Details
- Bug
- Resolution: Fixed
- Critical
- COmanage Registry 3.3.0 (Magic Ring)
Description
The REST API v1 documentation says
Privileged CO API Users: API Users created within any other CO may be designated as Privileged, in which case they will have full access to the API within their CO.
However, ApiComponent::requestedCOID() has the following comment:
// As of Registry v3.3.0, CO level API users are allowed to assert a CO ID
// for REST operations that meet the following requirements:
// (1) The request is a GET
// (2) The request does not include a specific ID (eg view by CO, not view by ID)
// (3) The requested model directly belongsTo the parent link
Privileged CO API users should be able to write new records (POST) and update existing records (PUT), as long as the CO can be calculated using basically the same logic as AppModel::findCoForRecord().
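The two authorization rules described above, as an added illustration that is not COmanage Registry's own code: the v3.3.0 read-only rule from the ApiComponent::requestedCOID() comment, and the extended rule this ticket asks for, where a privileged CO API user may GET by ID, POST or PUT as long as the CO derived from the record's belongsTo chain (the idea behind AppModel::findCoForRecord()) matches the user's own CO. The in-memory RECORDS and PARENT_LINK tables, the ApiUser class and the authorize() function are all constructed for the example; the treatment of platform-level API users and of non-privileged CO API users is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory rows for a few models. A row either carries co_id
# directly or a foreign key to its parent, so the CO can be derived by walking
# up the belongsTo chain (the same idea as AppModel::findCoForRecord()).
RECORDS = {
    "Co":           {1: {}, 2: {}},
    "CoPerson":     {10: {"co_id": 1}, 20: {"co_id": 2}},
    "CoPersonRole": {100: {"co_person_id": 10}, 200: {"co_person_id": 20}},
    "Name":         {1000: {"co_person_id": 10}},
}

# belongsTo link for each non-root model: (parent model, foreign key).
# Hypothetical subset of the real schema.
PARENT_LINK = {
    "CoPerson":     ("Co", "co_id"),
    "CoPersonRole": ("CoPerson", "co_person_id"),
    "Name":         ("CoPerson", "co_person_id"),
}


def co_for_parent_key(model, data):
    """Derive the CO from the parent foreign key in a row or request body."""
    parent_model, fk = PARENT_LINK.get(model, (None, None))
    if parent_model is None or data.get(fk) is None:
        return None
    return find_co_for_record(parent_model, data[fk])


def find_co_for_record(model, record_id):
    """Walk the belongsTo chain of an existing record up to its CO."""
    if model == "Co":
        return record_id if record_id in RECORDS["Co"] else None
    row = RECORDS.get(model, {}).get(record_id)
    return None if row is None else co_for_parent_key(model, row)


@dataclass(frozen=True)
class ApiUser:
    username: str
    co_id: Optional[int]      # None models a platform-level API user (assumption)
    privileged: bool = False


def authorize(user, method, model, record_id=None, body=None, asserted_co_id=None):
    """Return True if the request should be allowed for this API user.

    Platform-level users are assumed unrestricted. CO-scoped users get the
    v3.3.0 rule (GET, no record ID, model directly belongsTo Co, asserted CO
    equals their own). Privileged CO users additionally get GET-by-ID, POST
    and PUT whenever the CO derived from the record itself equals their CO;
    the derived CO, not the asserted one, is what decides.
    """
    if user.co_id is None:
        return True
    body = body or {}
    # Rule from the ApiComponent::requestedCOID() comment (v3.3.0 behaviour).
    if method == "GET" and record_id is None:
        belongs_to_co = PARENT_LINK.get(model, (None,))[0] == "Co"
        return belongs_to_co and asserted_co_id == user.co_id
    if not user.privileged:
        return False
    # Extended behaviour requested in the ticket: derive the CO from the record.
    if method == "GET" and record_id is not None:
        derived = find_co_for_record(model, record_id)
    elif method == "POST":
        derived = co_for_parent_key(model, body)
    elif method == "PUT" and record_id is not None:
        derived = find_co_for_record(model, record_id)
        # A PUT that carries the parent key must not move the record to another CO.
        fk = PARENT_LINK.get(model, (None, None))[1]
        if fk in body and co_for_parent_key(model, body) != derived:
            return False
    else:
        return False
    return derived is not None and derived == user.co_id
```

Note that a POST to a model with no parent link (such as Co itself) and a request whose parent key points at a nonexistent record both derive no CO and are denied, so a write never succeeds on the strength of an asserted co_id alone.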