
dhis2-devs-core team mailing list archive

Re: Read only access to orgunits

 

And I would probably limit the request type to GET.



On Thu, Apr 23, 2015 at 12:22 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
wrote:

> Right.  So in combination with that minimal privilege user account,
> you would have something like the following:
>
> location ~ api/(organisationUnits|organisationUnitGroups|organisationUnitGroupSets|organisationUnitLevels) { ....
>
>
>
> On 23 April 2015 at 11:01, Jason Pickering <jason.p.pickering@xxxxxxxxx>
> wrote:
> >
> > https://www.dhis2.org/doc/snapshot/en/implementer/html/ch08s03.html#d5e623
> >
> > will show you how to make resources available.
> >
> > Use with caution.
> >
> > Regards,
> > Jason
> >
> >
> > On Thu, Apr 23, 2015 at 11:03 AM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
> > wrote:
> >>
> >> You could also facade it at the reverse web proxy, i.e. have a publicly
> >> accessible location which is a proxy for an upstream request to
> >> /api/organisationUnits etc which provides the required basic
> >> authentication hidden in the proxy configuration.
> >>
> >> On 23 April 2015 at 09:58, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
> >> > On 23 April 2015 at 09:35, Rangarirai Matavire <matavirer@xxxxxxxxx>
> >> > wrote:
> >> >> Thanks,
> >> >> Is it possible to create a user with no privileges?
> >> >
> >> > Well as little as possible ...
> >> >
> >> > Please check demo.dhis2.org.
> >> >
> >> > I just created a role called "metadata client" and assigned no
> >> > authorities to it.
> >> >
> >> > Then created a user called facility (password Facility1) with role
> >> > "metadata client".
> >> >
> >> > You can see that with these credentials you can't do much with the
> >> > application, but you *can* browse the api at
> >> > https://apps.dhis2.org/demo/api/ including the orgunits at
> >> > https://apps.dhis2.org/demo/api/organisationUnits.
> >> >
> >> > AFAIK that is the minimum level of access you can give an account, and
> >> > is sufficient to be able to export orgunits which is what you need.
> >> >
> >> > Unfortunately the user also has access to all sorts of other metadata
> >> > like charts, reports, user details which is really not ideal if all we
> >> > want to expose is an interface for an orgunit synchronisation.  Would
> >> > be preferable to be able to tie it down to just orgunits,
> >> > orgunitgroups (and sets) and levels.
> >> >
> >> > There are also other "standard" api like CSD and FRED, but for dhis2
> >> > synching you are best working with the native api.
> >> >
> >> > Cheers
> >> > Bob
> >> >
> >> >>
> >> >> On Thu, Apr 2, 2015 at 6:58 PM, Lars Helge Øverland
> >> >> <larshelge@xxxxxxxxx>
> >> >> wrote:
> >> >>>
> >> >>> Hi Bob,
> >> >>>
> >> >>> yes that is correct.
> >> >>>
> >> >>> You can read but of course not create org units without explicit
> >> >>> authority.
> >> >>>
> >> >>> For most objects we now have "sharing" applied, which means you could
> >> >>> make that meta-data private (hidden). We do not have sharing for org
> >> >>> units due to the nature of the hierarchy (would be problematic if some
> >> >>> higher-level org units were private/hidden).
> >> >>>
> >> >>> regards,
> >> >>>
> >> >>> Lars
> >> >>>
> >> >>>
> >> >>> On Thu, Apr 2, 2015 at 6:36 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
> >> >>> wrote:
> >> >>>>
> >> >>>> Hi
> >> >>>>
> >> >>>> I am struggling to find a required authority to create a user which
> >> >>>> has readonly access to the orgunits.
> >> >>>>
> >> >>>> Specifically I want to create an account for a facility registry type
> >> >>>> client who can read orgunits (+groups, levels, attributes) from the
> >> >>>> api - and no access to anything else.  Am I missing something silly?
> >> >>>> The default seems to be if I create a user with no privileges
> >> >>>> whatsoever that user has access to the api metadata and resource
> >> >>>> endpoints.  Is that the way it is?
> >> >>>>
> >> >>>> Cheers
> >> >>>> Bob
> >> >>>>
> >> >>>> --
> >> >>>> Mailing list: https://launchpad.net/~dhis2-devs-core
> >> >>>> Post to     : dhis2-devs-core@xxxxxxxxxxxxxxxxxxx
> >> >>>> Unsubscribe : https://launchpad.net/~dhis2-devs-core
> >> >>>> More help   : https://help.launchpad.net/ListHelp
> >> >>>
> >> >>>
> >> >>
> >>
> >
> >
> >
> >
> > --
> > Jason P. Pickering
> > email: jason.p.pickering@xxxxxxxxx
> > tel:+46764147049
>



-- 
Jason P. Pickering
email: jason.p.pickering@xxxxxxxxx
tel:+46764147049
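
The setup this thread arrives at (minimal-privilege account, a proxy location restricted to the org unit endpoints, GET only), written out as an nginx server block. This is an added example, not configuration posted by anyone in the thread; the host name, certificate paths, upstream address and credential string are placeholders, and it assumes DHIS2 is served at the root context of the upstream.

```nginx
# Added example. Host name, certificate paths, upstream address and the
# credential string are placeholders; DHIS2 is assumed at the upstream root.
upstream dhis2_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name orgunits.example.org;
    ssl_certificate     /etc/nginx/ssl/placeholder.crt;
    ssl_certificate_key /etc/nginx/ssl/placeholder.key;

    # Anchored at the start, and the resource name must be followed by the
    # end of the path, "/" or ".", so only these four collections match.
    # The unanchored "api/(...)" form would also match longer paths that
    # merely contain one of the names.
    location ~ ^/api/(organisationUnits|organisationUnitGroups|organisationUnitGroupSets|organisationUnitLevels)([/.]|$) {
        # Read-only: everything except GET (and HEAD, implied by GET) is refused.
        limit_except GET {
            deny all;
        }

        # Credentials of the minimal-privilege account live only here.
        # Replace with base64("username:password") of that account.
        proxy_set_header Authorization "Basic BASE64_PLACEHOLDER";

        # Do not let callers bring their own session, and do not hand the
        # service account's session cookie back to anonymous callers.
        proxy_set_header Cookie "";
        proxy_hide_header Set-Cookie;

        proxy_set_header Host $host;
        proxy_pass http://dhis2_backend;
    }

    # Nothing else on this virtual host reaches DHIS2.
    location / {
        return 404;
    }
}
```

Because the file embeds the account's credential, keep it readable only by the user that starts nginx.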
