
dhis2-devs-core team mailing list archive

Re: Read only access to orgunits

 

Thanks for the feedback. Will try the solution in our case.
On 23 Apr 2015 1:00 PM, "Bob Jolliffe" <bobjolliffe@xxxxxxxxx> wrote:

> Agree.  As in the documentation link you referred to earlier.
>
> On 23 April 2015 at 11:24, Jason Pickering <jason.p.pickering@xxxxxxxxx>
> wrote:
> > And I would probably limit the request type to GET.
> >
> >
> >
> > On Thu, Apr 23, 2015 at 12:22 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
> > wrote:
> >>
> >> Right.  So in combination with that minimal privilege user account,
> >> you would have something like the following:
> >>
> >> location ~ api/(organisationUnits|organisationUnitGroups|organisationUnitGroupSets|organisationUnitLevels)
> >> { ....
> >>
> >>
> >>
> >> On 23 April 2015 at 11:01, Jason Pickering <jason.p.pickering@xxxxxxxxx>
> >> wrote:
> >> >
> >> >
> >> > https://www.dhis2.org/doc/snapshot/en/implementer/html/ch08s03.html#d5e623
> >> >
> >> > will show you how to make resources available.
> >> >
> >> > Use with caution.
> >> >
> >> > Regards,
> >> > Jason
> >> >
> >> >
> >> > On Thu, Apr 23, 2015 at 11:03 AM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
> >> > wrote:
> >> >>
> >> >> You could also facade it at the reverse web proxy ie. have a publicly
> >> >> accessible location which is a proxy for an upstream request to
> >> >> /api/organisationUnits etc which provides the required basic
> >> >> authentication hidden in the proxy configuration.
> >> >>
> >> >> On 23 April 2015 at 09:58, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
> >> >> > On 23 April 2015 at 09:35, Rangarirai Matavire <matavirer@xxxxxxxxx>
> >> >> > wrote:
> >> >> >> Thanks,
> >> >> >> Is it possible to create a user with no privileges?
> >> >> >
> >> >> > Well as little as possible ...
> >> >> >
> >> >> > Please check demo.dhis2.org.
> >> >> >
> >> >> > I just created a role called "metadata client" and assigned no
> >> >> > authorities to it.
> >> >> >
> >> >> > Then created a user called facility (password Facility1) with role
> >> >> > "metadata client".
> >> >> >
> >> >> > You can see that with these credentials you can't do much with the
> >> >> > application, but you *can* browse the api at
> >> >> > https://apps.dhis2.org/demo/api/ including the orgunits at
> >> >> > https://apps.dhis2.org/demo/api/organisationUnits.
> >> >> >
> >> >> > AFAIK that is the minimum level of access you can give an account,
> >> >> > and
> >> >> > is sufficient to be able to export orgunits which is what you need.
> >> >> >
> >> >> > Unfortunately the user also has access to all sorts of other
> >> >> > metadata like charts, reports, user details which is really not
> >> >> > ideal if all we want to expose is an interface for an orgunit
> >> >> > synchronisation. Would be preferable to be able to tie it down to
> >> >> > just orgunits, orgunitgroups (and sets) and levels.
> >> >> >
> >> >> > There are also other "standard" api like CSD and FRED, but for
> >> >> > dhis2 synching you are best working with the native api.
> >> >> >
> >> >> > Cheers
> >> >> > Bob
> >> >> >
> >> >> >>
> >> >> >> On Thu, Apr 2, 2015 at 6:58 PM, Lars Helge Øverland
> >> >> >> <larshelge@xxxxxxxxx>
> >> >> >> wrote:
> >> >> >>>
> >> >> >>> Hi Bob,
> >> >> >>>
> >> >> >>> yes that is correct.
> >> >> >>>
> >> >> >>> You can read but of course not create org units without explicit
> >> >> >>> authority.
> >> >> >>>
> >> >> >>> For most objects we now have "sharing" applied, which means you
> >> >> >>> could
> >> >> >>> make
> >> >> >>> that meta-data private (hidden). We do not have sharing for org
> >> >> >>> units
> >> >> >>> due to
> >> >> >>> the nature of the hierarchy (would be problematic if some
> >> >> >>> higher-level
> >> >> >>> org
> >> >> >>> units were private/hidden).
> >> >> >>>
> >> >> >>> regards,
> >> >> >>>
> >> >> >>> Lars
> >> >> >>>
> >> >> >>>
> >> >> >>> On Thu, Apr 2, 2015 at 6:36 PM, Bob Jolliffe
> >> >> >>> <bobjolliffe@xxxxxxxxx>
> >> >> >>> wrote:
> >> >> >>>>
> >> >> >>>> Hi
> >> >> >>>>
> >> >> >>>> I am struggling to find a required authority to create a user
> >> >> >>>> which
> >> >> >>>> has readonly access to the orgunits.
> >> >> >>>>
> >> >> >>>> Specifically I want to create an account for a facility registry
> >> >> >>>> type
> >> >> >>>> client who can read orgunits (+groups, levels, attributes) from
> >> >> >>>> the
> >> >> >>>> api - and no access to anything else.  Am I missing something
> >> >> >>>> silly?
> >> >> >>>> The default seems to be if I create a user with no privileges
> >> >> >>>> whatsoever that user has access to the api metadata and resource
> >> >> >>>> endpoints.  Is that the way it is?
> >> >> >>>>
> >> >> >>>> Cheers
> >> >> >>>> Bob
> >> >> >>>>
> >> >> >>>> --
> >> >> >>>> Mailing list: https://launchpad.net/~dhis2-devs-core
> >> >> >>>> Post to     : dhis2-devs-core@xxxxxxxxxxxxxxxxxxx
> >> >> >>>> Unsubscribe : https://launchpad.net/~dhis2-devs-core
> >> >> >>>> More help   : https://help.launchpad.net/ListHelp
> >> >> >>>
> >> >> >>>
> >> >> >>
> >> >>
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Jason P. Pickering
> >> > email: jason.p.pickering@xxxxxxxxx
> >> > tel:+46764147049
> >
> >
> >
> >
> > --
> > Jason P. Pickering
> > email: jason.p.pickering@xxxxxxxxx
> > tel:+46764147049
>
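
The proxy facade discussed in this thread, written out as a complete nginx server block (an added example, not configuration posted by anyone on the list). The server name, certificate paths, upstream address, root context path and the Basic credential are placeholders, and the end-anchored pattern is an assumption about which URL shapes the client needs.

```nginx
# Added example; hostnames, ports, paths and the credential are placeholders.
server {
    listen 443 ssl;
    server_name orgunits.example.org;               # assumed public name
    ssl_certificate     /etc/nginx/ssl/example.crt; # assumed path
    ssl_certificate_key /etc/nginx/ssl/example.key; # assumed path

    # Weak form, for comparison: an unanchored pattern is a substring search,
    # so it also matches paths such as /x/api/organisationUnitsXYZ/...
    #   location ~ api/(organisationUnits|...) { ... }

    # Anchored at both ends: only the four collections, optionally one object
    # id and a .json/.xml suffix. Assumes DHIS2 is deployed at the root
    # context; id and suffix shapes are assumptions.
    location ~ ^/api/(organisationUnits|organisationUnitGroups|organisationUnitGroupSets|organisationUnitLevels)(/[A-Za-z0-9]+)?(\.(json|xml))?$ {
        # Read-only: GET (and implicitly HEAD) pass, other methods get 403.
        limit_except GET {
            deny all;
        }

        # Credentials of the minimal-privilege account live only here.
        # Setting the header replaces whatever the client sent.
        proxy_set_header Authorization "Basic <BASE64_OF_USER_COLON_PASSWORD>";

        # Do not forward client cookies, and do not hand the upstream
        # session cookie of the facade account back to the client.
        proxy_set_header Cookie "";
        proxy_hide_header Set-Cookie;

        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;           # assumed DHIS2 upstream
    }

    # Everything else on this public name is refused.
    location / {
        return 404;
    }
}
```

Because the file embeds a credential, keep it readable only by root and the nginx user, and check the result with `nginx -t` before reloading.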
