dhis2-devs-core team mailing list archive

Re: Read only access to orgunits

 

Agree.  As in the documentation link you referred earlier.

On 23 April 2015 at 11:24, Jason Pickering <jason.p.pickering@xxxxxxxxx> wrote:
> And I would probably limit the request type to GET.
>
>
>
> On Thu, Apr 23, 2015 at 12:22 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
> wrote:
>>
>> Right.  So in combination with that minimal privilege user account,
>> you would have something like the following:
>>
>> location ~ api/(organisationUnits|organisationUnitGroups|organisationUnitGroupSets|organisationUnitLevels) { ....
>>
>>
>>
>> On 23 April 2015 at 11:01, Jason Pickering <jason.p.pickering@xxxxxxxxx>
>> wrote:
>> >
>> > https://www.dhis2.org/doc/snapshot/en/implementer/html/ch08s03.html#d5e623
>> >
>> > will show you how to make resources available.
>> >
>> > Use with caution.
>> >
>> > Regards,
>> > Jason
>> >
>> >
>> > On Thu, Apr 23, 2015 at 11:03 AM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
>> > wrote:
>> >>
>> >> You could also facade it at the reverse web proxy, i.e. have a publicly
>> >> accessible location which is a proxy for an upstream request to
>> >> /api/organisationUnits etc which provides the required basic
>> >> authentication hidden in the proxy configuration.
>> >>
>> >> On 23 April 2015 at 09:58, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
>> >> > On 23 April 2015 at 09:35, Rangarirai Matavire <matavirer@xxxxxxxxx>
>> >> > wrote:
>> >> >> Thanks,
>> >> >> Is it possible to create a user with no privileges?
>> >> >
>> >> > Well as little as possible ...
>> >> >
>> >> > Please check demo.dhis2.org.
>> >> >
>> >> > I just created a role called "metadata client" and assigned no
>> >> > authorities to it.
>> >> >
>> >> > Then created a user called facility (password Facility1) with role
>> >> > "metadata client".
>> >> >
>> >> > You can see that with these credentials you can't do much with the
>> >> > application, but you *can* browse the api at
>> >> > https://apps.dhis2.org/demo/api/ including the orgunits at
>> >> > https://apps.dhis2.org/demo/api/organisationUnits.
>> >> >
>> >> > AFAIK that is the minimum level of access you can give an account,
>> >> > and is sufficient to be able to export orgunits which is what you
>> >> > need.
>> >> >
>> >> > Unfortunately the user also has access to all sorts of other metadata
>> >> > like charts, reports, user details which is really not ideal if all
>> >> > we want to expose is an interface for an orgunit synchronisation.
>> >> > Would be preferable to be able to tie it down to just orgunits,
>> >> > orgunitgroups (and sets) and levels.
>> >> >
>> >> > There are also other "standard" api like CSD and FRED, but for dhis2
>> >> > synching you are best working with the native api.
>> >> >
>> >> > Cheers
>> >> > Bob
>> >> >
>> >> >>
>> >> >> On Thu, Apr 2, 2015 at 6:58 PM, Lars Helge Øverland
>> >> >> <larshelge@xxxxxxxxx>
>> >> >> wrote:
>> >> >>>
>> >> >>> Hi Bob,
>> >> >>>
>> >> >>> yes that is correct.
>> >> >>>
>> >> >>> You can read but of course not create org units without explicit
>> >> >>> authority.
>> >> >>>
>> >> >>> For most objects we now have "sharing" applied, which means you
>> >> >>> could make that meta-data private (hidden). We do not have sharing
>> >> >>> for org units due to the nature of the hierarchy (would be
>> >> >>> problematic if some higher-level org units were private/hidden).
>> >> >>>
>> >> >>> regards,
>> >> >>>
>> >> >>> Lars
>> >> >>>
>> >> >>>
>> >> >>> On Thu, Apr 2, 2015 at 6:36 PM, Bob Jolliffe
>> >> >>> <bobjolliffe@xxxxxxxxx>
>> >> >>> wrote:
>> >> >>>>
>> >> >>>> Hi
>> >> >>>>
>> >> >>>> I am struggling to find a required authority to create a user
>> >> >>>> which has readonly access to the orgunits.
>> >> >>>>
>> >> >>>> Specifically I want to create an account for a facility registry
>> >> >>>> type client who can read orgunits (+groups, levels, attributes)
>> >> >>>> from the api - and no access to anything else.  Am I missing
>> >> >>>> something silly? The default seems to be if I create a user with
>> >> >>>> no privileges whatsoever that user has access to the api metadata
>> >> >>>> and resource endpoints.  Is that the way it is?
>> >> >>>>
>> >> >>>> Cheers
>> >> >>>> Bob
>> >> >>>>
>> >> >>>> --
>> >> >>>> Mailing list: https://launchpad.net/~dhis2-devs-core
>> >> >>>> Post to     : dhis2-devs-core@xxxxxxxxxxxxxxxxxxx
>> >> >>>> Unsubscribe : https://launchpad.net/~dhis2-devs-core
>> >> >>>> More help   : https://help.launchpad.net/ListHelp
>> >> >>>
>> >> >>>
>> >> >>
>> >>
>> >
>> >
>> >
>> >
>> > --
>> > Jason P. Pickering
>> > email: jason.p.pickering@xxxxxxxxx
>> > tel:+46764147049
>
>
>
>
> --
> Jason P. Pickering
> email: jason.p.pickering@xxxxxxxxx
> tel:+46764147049
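
The facade discussed in this thread (a public location proxying to the org unit endpoints, with the minimal-privilege account's basic authentication held in the proxy and requests limited to GET), written out as an added nginx example that is not part of the original messages or the DHIS2 documentation. The host name, certificate paths, upstream address and credential placeholder are assumptions, and the anchored regex goes slightly beyond the pattern quoted above.

```nginx
# Added example: public read-only facade for DHIS2 org unit metadata.
# Assumptions (not from the thread): DHIS2 is reachable at 127.0.0.1:8080
# under the root context, and the Authorization value below is a placeholder
# for base64("user:password") of the minimal-privilege account.

server {
    listen 443 ssl;
    server_name orgunits.example.org;                 # hypothetical host name
    ssl_certificate     /etc/nginx/tls/orgunits.crt;  # hypothetical paths
    ssl_certificate_key /etc/nginx/tls/orgunits.key;

    # Anchored at the start and terminated by "/", "." or end of path.
    # The unanchored form "location ~ api/(organisationUnits|...)" also
    # matches /anything/api/organisationUnits and /api/organisationUnitsXYZ.
    location ~ ^/api/(organisationUnits|organisationUnitGroups|organisationUnitGroupSets|organisationUnitLevels)(/|\.|$) {

        # Read-only: allowing GET also allows HEAD; every other method is denied.
        limit_except GET {
            deny all;
        }

        # Credentials live only in the proxy configuration. Setting the header
        # here replaces any Authorization header sent by the client.
        proxy_set_header Authorization "Basic REPLACE_WITH_BASE64_CREDENTIALS";

        # An empty value means the header is not passed upstream, so a client
        # cannot present its own session cookie to DHIS2.
        proxy_set_header Cookie "";

        # Keep the session issued to the hidden account from reaching clients.
        proxy_hide_header Set-Cookie;

        # No URI part on proxy_pass: the request path is forwarded unchanged.
        proxy_pass http://127.0.0.1:8080;
    }

    # Everything else on this host is not exposed.
    location / {
        return 404;
    }
}
```

Because the proxy authenticates on behalf of every caller, the account behind it should stay the no-authority role described earlier in the thread, and the configuration file should be readable only by the nginx user.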

