An organization with AUTH_ROLE_ENUM.BULK_DOWNLOAD needs to access the GET /cve endpoint, which is otherwise only available to the Secretariat. It does not need to be able to perform any write operations on the CVE Services database. However,

cve-services/src/middleware/middleware.js
Lines 233 to 247 in 301322d

enables certain write access by an organization with any role.
Possibly the simplest solution would be to rename onlyOrgWithRole to onlyOrgWithPartnerRole, and return the 403 error when the only role is in the dataRetrieval role category instead of the Partner role category. For example, if org.authority.active_roles.length equals 1, and the organization has the BULK_DOWNLOAD role, then the outcome is a 403 error.
There might be a future requirement for a SECRETARIAT_READ_ONLY role, in which any GET request is completed in the same way as for the SECRETARIAT role, but POST and PUT are denied. (I don't know whether this will happen, or what the time scale of the requirement might be.)
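The following is an added example, not code from cve-services, of the check the issue proposes: a middleware that returns 403 unless the organization holds at least one role in the Partner category, so an org whose only role is BULK_DOWNLOAD (dataRetrieval category) is refused write access. It generalizes slightly beyond the single-role case in the issue: any org with no Partner-category role is refused. The role list, the category table and the `req.ctx.org` location are assumptions for illustration.

```javascript
// Added example (not cve-services code). Role names beyond those in the
// issue, the category table and req.ctx.org are assumptions.
const AUTH_ROLE_ENUM = { SECRETARIAT: 'SECRETARIAT', CNA: 'CNA', BULK_DOWNLOAD: 'BULK_DOWNLOAD' };

// Assumed categories: Partner roles may write; dataRetrieval roles are read-only.
const ROLE_CATEGORY = {
  [AUTH_ROLE_ENUM.SECRETARIAT]: 'partner',
  [AUTH_ROLE_ENUM.CNA]: 'partner',
  [AUTH_ROLE_ENUM.BULK_DOWNLOAD]: 'dataRetrieval',
};

// True only when at least one active role is in the Partner category.
// Unknown roles and an empty role list count as "no Partner role".
function hasPartnerRole(org) {
  const roles = (org && org.authority && org.authority.active_roles) || [];
  return roles.some((r) => ROLE_CATEGORY[r] === 'partner');
}

// Express-style middleware: 403 when the org has no Partner-category role,
// otherwise hand the request on to the route handler.
function onlyOrgWithPartnerRole(req, res, next) {
  if (!hasPartnerRole(req.ctx.org)) {
    return res.status(403).json({ error: 'FORBIDDEN' });
  }
  return next();
}

// Minimal harness so the middleware can be exercised without Express:
// records the status code written and whether next() was reached.
function runMiddleware(org) {
  const result = { status: null, nextCalled: false };
  const res = {
    status(code) { result.status = code; return this; },
    json() { return this; },
  };
  onlyOrgWithPartnerRole({ ctx: { org } }, res, () => { result.nextCalled = true; });
  return result;
}

// Constructed sample orgs: BULK_DOWNLOAD only is refused, CNA + BULK_DOWNLOAD passes.
console.log(runMiddleware({ authority: { active_roles: ['BULK_DOWNLOAD'] } }));
console.log(runMiddleware({ authority: { active_roles: ['CNA', 'BULK_DOWNLOAD'] } }));
```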