
dhis2-devs-core team mailing list archive

Re: Read only access to orgunits

 

You could also facade it at the reverse web proxy, i.e. have a publicly
accessible location which is a proxy for an upstream request to
/api/organisationUnits etc which provides the required basic
authentication hidden in the proxy configuration.

On 23 April 2015 at 09:58, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
> On 23 April 2015 at 09:35, Rangarirai Matavire <matavirer@xxxxxxxxx> wrote:
>> Thanks,
>> Is it possible to create a user with no privileges?
>
> Well as little as possible ...
>
> Please check demo.dhis2.org.
>
> I just created a role called "metadata client" and assigned no
> authorities to it.
>
> Then created a user called facility (password Facility1) with role
> "metadata client".
>
> You can see that with these credentials you can't do much with the
> application, but you *can* browse the api at
> https://apps.dhis2.org/demo/api/ including the orgunits at
> https://apps.dhis2.org/demo/api/organisationUnits.
>
> AFAIK that is the minimum level of access you can give an account, and
> is sufficient to be able to export orgunits which is what you need.
>
> Unfortunately the user also has access to all sorts of other metadata
> like charts, reports, user details which is really not ideal if all we
> want to expose is an interface for an orgunit synchronisation.  Would
> be preferable to be able to tie it down to just orgunits,
> orgunitgroups (and sets) and levels.
>
> There are also other "standard" api like CSD and FRED, but for dhis2
> synching you are best working with the native api.
>
> Cheers
> Bob
>
>>
>> On Thu, Apr 2, 2015 at 6:58 PM, Lars Helge Øverland <larshelge@xxxxxxxxx>
>> wrote:
>>>
>>> Hi Bob,
>>>
>>> yes that is correct.
>>>
>>> You can read but of course not create org units without explicit
>>> authority.
>>>
>>> For most objects we now have "sharing" applied, which means you could make
>>> that meta-data private (hidden). We do not have sharing for org units due to
>>> the nature of the hierarchy (would be problematic if some higher-level org
>>> units were private/hidden).
>>>
>>> regards,
>>>
>>> Lars
>>>
>>>
>>> On Thu, Apr 2, 2015 at 6:36 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
>>> wrote:
>>>>
>>>> Hi
>>>>
>>>> I am struggling to find a required authority to create a user which
>>>> has readonly access to the orgunits.
>>>>
>>>> Specifically I want to create an account for a facility registry type
>>>> client who can read orgunits (+groups, levels, attributes) from the
>>>> api - and no access to anything else.  Am I missing something silly?
>>>> The default seems to be if I create a user with no privileges
>>>> whatsoever that user has access to the api metadata and resource
>>>> endpoints.  Is that the way it is?
>>>>
>>>> Cheers
>>>> Bob
>>>>
>>>> --
>>>> Mailing list: https://launchpad.net/~dhis2-devs-core
>>>> Post to     : dhis2-devs-core@xxxxxxxxxxxxxxxxxxx
>>>> Unsubscribe : https://launchpad.net/~dhis2-devs-core
>>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>>
>>
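
The reverse-proxy facade suggested at the top of this message, reduced to its decision logic as an added example (not code from the thread or from DHIS2). It assumes a placeholder upstream address and password, the "facility" account from the quoted reply, and that paging parameters are all a sync client needs; it also goes slightly beyond the suggestion by allow-listing paths, methods and query parameters so the facade exposes only orgunits, groups, group sets and levels.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumptions (placeholders, not from the thread): upstream address, password.
UPSTREAM = "http://127.0.0.1:8080"
SERVICE_USER, SERVICE_PASSWORD = "facility", "CHANGE_ME"

# Org units, groups, group sets and levels only: the collection, or one object
# by 11-character id, with an optional .json/.xml suffix.
ALLOWED_PATH = re.compile(
    r"/(organisationUnits|organisationUnitGroups|organisationUnitGroupSets"
    r"|organisationUnitLevels)(/[A-Za-z][A-Za-z0-9]{10})?(\.json|\.xml)?"
)
ALLOWED_PARAMS = {"paging", "page", "pageSize"}  # assumed enough for a sync client
FORWARDED_HEADERS = {"accept", "accept-encoding"}  # client credentials never pass


def plan_upstream(method, target, client_headers):
    """Decide one request: (200, upstream_url, upstream_headers) or (error, None, None)."""
    if method not in ("GET", "HEAD"):
        return 405, None, None  # read-only facade
    parts = urlsplit(target)
    # Match the raw, still percent-encoded path in full, so "..", "%2F", "//host"
    # and ";param" suffixes are refused rather than normalised.
    if parts.scheme or parts.netloc or not ALLOWED_PATH.fullmatch(parts.path):
        return 404, None, None
    query = urlencode([(k, v) for k, v in parse_qsl(parts.query) if k in ALLOWED_PARAMS])
    headers = {k: v for k, v in client_headers.items() if k.lower() in FORWARDED_HEADERS}
    token = base64.b64encode(f"{SERVICE_USER}:{SERVICE_PASSWORD}".encode()).decode()
    headers["Authorization"] = "Basic " + token  # injected here, unknown to the client
    return 200, f"{UPSTREAM}/api{parts.path}" + ("?" + query if query else ""), headers


if __name__ == "__main__":
    # Constructed requests, including ones the facade must refuse.
    for method, target in [
        ("GET", "/organisationUnits.json?paging=false&fields=users"),
        ("GET", "/organisationUnitLevels"),
        ("GET", "/users"),
        ("GET", "/organisationUnits/../users"),
        ("POST", "/organisationUnits"),
    ]:
        print(method, target, "->", plan_upstream(method, target, {})[:2])
```

The same allow-list can be expressed as location rules in whichever reverse proxy fronts the instance; the point is that the credential lives only on the proxy and every path not listed is refused.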

