This page was created because of - OLMIS-1205Getting issue details... STATUS and provide basic information about new rights that should be added into the requisition module.
New rights
The new rights have to be added into the requisition service to provide additional security for this module. The following rights are only related with a requisition endpoints and other parts of the module (like orders) are not covered in this page. Each endpoint related with CRUD operation on a requisition need unique right. The following table presents relation between endpoint and new rights.
Right name \ Endpoint | Initiate | Update* | Submit | Approve | Authorize | Delete | View |
---|---|---|---|---|---|---|---|
REQUISITION_CREATE | + | + | + | ||||
REQUISITION_APPROVE | + | + | |||||
REQUISITION_AUTHORIZE | + | + | |||||
REQUISITION_DELETE | + | ||||||
REQUISITION_VIEW | + | + | + | + | + | + | + |
* - user needs only one of this rights.
The REQUISITION_VIEW right is required for all endpoints. In other words If a user want to initiate/update/approve/authorize/delete a requisition, the right must be assign to the user.
HTTP response
If a user has a required right(s), an endpoint should return appropriate data related with this endpoint and given parameters. Otherwise the endpoint should return HTTP 403 error code (Forbidden) with appropriate error message.
The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).
The following table presents what message should be returned when the user does not have a right for the given endpoint.
Endpoint | Error code | Error message |
---|---|---|
Initiate | 403 Forbidden | You do not have the following permission to perform this action: REQUISITION_CREATE |
Update | You do not have the following permission to perform this action: REQUISITION_CREATE/REQUISITION_APPROVE/REQUISITION_AUTHORIZE (depends on requisition status) | |
Submit | You do not have the following permission to perform this action: REQUISITION_CREATE | |
Approve | You do not have the following permission to perform this action: REQUISITION_APPROVE | |
Authorize | You do not have the following permission to perform this action: REQUISITION_AUTHORIZE | |
Delete | You do not have the following permission to perform this action: REQUISITION_DELETE | |
View | You do not have the following permission to perform this action: REQUISITION_VIEW |
How to check permission
The most easy way to check if the given user has the given permission is to use /users/{id}/hasRight endpoint. This endpoint returns a small object that contain only one bool property with the result. Also, because we need right ID we should use /rights/search endpoint to retrieve a correct right based on the provided name. In the first approach we could create/extend a service that will use those two endpoints and use it where it is needed (probably in Requisition Controller).