This page was created because of
...
Right name \ Endpoint | Initiate | Update* | Submit | Approve | Authorize | Delete | View |
---|---|---|---|---|---|---|---|
REQUISITION_CREATE | + | + | + | | | | |
REQUISITION_APPROVE | | + | | + | | | |
REQUISITION_AUTHORIZE | | + | | | + | | |
REQUISITION_DELETE | | | | | | + | |
REQUISITION_VIEW | + | + | + | + | + | + | + |
* - the user needs only one of these rights.
The REQUISITION_VIEW right is required for all endpoints. In other words, if a user wants to initiate/update/approve/authorize/delete a requisition, this right must be assigned to the user.
A requisition can have a different status when it is updated, which is why a user needs different rights. The REQUISITION_CREATE right is needed when the requisition has INITIATED status, the REQUISITION_APPROVE right is needed when the requisition has AUTHORIZED status and the REQUISITION_AUTHORIZE right is needed when the requisition has SUBMITTED status.
If a user has the right REQUISITION_CREATE, he/she will automatically have the REQUISITION_VIEW right in the system.
HTTP response
If a user has the required right(s), an endpoint should return the appropriate data for that endpoint and the given parameters. Otherwise the endpoint should return the HTTP 403 error code (Forbidden) with an appropriate error message.
...
The easiest way to check whether a given user has a given permission is to use the /users/{id}/hasRight endpoint. This endpoint returns a small object that contains only one bool property with the result. Because we also need the right ID, we should use the /rights/search endpoint to retrieve the correct right based on the provided name. As a first approach we could create/extend a service that uses those two endpoints and call it wherever it is needed (probably in the Requisition Controller).
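An added example (not the project's own code) of the service described above: it resolves a right ID through /rights/search, asks /users/{id}/hasRight, and maps the answer to HTTP 200 or 403 using the table and status rules on this page. The `PermissionService` class, the `http_get` transport, the query parameter names `name` and `rightId`, the `id` and `result` response properties, the fail-closed handling of unknown statuses and the in-memory `fake_backend` are all assumptions.

```python
VIEW = "REQUISITION_VIEW"
# Right needed besides REQUISITION_VIEW, per endpoint (from the table above).
ENDPOINT_RIGHT = {"initiate": "REQUISITION_CREATE", "submit": "REQUISITION_CREATE",
                  "approve": "REQUISITION_APPROVE", "authorize": "REQUISITION_AUTHORIZE",
                  "delete": "REQUISITION_DELETE", "view": None}
# For update, the right depends on the requisition status (as stated above).
UPDATE_RIGHT = {"INITIATED": "REQUISITION_CREATE", "AUTHORIZED": "REQUISITION_APPROVE",
                "SUBMITTED": "REQUISITION_AUTHORIZE"}


class PermissionService:
    """Hypothetical service; http_get(path, params) returns parsed JSON."""

    def __init__(self, http_get):
        self.http_get = http_get
        self.right_ids = {}  # cache: right name -> right ID

    def has_right(self, user_id, name):
        if name not in self.right_ids:
            found = self.http_get("/rights/search", {"name": name})  # assumed param
            if not found or "id" not in found:
                return False  # right not found: fail closed
            self.right_ids[name] = found["id"]  # assumed response shape
        reply = self.http_get(f"/users/{user_id}/hasRight",
                              {"rightId": self.right_ids[name]})  # assumed param
        return bool(reply) and reply.get("result") is True  # assumed property name

    def check(self, user_id, endpoint, status=None):
        """Return (http_status, message) for a call to a requisition endpoint."""
        if endpoint == "update":
            needed = UPDATE_RIGHT.get(status)
            if needed is None:  # assumption: statuses not listed on the page are denied
                return 403, f"update not permitted in status {status}"
        elif endpoint in ENDPOINT_RIGHT:
            needed = ENDPOINT_RIGHT[endpoint]
        else:
            return 403, f"unknown endpoint {endpoint}"
        for right in (VIEW, needed):  # VIEW is required for every endpoint
            if right and not self.has_right(user_id, right):
                return 403, f"user lacks right {right}"
        return 200, "ok"


def fake_backend(grants):
    """Constructed in-memory stand-in for the two endpoints (no network)."""
    ids = {n: f"id-{n}" for n in [VIEW, *ENDPOINT_RIGHT.values()] if n}
    def http_get(path, params):
        if path == "/rights/search":
            return {"id": ids[params["name"]]} if params["name"] in ids else None
        user = path.split("/")[2]  # "/users/{id}/hasRight"
        return {"result": params["rightId"] in {ids[g] for g in grants.get(user, ())}}
    return http_get
```

In a real deployment `http_get` would wrap the authenticated HTTP client, and the controller would turn the 403 tuple into the Forbidden response with its error message.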
AUTHORIZED