Unrestricting access to valid reasons, sources and destinations

Hey everyone,

  I wanted to get your opinion about right checks for the following endpoints:

  GET /validReasons

  GET /validSources

  GET /validDestinations

On the fulfillment UI, we are currently using the /validReasons endpoint to fetch all the reasons the user can use to reject the received stock on the proof of delivery page. Unfortunately, only users that have administration rights for reasons, sources and destinations can view all of them. Other users can only query for resources at the facility type that matches their home facility type and for programs that is supported at their home facility. This means that we currently cannot display users the rejection reasons unless they have got the admin right assigned OR both the facility type happens to match their home facility type AND the given program is supported at user's home facility (neither of which needs to be the case).

I wanted to propose removing this restriction to view reasons, sources and destinations and allow all logged users to query for them at any facility type and program. This would only affect VIEWING the resource (aka GET). Managing them (POST, DELETE) would still be restricted to the administration rights as it currently is.

Note 1: We only use /validReasons on the Fulfillment UI - but since the permission check logic is the same for all of them, I think it makes sense to have it consistent for all of them

Note 2: If we don't want to unrestrict those GETs, how else do we want to handle this? I don't think we should assume users will only manage PODs at their home facility.

Thoughts?

Best regards,

Sebastian.
···


Sebastian Brudziński

              Senior Software Developer / Team Leader

sbrudzinski@soldevelo.com

SolDevelo
Sp. z o.o. [LLC] / www.soldevelo.com
Al. Zwycięstwa 96/98, 81-451, Gdynia, Poland
Phone: +48 58 782 45 40 / Fax: +48 58 782 45 41

Sebastian’s proposal makes sense to me. I support this.

Note: The limitation on home facility is only there because currently the Stock Management UI only supports users acting at their home facility. In Stock Management, a user can only do a Physical Inventory or make an Adjustment/Issue/Receive at their home facility and nowhere else. That limitation has been there since Stock Management was introduced in v3.1. That limitation will need to be changed at some point (it is a known requirement for users to be able to record adjustments or conduct a physical inventory at more than just their one home facility).

-Brandon

···

From: openlmis-dev@googlegroups.com on behalf of Sebastian Brudziński sbrudzinski@soldevelo.com

Date: Monday, March 12, 2018 at 10:37 AM

To:openlmis-dev@googlegroups.comopenlmis-dev@googlegroups.com

Subject: [openlmis-dev] Unrestricting access to valid reasons, sources and destinations

Hey everyone,

I wanted to get your opinion about right checks for the following endpoints:

GET /validReasons

GET /validSources

GET /validDestinations

On the fulfillment UI, we are currently using the /validReasons endpoint to fetch all the reasons the user can use to reject the received stock on the proof of delivery page. Unfortunately, only users that have administration rights for reasons, sources and destinations can view all of them. Other users can only query for resources at the facility type that matches their home facility type and for programs that is supported at their home facility. This means that we currently cannot display users the rejection reasons unless they have got the admin right assigned OR both the facility type happens to match their home facility type AND the given program is supported at user’s home facility (neither of which needs to be the case).

I wanted to propose removing this restriction to view reasons, sources and destinations and allow all logged users to query for them at any facility type and program. This would only affect VIEWING the resource (aka GET). Managing them (POST, DELETE) would still be restricted to the administration rights as it currently is.

Note 1: We only use /validReasons on the Fulfillment UI - but since the permission check logic is the same for all of them, I think it makes sense to have it consistent for all of them

Note 2: If we don’t want to unrestrict those GETs, how else do we want to handle this? I don’t think we should assume users will only manage PODs at their home facility.

Thoughts?

Best regards,

Sebastian.

Sebastian Brudziński

Senior Software Developer / Team Leader

sbrudzinski@soldevelo.com

**http://www.soldevelo.com/sites/default/files/Soldevelo_logo_EPS_CMYK.png

SolDevelo** Sp. z o.o. [LLC] / www.soldevelo.com

Al. Zwycięstwa 96/98, 81-451, Gdynia, Poland

Phone: +48 58 782 45 40 / Fax: +48 58 782 45 41

You received this message because you are subscribed to the Google Groups “OpenLMIS Dev” group.

To unsubscribe from this group and stop receiving emails from it, send an email to openlmis-dev+unsubscribe@googlegroups.com.

To post to this group, send email to openlmis-dev@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/openlmis-dev/107e48c4-032b-f60b-5fbd-52bca2a98ee4%40soldevelo.com.

For more options, visit https://groups.google.com/d/optout.

Agreed. The list of acceptable sources and destinations should maybe be limited to a narrower subset of users that only have direct stock-access to a facility, however I doubt it. So long as you’re logged in, clearing the security check to see the full list of adjustment reasons and source and destination facilities in OpenLMIS seems acceptable.

-Josh

···

On Monday, March 12, 2018 at 11:02:24 AM UTC-7, brandon.bowersox-johnson wrote:

Sebastian’s proposal makes sense to me. I support this.

Note: The limitation on home facility is only there because currently the Stock Management UI only supports users acting at their home facility. In Stock Management, a user can only do a Physical Inventory or make an Adjustment/Issue/Receive at their home facility and nowhere else. That limitation has been there since Stock Management was introduced in v3.1. That limitation will need to be changed at some point (it is a known requirement for users to be able to record adjustments or conduct a physical inventory at more than just their one home facility).

-Brandon

From: openlm...@googlegroups.com on behalf of Sebastian Brudziński sbrud...@soldevelo.com

Date: Monday, March 12, 2018 at 10:37 AM

To:openlm...@googlegroups.comopenlm...@googlegroups.com

Subject: [openlmis-dev] Unrestricting access to valid reasons, sources and destinations

Hey everyone,

I wanted to get your opinion about right checks for the following endpoints:

GET /validReasons

GET /validSources

GET /validDestinations

On the fulfillment UI, we are currently using the /validReasons endpoint to fetch all the reasons the user can use to reject the received stock on the proof of delivery page. Unfortunately, only users that have administration rights for reasons, sources and destinations can view all of them. Other users can only query for resources at the facility type that matches their home facility type and for programs that is supported at their home facility. This means that we currently cannot display users the rejection reasons unless they have got the admin right assigned OR both the facility type happens to match their home facility type AND the given program is supported at user’s home facility (neither of which needs to be the case).

I wanted to propose removing this restriction to view reasons, sources and destinations and allow all logged users to query for them at any facility type and program. This would only affect VIEWING the resource (aka GET). Managing them (POST, DELETE) would still be restricted to the administration rights as it currently is.

Note 1: We only use /validReasons on the Fulfillment UI - but since the permission check logic is the same for all of them, I think it makes sense to have it consistent for all of them

Note 2: If we don’t want to unrestrict those GETs, how else do we want to handle this? I don’t think we should assume users will only manage PODs at their home facility.

Thoughts?

Best regards,

Sebastian.

Sebastian Brudziński

Senior Software Developer / Team Leader

sbrudzinski@soldevelo.com

**http://www.soldevelo.com/sites/default/files/Soldevelo_logo_EPS_CMYK.png

SolDevelo** Sp. z o.o. [LLC] / www.soldevelo.com

Al. Zwycięstwa 96/98, 81-451, Gdynia, Poland

Phone: +48 58 782 45 40 / Fax: +48 58 782 45 41

You received this message because you are subscribed to the Google Groups “OpenLMIS Dev” group.

To unsubscribe from this group and stop receiving emails from it, send an email to openlmis-dev+unsubscribe@googlegroups.com.

To post to this group, send email to openlmis-dev@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/openlmis-dev/107e48c4-032b-f60b-5fbd-52bca2a98ee4%40soldevelo.com.

For more options, visit https://groups.google.com/d/optout.