@@ -14,25 +14,6 @@ Do the stuff in the Client todo first then back to the server as required.
DO CLIENT STUFF NOW COME BACK TO THIS STUFF LATER
### SERVER WORK NEEDED FIRST....
- NOT done correctly at the server NEED TO CHANGE THIS SHIT FIRST:
- is returning a 401 (not authenticated) for rights issues that should return 403 (not authorized)
- Before can do below rights stuff need to go back to server and change that
- https://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses#6937030
- I know it works when the user SubContractorLimited logs in and force to fetch widget gets a 403 instead of a 401 and instead of logging off redirects to home or back or something instead
- in GZAPI handleError has this: ErrorUserNotAuthenticated error string, I also need to check server and docs for the corresponding ErrorUserNotAuthorized which may need to be added and documented
- Also need a localized text for it in all languages apparently and also document it properly and add it as a type of error returned in those circumstances
- May be faster to just try to fetch the object and have rights checked that way and react accordingly in the client rather than try to pre-check before hand
- This is because need the actual object to check if self owned and can still edit, let the server handle that shit and just act accordingly
- If server returns a read only copy of an object due to read full record but not due to allow edit then perhaps the server can also tag it with a READONLY flag so client can adjust accordingly and not need to do the checking with a double request
- SO...SERVER Should return on request of an object one of these:
- Not authenticated at all 401
- Not authorized for this object 403 (could be due to not own or whatever, we don't care, server handles that shit, client just knows not to show it)
- Object...BUT with READONLY flag of some kind present (in outer wrapper??), so client knows to show read only and not allow editing
- Object without readonly flag present so fully editable!!! WOOT!
- FINDINGS / TODO
- So early on the server is returning 401 not authenticated before the route is hit, so really, in any route my own rights check would always be 403, not 401, that's handled already by authentication middleware
### TODO FILTER ISSUE: SEE integration tests search for BUGBUG there are two tests failing in DataFilterFilteringLists tests that might be DST related
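Review bot: the security-relevant findings in this TODO block (the hunk header shrinks the region from 25 lines to 6, so these read as the lines being removed) have no pointer to where they were resolved or tracked, and the FINDINGS / TODO item from "So early on the server is returning 401" onward is a conclusion, not a completed fix. Before dropping "in GZAPI handleError has this: ErrorUserNotAuthenticated error string, I also need to check server and docs for the corresponding ErrorUserNotAuthorized", confirm that the 403 path, its error string, localized text and documentation actually exist on the server, or keep that line. The READONLY flag design ("Object...BUT with READONLY flag of some kind present") needs one caveat recorded wherever it is tracked: the flag is a client hint only, and the server must still reject writes to an object the caller may only read. The "TODO FILTER ISSUE" line about two failing DataFilterFilteringLists tests marked BUGBUG should also not disappear from the TODO without an issue reference.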