented 1 month ago

Customer Ticket: https://dotcms.freshdesk.com/a/tickets/27525

wezell commented 1 month ago

I would suggest they stand up an API gateway or use the scriptable APIs if they want to achieve something like this in a timely manner.

We have never supported field level permissions such as these.