Adding Privilege Check for REST endpoints.

Hi everyone,

I have prepared an endpoint to expose the System Logs via the REST endpoint. But the request should be validated by the user privileges before exposing the logs through the REST services. I have checked the web services module, but couldn’t find anything related to my case. Can somebody help me to add the privilege check for REST services?

CC: @darius

Are you asking how to do this in code? I don’t think that we have any AOP wrappers around the REST resources, so you would not be able to use our typical annotations that are used on service methods. You could do something like this though: https://github.com/openmrs/openmrs-core/blob/3c69e6445220e13aee7d1ec177296095a611356a/api/src/main/java/org/openmrs/api/impl/CohortServiceImpl.java#L56

Also, I would send a PR to openmrs-core adding a privilege check for accessing the server logs (even though you’d still want to add the check in the REST module so that you don’t have to wait for people to upgrade to the latest OpenMRS core just for this).

Thanks @darius.

Yeah, we don’t have any such related implementation in the REST module right now.

> Also, I would send a PR to openmrs-core adding a privilege check for accessing the server logs (even though you’d still want to add the check in the REST module so that you don’t have to wait for people to upgrade to the latest OpenMRS core just for this).

I agree with you. I will add a privilege check at the REST endpoint right now to make this process easy and then I will send a PR to the OpenMRS-Core with the required privilege check. I have required the VIEW_ADMIN_FUNCTIONS privilege to retrieve the server logs. So the following method will help me to implement this privilege check.

```java
Context.requirePrivilege(PrivilegeConstants.VIEW_ADMIN_FUNCTIONS);
```

This isn’t right. (If you look at the description of that privilege it is “Able to view the ‘Administration’ link in the navigation bar”).

I would create a new privilege like “Get Server Logs”.

> I would create a new privilege like “Get Server Logs”.

I thought about this also, but I need to add the GET_SERVER_LOGS constant value to the openmrs-core PrivilegeConstants. So then the web services module will need the upgraded version of OpenMRS.

Is it possible to use the “Get Server Logs” string constant inside the REST module to check the privilege? So the user needs to create this privilege manually to the respected access user. (We can skip the core upgrade requirement.)

```java
public static final String GET_SERVER_LOGS = "Get Server Logs";

public List<String[]> getServerLogs() {
    Context.requirePrivilege(GET_SERVER_LOGS);
    ....
}
```

CC : @darius

@darius Could I get some of your help to complete this one :slight_smile:?

Yes, your solution is a good one.

(It’s better to repeat the hardcoded string in the webservices.rest module, since this saves us from requiring everyone to upgrade openmrs-core.)
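
The approach agreed above, as an added example that is not part of the original thread or the OpenMRS code base: a self-contained model showing that a dedicated "Get Server Logs" privilege denies a user who only holds the navigation privilege, and denies everyone until the privilege is created and granted. The `Context` class here is a hypothetical stand-in for `org.openmrs.api.context.Context`, and the log line is constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ServerLogPrivilegeDemo {

    // Hardcoded in the REST module, as agreed in the thread, so no core upgrade is needed.
    public static final String GET_SERVER_LOGS = "Get Server Logs";
    // Stand-in for PrivilegeConstants.VIEW_ADMIN_FUNCTIONS (a UI navigation privilege).
    static final String VIEW_ADMIN_FUNCTIONS = "View Administration Functions";

    // Hypothetical stand-in for the authenticated user context (not the OpenMRS class).
    static class Context {
        private static Set<String> privileges = new HashSet<>();
        static void actAs(String... granted) {
            privileges = new HashSet<>(Arrays.asList(granted));
        }
        static void requirePrivilege(String privilege) {
            if (!privileges.contains(privilege)) {
                throw new SecurityException("Privilege required: " + privilege);
            }
        }
    }

    // The check runs first, so nothing is read for an unauthorized caller.
    public static List<String[]> getServerLogs() {
        Context.requirePrivilege(GET_SERVER_LOGS);
        List<String[]> logs = new ArrayList<>();
        logs.add(new String[] { "INFO", "constructed sample log line" });
        return logs;
    }

    static String attempt(String who) {
        try {
            return who + ": allowed, " + getServerLogs().size() + " line(s)";
        } catch (SecurityException e) {
            return who + ": denied (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        Context.actAs(VIEW_ADMIN_FUNCTIONS); // can see the Administration link only
        System.out.println(attempt("nav-only user"));
        Context.actAs(); // privilege not yet created or granted: fails closed
        System.out.println(attempt("ungranted user"));
        Context.actAs(GET_SERVER_LOGS); // dedicated privilege granted through a role
        System.out.println(attempt("log reader"));
    }
}
```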

Thanks @darius. I have updated the RESTConstants file with the new privilege constant value.

I have completed this implementation and am working on the PR reviews.

I can see the serverlogs resource through the swagger docs in the openmrs-2.0.6-SNAPSHOT version. I have included the following method to bring this resource into the swagger docs:

```java
@Override
public Model getGETModel(Representation rep) {
    return ((ModelImpl) super.getGETModel(rep))
            .property("serverLog", new MapProperty());
}
```

But I have just checked the latest snapshot version of openmrs-core (openmrs-2.2.0-SNAPSHOT) with this implementation, and I couldn’t see the server logs resource in the swagger docs :frowning:

What is the issue here? Could someone please help me?

CC : @dkayiwa @darius @gayanw

Nothing springs to mind immediately. (I checked to verify that your resource declares support for 2.2.*, and I see that it does.)

Any error message? (I personally have never looked at how the swagger docs are generated, so I don’t actually know what might break it.)