Closed Alfiva closed 6 years ago
Maybe I do not understand the REST API, but does this affect the native uSpace? I'm thinking about the case where the REST API is used to connect REST API apps to native uAAL Apps.
It's sort of related but not the same. You could argue that members of one uSpace should be restricted to that space, but the REST API introduces an HTTP "layer" before that, which should be secured as well.
Implemented in b5a213b9e77faf0159618490005ea1acab0467bf. All elements hanging from the space in the path can only be accessed with the credentials that created the space. Others will get 401. You also cannot cheat by POSTing an existing space with your credentials. You will get a 200, but the space is not changed and still belongs to its creator.
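The ownership rule described in the comment above, as an added illustration (constructed here, not the universAAL REST API's own code): the credentials that create a space own it, everything under `/spaces/<space>/...` answers 401 to anyone else, and a POST to an existing space returns 200 without changing its creator. The path layout, the in-memory `SPACES` store and the Basic-auth helper are assumptions for the example.

```python
import base64

# Constructed in-memory store: space id -> identity that created it.
# In a real service this would be the persistence layer.
SPACES = {}


def basic_auth_header(user, password):
    """Build an HTTP Basic Authorization header for a test client (constructed helper)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def _identity_from_auth(headers):
    """Return the client identity from a Basic Authorization header, or None if absent/malformed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, _password = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:  # bad base64 or non-UTF-8 payload: treat as unauthenticated
        return None
    return user or None


def handle(method, path, headers):
    """Dispatch a request for /spaces/<space>[/...]; returns (status, body)."""
    identity = _identity_from_auth(headers)
    if identity is None:
        return 401, "authentication required"
    parts = [p for p in path.split("/") if p]
    if len(parts) < 2 or parts[0] != "spaces":
        return 404, "not found"
    space = parts[1]
    if method == "POST" and len(parts) == 2:
        # Creating a space. An existing space is left untouched and keeps its
        # creator, but the caller still gets 200, as the comment describes.
        SPACES.setdefault(space, identity)
        return 200, space
    if space not in SPACES:
        return 404, "not found"
    # Everything hanging from the space is reachable only by its creator.
    if SPACES[space] != identity:
        return 401, "not the creator of this space"
    return 200, "/".join(parts)
```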
Right now any authenticated client of the REST API (anyone) can access any space or any other resource regardless of who created it. Restrict it so that they can only access their own.