feature request #7972
openexplicitly allow disallow access to HTTP Invoker endpoints (/remoting/**)
100%
Description
Users can always see any data in the Taxeditor, this can be problematic for projects in which private data must not be un-disclosed to arbitrary users.
The must straight forward approach is to use Spring Security to configure the MultiWebSecurityConfiguration#RemotingWebSecurityConfigurationAdapter
accordingly.
This involves implementing one of the following rules:
All users can always accessrejected/remoting/**
unless they have the role `ROLE_REMOTING_DENIED- Users need to be assigned with the
ROLE_REMOTING
to access/remoting/**
agreed
If the role is missing in the db it will be created and added to the Groups Editor
and EditorExtendedCreate
by the FirstDataInserter
.
The role will however not be added to the editor groups in case the role exist but is missing from one of these groups. This allows removal of the role from the editor groups to withdraw the remote editing permission from editors in general for a project.
Related issues