ihsn / nada

National Data Archive (NADA) is an open source data cataloging system that serves as a portal for researchers to browse, search, compare, apply for access, and download relevant census or survey information. It was originally developed to support the establishment of national survey data archives.
http://nada.ihsn.org
MIT License

Some functions of the web app depend on the API and stop working when the API is disabled #101

Open Obyka opened 9 months ago

Obyka commented 9 months ago

Hello, since it's now possible to disable the API in the settings, this raises some issues. For example, it is not possible to upload or delete a study thumbnail in the administration section because the routes are in the API scope.

POST /api/datasets/thumbnail/[filename]
POST /api/datasets/thumbnail_delete/[filename]

Is there a way to keep the API disabled while thumbnail editing/removal still works?

P.S. There may be more instances of /api/* in the web app; we would be glad to report them if we spot them.

mah0001 commented 9 months ago

We have a few more places such as the "Metadata" edit page that use the API. It would help figure out a better solution if you could describe your use case for disabling the API.

Obyka commented 9 months ago

Our goal is to reduce the attack surface of our NADA instance. Since we don't have the resources to pentest the API, we prefer to simply disable it, since we're not using it yet. Only the web interface will be used.

Is there a way to replace the API routes with web routes, or should we temporarily keep those routes enabled?
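One way to get the effect asked for in the thread (API unreachable from outside, thumbnail editing still working), as an added example that is not part of NADA or this issue: leave the API enabled in NADA's settings and let a reverse proxy expose only the two thumbnail routes the admin UI posts to. It assumes NADA is served behind nginx from an upstream on loopback port 8080 and a placeholder hostname; both are assumptions.

```nginx
# Added example, not NADA's own configuration.
# Assumption: NADA listens only on 127.0.0.1:8080 behind this nginx.
upstream nada {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name nada.example.org;                 # placeholder hostname
    ssl_certificate     /etc/nginx/tls/nada.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/nada.key;

    # The two routes the administration pages need (from the issue above).
    # Regex locations win over the "/api/" prefix location below.
    location ~ ^/api/datasets/thumbnail(_delete)?/[^/]+$ {
        limit_except POST { deny all; }   # the admin UI only POSTs here
        proxy_pass http://nada;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Every other API route is not reachable through the proxy.
    location /api/ {
        return 404;
    }

    # The regular web interface.
    location / {
        proxy_pass http://nada;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The allow-listed routes are still protected only by NADA's own admin session check, and the block is effective only if the upstream is not reachable except through this proxy, so keep the application bound to loopback or a private interface.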