Few endpoints in AdministrativeService are made public

rohit.yawalkar · November 4, 2022, 12:37pm

Why few of the methods in administrationService not having any authorisation eg: getGlobalProperty()

openmrs/openmrs-core/blob/master/api/src/main/java/org/openmrs/api/AdministrationService.java

/**
 * This Source Code Form is subject to the terms of the Mozilla Public License,
 * v. 2.0. If a copy of the MPL was not distributed with this file, You can
 * obtain one at http://mozilla.org/MPL/2.0/. OpenMRS is also distributed under
 * the terms of the Healthcare Disclaimer located at http://openmrs.org/license.
 *
 * Copyright (C) OpenMRS Inc. OpenMRS is a registered trademark and the OpenMRS
 * graphic logo is a trademark of OpenMRS Inc.
 */
package org.openmrs.api;

import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.SortedMap;

import org.openmrs.GlobalProperty;
import org.openmrs.ImplementationId;
import org.openmrs.OpenmrsObject;

This file has been truncated. show original

Is it done intentionally or a miss ?

cc: @angshuonline @binduak @gsluthra @n0man

dkayiwa · November 4, 2022, 1:19pm

We had a number of places like this one, which needed access to global properties before authentication. As a result, this was intentionally left as not requiring authorisation. But this was designed more than 10 years ago, and hence it could be time to revisit it.

But then methods like updateGlobalProperty look like something we just missed.

gsluthra · November 7, 2022, 2:20pm

@rohit.yawalkar - Can you log JIRA issue for openmrs code (OpenMRS JIRA), and pick up this fix to add authorizations for mutation APIs of global properties?

rohit.yawalkar · November 7, 2022, 4:09pm

sure @gsluthra

gsluthra · December 8, 2022, 5:45am

@rohit.yawalkar - Can you share the JIRA ticket here.

rohit.yawalkar · December 20, 2022, 6:30am

Hi @gsluthra, sharing the card https://issues.openmrs.org/browse/TRUNK-6154