Apiman Version
3.0
Apiman Manager Distro
Tomcat
Apiman Gateway Distro
Vert.x
Java Version
openjdk 11.0.17 2022-10-18
OpenJDK Runtime Environment Temurin-11.0.17+8 (build 11.0.17+8)
OpenJDK 64-Bit Server VM Temurin-11.0.17+8 (build 11.0.17+8, mixed mode, sharing)
Operating System
Ubuntu 22.04.1 LTS
Are you running Apiman in a container, or on an orchestration platform?
Kubernetes
Describe the bug
With the introduction of the visibility feature in the API Management, we made the permission apiView in an organization obsolete.
Since the default visibility is 'ORG_MEMBERS', every member of the organization sees every API even if the user does not have the explicit permission to view the APIs.
Expected behaviour
Possible solution:
The default visibility should respect the explicit permission system.
An organization member should only see the APIs if they have explicit permission to do so (apiView) or the visibility is set less restrictively than ORG_MEMBERS.
Actual behaviour
A member of an organization sees every API even if the user does not have the explicit permission to view the APIs.
How to Reproduce
Create an org
Create an API (visibility ORG_MEMBER)
Invite a new member without the apiView permission
Relevant log output
No response
Anything else?
No response
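The access rule at the heart of this report can be stated as an authorization predicate and exercised against the reproduction scenario above. The following is an added example written for this page, not Apiman's own code: it models the visibility check as the issue describes it today (any org member sees an ORG_MEMBERS API) beside the proposed rule (ORG_MEMBERS additionally requires the explicit apiView permission, while a less restrictive visibility still bypasses it). The visibility levels other than ORG_MEMBERS, the user/API data model, and the three sample users and APIs are assumptions constructed for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Optional


class Visibility(IntEnum):
    """Visibility levels ordered from most to least restrictive.

    ORG_MEMBERS is the default named in the issue; the other two levels are
    assumed here purely to show what 'less restrictive' means for the check.
    """
    ORG_MEMBERS = 0
    FULL_PLATFORM_MEMBERS = 1   # assumed: any authenticated platform user
    ANONYMOUS = 2               # assumed: no authentication needed


@dataclass(frozen=True)
class Api:
    org: str
    name: str
    visibility: Visibility = Visibility.ORG_MEMBERS


@dataclass
class User:
    name: str
    memberships: set[str] = field(default_factory=set)                 # org ids
    permissions: set[tuple[str, str]] = field(default_factory=set)     # (org, permission)

    def has_permission(self, org: str, perm: str) -> bool:
        return (org, perm) in self.permissions


def _open_to(user: Optional[User], api: Api) -> bool:
    """Levels less restrictive than ORG_MEMBERS: ANONYMOUS is open to
    everyone, FULL_PLATFORM_MEMBERS to any authenticated user (user is None
    models an unauthenticated caller)."""
    if api.visibility == Visibility.ANONYMOUS:
        return True
    return user is not None


def can_view_current(user: Optional[User], api: Api) -> bool:
    """Behaviour reported in the issue: for ORG_MEMBERS, org membership alone
    grants visibility; the apiView permission is never consulted."""
    if api.visibility > Visibility.ORG_MEMBERS:
        return _open_to(user, api)
    return user is not None and api.org in user.memberships


def can_view_proposed(user: Optional[User], api: Api) -> bool:
    """Proposed behaviour: a less restrictive visibility still opens the API,
    but ORG_MEMBERS requires membership *and* the explicit apiView permission."""
    if api.visibility > Visibility.ORG_MEMBERS:
        return _open_to(user, api)
    return (
        user is not None
        and api.org in user.memberships
        and user.has_permission(api.org, "apiView")
    )


def visible_apis(user: Optional[User], apis: list[Api],
                 rule: Callable[[Optional[User], Api], bool]) -> list[str]:
    """Names of the APIs the given rule lets this user see, in catalog order."""
    return [a.name for a in apis if rule(user, a)]


# Constructed sample data mirroring the reproduction steps.
ORG = "acme"
APIS = [
    Api(ORG, "orders"),                                        # default ORG_MEMBERS
    Api(ORG, "partner-feed", Visibility.FULL_PLATFORM_MEMBERS),
    Api(ORG, "public-catalog", Visibility.ANONYMOUS),
]
ALICE = User("alice", {ORG}, {(ORG, "apiView")})   # member with apiView
BOB = User("bob", {ORG})                            # newly invited member, no apiView
CAROL = User("carol")                               # authenticated, not a member


if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL, None):
        label = user.name if user else "<anonymous>"
        print(f"{label:12} current:  {visible_apis(user, APIS, can_view_current)}")
        print(f"{label:12} proposed: {visible_apis(user, APIS, can_view_proposed)}")
```

Under the current rule Bob, invited without apiView, sees the default-visibility "orders" API purely by being a member; under the proposed rule he sees only the APIs whose visibility is less restrictive than ORG_MEMBERS, while Alice (who holds apiView) keeps full visibility and non-members and anonymous callers are unaffected either way.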