dhis2-devs-core team mailing list archive

[Bob Jolliffe <bobjolliffe@xxxxxxxxx>]

Right.  So in combination with that minimal privilege user account,
you would have something like the following:

location ~  api/(organisationUnits
|organisationUnitGroups|organisationUnitGroupSets|organisationUnitLevels)
{ ....



On 23 April 2015 at 11:01, Jason Pickering <jason.p.pickering@xxxxxxxxx> wrote:
> https://www.dhis2.org/doc/snapshot/en/implementer/html/ch08s03.html#d5e623
>
> will show you how to make resources available.
>
> Use with caution.
>
> Regards,
> Jason
>
>
> On Thu, Apr 23, 2015 at 11:03 AM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
> wrote:
>>
>> You could also facade it at the reverse web proxy ie. have a publicly
>> accessable location which is a proxy for an upstream request to
>> /api/organisationUnits etc which provides the required basic
>> authentication hidden in the proxy configuration.
>>
>> On 23 April 2015 at 09:58, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
>> > On 23 April 2015 at 09:35, Rangarirai Matavire <matavirer@xxxxxxxxx>
>> > wrote:
>> >> Thanks,
>> >> Is it possible to create a user with no privileges?
>> >
>> > Well as little as possible ...
>> >
>> > Please check demo.dhis2.org.
>> >
>> > I just created a role called "metadata client" and assigned no
>> > authorities to it.
>> >
>> > Then created a user called facility (password Facility1) with role
>> > "metadata client".
>> >
>> > You can see that with these credentials you can't do much with the
>> > application, but you *can* browse the api at
>> > https://apps.dhis2.org/demo/api/ including the orgunits at
>> > https://apps.dhis2.org/demo/api/organisationUnits.
>> >
>> > AFAIK that is the minimum level of access you can give an account, and
>> > is sufficient to be able to export orgunits which is what you need.
>> >
>> > Unfortunately the user also has access to all sorts of other metadata
>> > like charts, reports, user details which is really not ideal if all we
>> > want to expose is an interface for an orgunit synchronisation..  Would
>> > be preferable to be able to tie it down to just orgunits,
>> > orgunitgroups (and sets) and levels.
>> >
>> > There are also other "standard" api like CSD and FRED, but for dhis2
>> > synching you are best working with the native api.
>> >
>> > Cheers
>> > Bob
>> >
>> >>
>> >> On Thu, Apr 2, 2015 at 6:58 PM, Lars Helge Øverland
>> >> <larshelge@xxxxxxxxx>
>> >> wrote:
>> >>>
>> >>> Hi Bob,
>> >>>
>> >>> yes that is correct.
>> >>>
>> >>> You can read but of course not create org units without explicit
>> >>> authority.
>> >>>
>> >>> For most objects we now have "sharing" applied, which means you could
>> >>> make
>> >>> that meta-data private (hidden). We do not have sharing for org units
>> >>> due to
>> >>> the nature of the hierarchy (would be problematic if some higher-level
>> >>> org
>> >>> units were private/hidden).
>> >>>
>> >>> regards,
>> >>>
>> >>> Lars
>> >>>
>> >>>
>> >>> On Thu, Apr 2, 2015 at 6:36 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
>> >>> wrote:
>> >>>>
>> >>>> Hi
>> >>>>
>> >>>> I am struggling to find an required authority to create a user which
>> >>>> has readonly access to the orgunits.
>> >>>>
>> >>>> Specifically I want to create an account for a facility registry type
>> >>>> client who can read orgunits (+groups, levels, attributes) from the
>> >>>> api - and no acces to anything else.  Am I missing something silly?
>> >>>> The default seems to be If I create a user with no privileges
>> >>>> whatsoever that user has access to the api metadata and resource
>> >>>> endpoints.  Is that the way it is?
>> >>>>
>> >>>> Cheers
>> >>>> Bob
>> >>>>
>> >>>> --
>> >>>> Mailing list: https://launchpad.net/~dhis2-devs-core
>> >>>> Post to     : dhis2-devs-core@xxxxxxxxxxxxxxxxxxx
>> >>>> Unsubscribe : https://launchpad.net/~dhis2-devs-core
>> >>>> More help   : https://help.launchpad.net/ListHelp
>> >>>
>> >>>
>> >>
>>
>> --
>> Mailing list: https://launchpad.net/~dhis2-devs-core
>> Post to     : dhis2-devs-core@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-devs-core
>> More help   : https://help.launchpad.net/ListHelp
>
>
>
>
> --
> Jason P. Pickering
> email: jason.p.pickering@xxxxxxxxx
> tel:+46764147049