Review current API authorization/permissions

reichlab / forecast-repository

Codebase for Zoltar forecast repository

https://zoltardata.com/

GNU General Public License v3.0

6 stars 3 forks source link

Review current API authorization/permissions #279

Open matthewcornell opened 4 years ago

matthewcornell commented 4 years ago

We are considering (re-)opening up API access to anyone regardless of whether they have a Zoltar account or not. First we need to review and clarify the authorization/permission scheme we want to have for them and other users. This issue is to summarize our current permissions by creating a table that lists resources (projects, models, forecasts, etc.) vs. possible operations (CRUD - create, read, update, delete). Each table cell will indicate yes or no for three user levels: anonymous, non-staff, and staff. (The fourth level - superuser - can do any operation in the system.)

matthewcornell commented 3 years ago

Here's my summary of permissions for all urls/endpoints.

Question:

What's the next step?
Should we review to make sure they still make sense?
Should I go ahead and remove the API restriction that requires user accounts?

url-permissions-2020-11-23.xlsx

matthewcornell commented 3 years ago

MUS: Top-of-the-head points:

Only staff users can create a project. They become the project's owner.
No user can delete any project she does not own.
Non-staff users (i.e., API-only users) cannot create or edit projects, just upload forecasts. (IIRC)
Project owners can edit and delete project, and add/remove model owners.
Model owners can add, edit, and delete models. They can view all models in the owned model's project.
Private projects can only be viewed by project owner or model owners.