Skip to content

Access Rules

Jump to bottom
AnotherKamila edited this page Sep 9, 2012 · 2 revisions

Data in the MPcharge web service can be public or private. In the case it is private, access to it is determined based on the user's access privileges. What follows is the overview of these.

User Privileges

Each user has an associated set of privileges.
Every privilege is a triple (realm, location, methods), where:

  • realm: the resource on which the privilege acts (e.g. '/MPQ12/teams')
  • location: which country/region this privilege applies to (e.g. 'Slovakia/Bratislava')
  • methods: what the user is allowed to do: a subset of {GET_ALL, POST, PUT, DELETE}. With the exception of GET_ALL (as described below), these methods directly correspond to the HTTP methods.

GET is implicitly allowed on any resource. However, not everything is visible/accessible, see below. When PUT or DELETE is allowed, GET_ALL should also be present.

Further Notes on Realm and Location

Both realm and location act as paths in trees (imagine a Unix/Linux filesystem, or a URL). I will refer to both as paths from now on.

A privilege on a resource also holds for its subordinate resources (unless it is specifically overridden). A subordinate resource is anything with both the realm and location being below in the tree.

Paths may contain a wildcard ('*') in place of a path component, in which case anything matches. Note that e.g. the '/MPQ12/*' realm matches only subordinate resources (like '/MPQ12/teams' or '/MPQ12/results', while '/MPQ12' matches also the parent resource itself.

More specific privileges override the more general ones, i.e. a privilege on '/MPQ12/teams' will override privileges on '/MPQ12' and also privileges on '/*/teams'. (If there is two privileges, one of them with a more specific location and the other one with a more specific realm, location wins.)

A set of paths will be implemented as a trie with the path components as edges.

Visibility of Data

Every resource and property has a visibility flag, which is one of:

  • PUBLIC: everyone can see this, no authorization is required
  • PRIVATE: users without the GET_ALL privilege will not see the property, and will receive a 401 Unauthorized response when accessing such a resource
  • HIDDEN: users without the GET_ALL privilege will not see the property, and will receive a 404 Not Found response when accessing such a resource (in order to hide its existence)

Clone this wiki locally