Problem/Motivation

We want to harden security and protect ourselves against other modules' vulnerabilities.

Proposed resolution

Allow specifying each resource as read-only.

Remaining tasks

TBD

User interface changes

The core config screen should get an additional state to have granular opt-in to read-only (add a radio button that says something like: Read-only with whitelisted writes). Then we add some markup that lists all the enabled resources as read-only or read and write.

On each resource configuration form we'll add a checkbox that makes a resource read-only IF "Read-only with whitelisted writes" is selected AND the resource is not disabled.

Comments

e0ipso created an issue. See original summary.

wim leers

Title: Allow per resource read-only » Allow per resource type read-only
Issue tags: +API-First Initiative
divined

What do you want to see in the "whitelisted writes"?

Will it be better to create the permission table instead of read-only status?

GET   {json_api_resource_name}
POST  {json_api_resource_name}
PATCH {json_api_resource_name}

Do you plan that read-only status will close POST/PATCH requests?
If yes, why aren't element permissions enough?
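Both the issue summary's proposal (a site-wide mode plus a per-resource opt-in for writes) and the per-resource, per-method permission table suggested in the comment above can be modelled as a small policy check. The following Python is an added example, not code from JSON:API Extras or Drupal core; the mode names, the `ResourceConfig`/`SitePolicy` types, `is_allowed_by_table` and the sample resource names are assumptions constructed for illustration. It also handles the cases the summary implies but does not spell out (disabled resources, unknown HTTP methods) by failing closed.

```python
# Added example (not JSON:API Extras or Drupal code): models the read-only
# policy from the issue summary and the permission-table alternative from the
# thread. All names and sample values below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet

READ_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
WRITE_METHODS = frozenset({"POST", "PATCH", "DELETE"})

# Site-wide modes, mirroring the three radio-button states the summary proposes
# (assumed identifiers, not the module's config keys).
MODE_READ_WRITE = "read_write"
MODE_READ_ONLY = "read_only"
MODE_READ_ONLY_WHITELIST = "read_only_with_whitelisted_writes"


@dataclass
class ResourceConfig:
    enabled: bool = True
    allow_writes: bool = False  # the per-resource checkbox from the summary


@dataclass
class SitePolicy:
    mode: str = MODE_READ_WRITE
    resources: Dict[str, ResourceConfig] = field(default_factory=dict)

    def is_allowed(self, resource: str, method: str) -> bool:
        """Configuration-level gate only.

        A True here never grants access by itself: entity access and
        permissions are still evaluated afterwards. The point of the gate is
        that a write to a resource that was never opted in is rejected before
        any other module's access logic runs.
        """
        method = method.upper()
        cfg = self.resources.get(resource)
        if cfg is None or not cfg.enabled:
            return False  # unknown or disabled resource type: nothing exposed
        if method in READ_METHODS:
            return True
        if method not in WRITE_METHODS:
            return False  # fail closed on anything unexpected (PUT, TRACE, ...)
        if self.mode == MODE_READ_WRITE:
            return True
        if self.mode == MODE_READ_ONLY:
            return False
        # Read-only with whitelisted writes: only explicitly opted-in resources.
        return cfg.allow_writes

    def effective_table(self) -> Dict[str, str]:
        """The 'read-only' / 'read and write' listing for the core config screen."""
        return {
            name: ("read and write" if self.is_allowed(name, "POST") else "read-only")
            for name, cfg in self.resources.items()
            if cfg.enabled
        }


# Alternative from the thread: an explicit per-resource, per-method table.
PermissionTable = Dict[str, FrozenSet[str]]


def is_allowed_by_table(table: PermissionTable, resource: str, method: str) -> bool:
    """Deny unless the (resource, method) pair is listed; missing rows deny."""
    return method.upper() in table.get(resource, frozenset())


def demo_policy() -> SitePolicy:
    """Constructed sample configuration: one opted-in, one default, one disabled."""
    return SitePolicy(
        mode=MODE_READ_ONLY_WHITELIST,
        resources={
            "node--article": ResourceConfig(allow_writes=True),
            "user--user": ResourceConfig(),
            "taxonomy_term--tags": ResourceConfig(enabled=False),
        },
    )


if __name__ == "__main__":
    policy = demo_policy()
    for res, meth in [("node--article", "PATCH"), ("user--user", "POST"),
                      ("user--user", "GET"), ("taxonomy_term--tags", "GET")]:
        print(f"{meth:6} {res:22} -> {'allow' if policy.is_allowed(res, meth) else 'deny'}")
    print(policy.effective_table())
```

The site-wide mode is evaluated before the per-resource flag, so a resource that has `allow_writes` set is still read-only while the global mode is plain "read-only"; the opt-in only takes effect in the whitelist mode, which is the granular behaviour the summary describes.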

e0ipso

Will it be better to create the permission table instead of read-only status?

I think we should stick to what JSON:API in core decided to do. I think this will be more understandable to less technical users.

bbrala

Status: Active » Closed (won't fix)

This should not live in extras imo, this is just using permissions in core. Don't hesitate to reopen should I be wrong.