[REST Auth] Remove user access to things (#1807)

I can't think of a good reason why listing things or querying their status should be allowed for users.
The things layer should only be of concern to admins IMHO.
As noted here: https://community.openhab.org/t/oh3-will-list-all-your-things-even-if-you-are-not-logged-in/108006/3
passwords and other sensible information in configuration could end up being exposed without auth required.

Signed-off-by: Yannick Schaus <github@schaus.net>
Yannick Schaus 2020-11-26 08:31:10 +01:00 committed by GitHub
parent 89767cee9e
commit 6ff65df7d2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -292,7 +292,7 @@ public class ThingResource implements RESTResource {
}
@GET
@RolesAllowed({ Role.USER, Role.ADMIN })
@RolesAllowed({ Role.ADMIN })
@Produces(MediaType.APPLICATION_JSON)
@Operation(summary = "Get all available things.", responses = {
@ApiResponse(responseCode = "200", description = "OK", content = @Content(array = @ArraySchema(schema = @Schema(implementation = EnrichedThingDTO.class), uniqueItems = true))) })
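Review bot: the @Operation on the "Get all available things." method declares no security attribute (it goes straight from summary to responses), while the status endpoint's @Operation in the next hunk opens with `security = {`. With @RolesAllowed narrowed to `Role.ADMIN`, the generated API description should state that this call needs authentication, so I would add the same security requirement here as on the status operation. Since the commit message is about data being returned without auth, a test asserting that an unauthenticated GET and a USER-role GET are both rejected would pin the new behaviour down.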
@ -518,7 +518,7 @@ public class ThingResource implements RESTResource {
}
@GET
@RolesAllowed({ Role.USER, Role.ADMIN })
@RolesAllowed({ Role.ADMIN })
@Path("/{thingUID}/status")
@Produces(MediaType.APPLICATION_JSON)
@Operation(summary = "Gets thing status.", security = {
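Review bot: only this status method and the list method in the previous hunk get `@RolesAllowed({ Role.ADMIN })` in this patch, although the commit title says user access to things is removed. If any other read method in ThingResource still carries `Role.USER` (a lookup of a single thing by UID, say), it would keep returning configuration to non-admin users; please confirm those were checked, or tighten them in the same change. It is also worth stating in the commit message that clients polling thing status with a user-role token will be rejected after this change.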