Sebastian’s proposal makes sense to me. I support this.
Note: The limitation on home facility is only there because currently the Stock Management UI only supports users acting at their home facility. In Stock Management, a user can only do a Physical Inventory or make an Adjustment/Issue/Receive at their home facility and nowhere else. That limitation has been there since Stock Management was introduced in v3.1. That limitation will need to be changed at some point (it is a known requirement for users to be able to record adjustments or conduct a physical inventory at more than just their one home facility).
From: email@example.com on behalf of Sebastian Brudziński firstname.lastname@example.org
Date: Monday, March 12, 2018 at 10:37 AM
To: “email@example.com” firstname.lastname@example.org
Subject: [openlmis-dev] Unrestricting access to valid reasons, sources and destinations
I wanted to get your opinion about right checks for the following endpoints:
On the fulfillment UI, we are currently using the /validReasons endpoint to fetch all the reasons the user can use to reject the received stock on the proof of delivery page. Unfortunately, only users that have administration rights for reasons, sources and destinations can view all of them. Other users can only query for resources at the facility type that matches their home facility type and for programs that are supported at their home facility. This means that we currently cannot display the rejection reasons to users unless they have got the admin right assigned OR both the facility type happens to match their home facility type AND the given program is supported at the user’s home facility (neither of which needs to be the case).
I wanted to propose removing this restriction to view reasons, sources and destinations and allow all logged users to query for them at any facility type and program. This would only affect VIEWING the resource (aka GET). Managing them (POST, DELETE) would still be restricted to the administration rights as it currently is.
Note 1: We only use /validReasons on the Fulfillment UI - but since the permission check logic is the same for all of them, I think it makes sense to have it consistent for all of them.
Note 2: If we don’t want to unrestrict those GETs, how else do we want to handle this? I don’t think we should assume users will only manage PODs at their home facility.
Senior Software Developer / Team Leader
SolDevelo Sp. z o.o. [LLC] / www.soldevelo.com
Al. Zwycięstwa 96/98, 81-451, Gdynia, Poland
Phone: +48 58 782 45 40 / Fax: +48 58 782 45 41
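To make the two access rules in the thread concrete, here is an added illustrative model (not OpenLMIS code) of the current check versus the proposed one, exercised with a constructed fulfillment user working on a POD away from their home facility. The right names ADMIN_RIGHT and "pods_manage" are placeholders, not the real OpenLMIS constants.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Hypothetical right standing in for the reasons/sources/destinations
# administration right; the real OpenLMIS constant is not on the page.
ADMIN_RIGHT = "ADMIN_REASONS_SOURCES_DESTINATIONS"


@dataclass(frozen=True)
class User:
    rights: FrozenSet[str]
    home_facility_type: str
    home_programs: FrozenSet[str]  # programs supported at the home facility


def current_check(user: Optional[User], method: str,
                  facility_type: str, program: str) -> bool:
    """Rule as the thread describes it today: admins may do anything;
    other users may only GET resources whose facility type equals their
    home facility type AND whose program is supported at their home facility."""
    if user is None:
        return False
    if ADMIN_RIGHT in user.rights:
        return True
    if method != "GET":
        return False
    return (facility_type == user.home_facility_type
            and program in user.home_programs)


def proposed_check(user: Optional[User], method: str,
                   facility_type: str, program: str) -> bool:
    """Sebastian's proposal: any logged-in user may GET at any facility type
    and program; POST/DELETE still require the administration right."""
    if user is None:
        return False  # still requires an authenticated user
    if method == "GET":
        return True
    return ADMIN_RIGHT in user.rights


def pod_rejection_scenario():
    """Constructed case: a fulfillment user (hypothetical 'pods_manage' right,
    no admin right) rejecting stock on a POD at a district warehouse, while
    their home facility is a health centre supporting only the EPI program.
    Returns (current GET, proposed GET, proposed POST)."""
    user = User(rights=frozenset({"pods_manage"}),
                home_facility_type="health_center",
                home_programs=frozenset({"EPI"}))
    args = (user, "GET", "district_warehouse", "Family Planning")
    return (current_check(*args), proposed_check(*args),
            proposed_check(user, "POST", "district_warehouse", "Family Planning"))
```

The scenario shows the gap the thread describes: the current rule hides the rejection reasons from this user, the proposed rule lets them read the reasons while still refusing the POST.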