Open shi9qiu opened 4 months ago
@KoukiHama
Please ensure that the restriction of visibility is configurable. We do not want to restrict any visibility of components and releases. Even with projects we are discussing whether that should be used in the future.
@EttingerK Thank you for the comments. Yes, the restriction of the visibility for components and releases will be configurable as before.
@KoukiHama @heliocastro @ag4ums @EttingerK
The following endpoints will be modified to restrict the visibility of Components and Releases. Please note that this feature is configurable and these changes will only take effect if the feature is enabled in sw360.properties (component.visibility.restriction.enabled=true).
Component:
Endpoint | HTTP method | How to deal with inaccessible data | Details |
---|---|---|---|
/components | GET | Filter the inaccessible data | Only the accessible components will be included in the response body. |
/components/usedBy | GET | Filter the inaccessible data | Only the accessible components will be included in the response body. But use "sw360:restrictedResources" to show the number of restricted resources (Ref: https://github.com/eclipse-sw360/sw360/pull/2107). |
/components/recentComponents | GET | Filter the inaccessible data | Show the list of the 5 most recent components created by the user. |
/components/mySubscriptions | GET | Filter the inaccessible data | Only the accessible components will be included in the response body. But use "sw360:restrictedResources" field to show the number of restricted components. |
/components/searchByExternalIds | GET | Filter the inaccessible data | Only the accessible components will be included in the response body. But use "sw360:restrictedResources" field to show the number of restricted components. |
/components/{id} | GET | Return 403 Error | If requested component is inaccessible, return 403 Error. |
/components/{id}/attachments | GET | Return 403 Error | If requested component is inaccessible, return 403 Error. |
/components/{id}/releases | GET | Return 403 Error | If requested component is inaccessible, return 403 Error. |
/components/{componentId}/attachments/{attachmentId} | GET | Return 403 Error | If requested component is inaccessible, return 403 Error. |
/components/{componentId}/attachments/download | GET | Return 403 Error | If requested component is inaccessible, return 403 Error. |
/components/{id}/vulnerabilities | GET | Return 403 Error | If requested component is inaccessible, return 403 Error. |
Release:
Endpoint | HTTP method | How to deal with inaccessible data | Details |
---|---|---|---|
/releases | GET | Filter the inaccessible data | Only the accessible releases will be included in the response body. |
/releases/usedBy/{id} | GET | Filter the inaccessible data | Only the accessible components will be included in the response body. But use "sw360:restrictedResources" to show the number of restricted resources (Ref: https://github.com/eclipse-sw360/sw360/pull/2107). |
/releases/recentReleases | GET | Filter the inaccessible data | Show the list of the 5 most recent releases created by the user. |
/releases/mySubscriptions | GET | Filter the inaccessible data | Only the accessible releases will be included in the response body. But use "sw360:restrictedResources" field to show the number of restricted releases. |
/releases/searchByExternalIds | GET | Filter the inaccessible data | Only the accessible releases will be included in the response body. But use "sw360:restrictedResources" field to show the number of restricted releases. |
/releases/{id} | GET | Return 403 Error | If requested release is inaccessible, return 403 Error. |
/releases/{id}/vulnerabilities | GET | Return 403 Error | If requested release is inaccessible, return 403 Error. |
/releases/{id}/attachments | GET | Return 403 Error | If requested release is inaccessible, return 403 Error. |
/releases/{releaseId}/attachments/download | GET | Return 403 Error | If requested release is inaccessible, return 403 Error. |
/releases/{releaseId}/attachments/{attachmentId} | GET | Return 403 Error | If requested release is inaccessible, return 403 Error. |
/releases/{id}/checkFossologyProcessStatus | GET | Return 403 Error | If requested release is inaccessible, return 403 Error. |
/releases/{id}/triggerFossologyProcess | GET | Return 403 Error | If requested release is inaccessible, return 403 Error. |
/releases/{id}/reloadFossologyReport | GET | Return 403 Error | If requested release is inaccessible, return 403 Error. |
/releases/{id}/spdxLicensesInfo | GET | Return 403 Error | If requested release is inaccessible, return 403 Error. |
/releases/{id}/assessmentSummaryInfo | GET | Return 403 Error | If requested release is inaccessible, return 403 Error. |
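The two response patterns from the tables above (collection endpoints filter and report a `sw360:restrictedResources` count; single-item endpoints answer 403) as a self-contained, added example. This is illustrative code written for this page, not SW360's own Java implementation: the `Visibility` levels, the `User`/`Component` fields and the `is_accessible` rule are a hypothetical simplification, and the sample users and components are constructed inline. The `component.visibility.restriction.enabled` switch is modelled as the `restriction_enabled` flag so that, with the feature off, nothing is filtered.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple

# Hypothetical visibility levels for the example; SW360's real permission
# rules live in its backend and are not reproduced here.
class Visibility(Enum):
    EVERYONE = "EVERYONE"          # visible to every logged-in user
    BUSINESS_UNIT = "BUSINESS_UNIT"  # visible to the creator's department
    PRIVATE = "PRIVATE"            # visible to the creator only

@dataclass(frozen=True)
class User:
    email: str
    department: str
    is_admin: bool = False

@dataclass(frozen=True)
class Component:
    id: str
    name: str
    created_by: str
    business_unit: str
    visibility: Visibility

RESTRICTED_KEY = "sw360:restrictedResources"

def is_accessible(user: User, c: Component, restriction_enabled: bool) -> bool:
    """Decide whether `user` may see `c`.

    With the feature switched off (component.visibility.restriction.enabled=false)
    every component is visible, which is the 'configurable' requirement above.
    Admins and the creator always see the component."""
    if not restriction_enabled or user.is_admin or c.created_by == user.email:
        return True
    if c.visibility is Visibility.EVERYONE:
        return True
    if c.visibility is Visibility.BUSINESS_UNIT:
        return c.business_unit == user.department
    return False  # PRIVATE and not the creator

def list_components(user: User, components: List[Component],
                    restriction_enabled: bool) -> Dict:
    """Collection endpoint (e.g. GET /components/mySubscriptions):
    drop inaccessible items and report how many were dropped."""
    visible = [c for c in components if is_accessible(user, c, restriction_enabled)]
    return {
        "_embedded": {"sw360:components": [{"id": c.id, "name": c.name} for c in visible]},
        RESTRICTED_KEY: len(components) - len(visible),
    }

def get_component(user: User, components: List[Component], component_id: str,
                  restriction_enabled: bool) -> Tuple[int, Dict]:
    """Single-item endpoint (e.g. GET /components/{id}): 403 when the
    component exists but is inaccessible. 404 for an unknown id is an
    assumption of this example; the thread does not specify it."""
    match = [c for c in components if c.id == component_id]
    if not match:
        return 404, {"message": "component not found"}
    c = match[0]
    if not is_accessible(user, c, restriction_enabled):
        return 403, {"message": "access to this component is restricted"}
    return 200, {"id": c.id, "name": c.name, "visibility": c.visibility.value}

# Constructed sample data for the example.
ALICE = User("alice@example.com", "DEP-A")
BOB = User("bob@example.com", "DEP-B")
ADMIN = User("admin@example.com", "DEP-X", is_admin=True)
COMPONENTS = [
    Component("c1", "zlib", BOB.email, "DEP-B", Visibility.EVERYONE),
    Component("c2", "internal-crypto", BOB.email, "DEP-B", Visibility.BUSINESS_UNIT),
    Component("c3", "bob-private", BOB.email, "DEP-B", Visibility.PRIVATE),
    Component("c4", "alice-private", ALICE.email, "DEP-A", Visibility.PRIVATE),
]

if __name__ == "__main__":
    print(list_components(ALICE, COMPONENTS, True))
    print(get_component(ALICE, COMPONENTS, "c3", True))
```

One point a reviewer of the real endpoints will want to keep in mind: answering 403 for a known-but-restricted id (as the tables specify) tells the caller that the id exists, whereas the filtered collection endpoints only reveal a count. That is consistent with the thread's design, but it is the reason the count field, not the restricted items' ids, is what the collection responses expose.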
As SW360 gradually moves to the new frontend, we are facing such an issue:
Users can set the visibility of projects. Users can also set the visibility of components and releases by enabling the visibility restriction function in the configuration file. However, it does not work on the new frontend for now, so we need to make this setting effective in the new frontend as well.
To achieve this, I will modify some APIs. These APIs are mainly related to fetching data for projects, components, and releases from the backend (GET method). When users request inaccessible data, filter or mask operations will be performed to restrict the visibility.
Later, I will share which APIs will be involved and what modifications we will make to each API.