This means that anyone having a valid user account can log in and retrieve subscription information of another user, right? If so, isn't it a security violation?
Thanks,
NuwanD.

On Thu, Oct 17, 2013 at 10:45 AM, Punnadi Gunarathna <punn...@wso2.com> wrote:

> Hi All,
>
> In API-M 1.5.0 there is an API [1] in [2] which takes the application name as
> the input parameter and returns API information [3]. Moreover it uses the
> logged-in user's username to get the results along with the application
> name.
>
> [1] getSubscriptionByApplication
> [2] store/site/blocks/subscription/subscription-list/ajax/subscription-list.jag
> [3] apiName, apiVersion, apiProvider, description, subscribedTier, status
>
> But as per the requirement in App Factory, only app owners can subscribe
> to APIs. Therefore the above API can only be invoked when the app owner is logged in
> to the system (API-M has SSO). The problem is when other users log in
> to App Factory, there is no way to get API information by using the above API.
>
> Hence I had an offline chat with Dimuthu and we decided to modify [2] in
> such a way that [1] will require another parameter which is "username". So
> I have modified the API as follows and we will use this as a custom patch.
>
>     if (action == "getSubscriptionByApplication") {
>         var appname = request.getParameter("app");
>         var username = request.getParameter("username");
>         if (!user) {
>             print({
>                 error:true,
>                 message:msg.error.loginRequired(action)
>             });
>             return;
>         }
>         var obj;
>         if (username == null) {
>             // No explicit user requested: fall back to the logged-in user.
>             username = user.username;
>         } else {
>             // Only the tenant domain (the part after '@') of the requested user is
>             // compared with the logged-in user's domain; a username without '@'
>             // is treated as a mismatch instead of throwing on undefined.trim().
>             var externalUserDomain = username.split("@")[1];
>             var loggedInUserDomain = user.username.split("@")[1];
>             if (externalUserDomain == null || loggedInUserDomain == null ||
>                 externalUserDomain.trim() != loggedInUserDomain.trim()) {
>                 obj = {
>                     error:true,
>                     message:"Logged in user and requested user are from different domains"
>                 };
>                 print(obj);
>                 return;
>             }
>         }
>
>         var mod = jagg.module("subscription");
>         var result;
>         try {
>             result = mod.getAPISubscriptionsForApplication(username, appname);
>         } catch (e) {
>             log.error("Error while retrieving subscriptions for application \n" + e.message);
>             throw "Error while retrieving subscriptions for application";
>         }
>         if (result.error) {
>             obj = {
>                 error:result.error,
>                 message:msg.error.authError(action, username)
>             };
>         } else {
>             obj = {
>                 error:false,
>                 apis:result.subscriptions
>             };
>         }
>         print(obj);
>     } else {
>         print({
>             error:true,
>             message:msg.error.invalidAction(action)
>         });
>     }
>
> --
> Thanks and Regards,
>
> Punnadi Gunarathna
> Senior Software Engineer,
> WSO2, Inc.; http://wso2.com
> Blog: http://hi-my-world.blogspot.com/
> Tel : 94 11 214 5345
> Fax :94 11 2145300
>
> <http://lalajisureshika.blogspot.com/>
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>

--
Nuwan Dias
Senior Software Engineer - WSO2, Inc.
http://wso2.com
email : nuw...@wso2.com
Phone : +94 777 775 729
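An added example, not from this thread or from WSO2's code, that puts the domain-only check of the quoted patch next to an authorization check keyed on the application rather than on a client-supplied username. The application registry, membership lists and subscription records are constructed sample data; the function names are hypothetical.

```javascript
// Constructed application registry: appName -> { owner, members }.
const applications = {
  "PizzaShackApp": { owner: "alice@acme.com", members: ["alice@acme.com", "bob@acme.com"] },
  "PayrollApp":    { owner: "carol@acme.com", members: ["carol@acme.com"] },
};

// Constructed subscription records keyed by the subscribing user.
const subscriptions = {
  "alice@acme.com": [{ apiName: "PizzaShackAPI", apiVersion: "1.0.0" }],
  "carol@acme.com": [{ apiName: "PayrollAPI", apiVersion: "2.0.0" }],
};

// Tenant domain is the part after '@'; null when the username has no domain.
function tenantDomain(username) {
  const parts = username.split("@");
  return parts.length === 2 ? parts[1].trim() : null;
}

// Check as written in the quoted patch: only the tenant domains must match,
// so any user of the domain may read any other same-domain user's subscriptions.
function domainOnlyCheck(loggedInUser, requestedUser) {
  const ext = tenantDomain(requestedUser);
  const own = tenantDomain(loggedInUser);
  return ext !== null && own !== null && ext === own;
}

// Hardened form: the caller names the application, never the user. The server
// verifies that the caller is the owner or a member of that application and
// derives the owner's username itself, so the records returned always belong
// to an application the caller is entitled to see.
function getSubscriptionsForApplication(loggedInUser, appName) {
  const app = applications[appName];
  if (!app) {
    return { error: true, message: "unknown application " + appName };
  }
  if (tenantDomain(app.owner) !== tenantDomain(loggedInUser)) {
    return { error: true, message: "application belongs to another tenant" };
  }
  if (app.owner !== loggedInUser && !app.members.includes(loggedInUser)) {
    return { error: true, message: "not authorized for application " + appName };
  }
  return { error: false, apis: subscriptions[app.owner] || [] };
}
```

With the domain-only check, `bob@acme.com` asking for `carol@acme.com` passes, which is the gap raised in the reply above; with the application-keyed check, the same user gets the subscriptions of an application he is a member of and an authorization error for one he is not, and the `username` parameter disappears from the request entirely.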