O3-3002: Queue Module - REST endpoints can be accessed without authentication. #65
Conversation
| * AddOnStartup annotation. | ||
| * | ||
| * @see org.openmrs.annotation.AddOnStartup | ||
| * @since 1.8 |
There was a problem hiding this comment.
There was a problem hiding this comment.
I have never seen version 1.8 of this module 😊
There was a problem hiding this comment.
Oh my bad, let me fix that, just to be clear, is 2.4.0 the current version?!
|
@IamMujuziMoses can you always include a link to the ticket as advised at? https://wiki.openmrs.org/display/docs/Pull+Request+Tips Is there a reason why you added privileges to only some of the service methods instead of all? |
|
@dkayiwa the reason I had was that those methods that didn't get privileges called the methods that had privileges e.g. the |
|
The method's internal implementation details should not affect its public contract. By looking at |
|
right, okay got it |
Can you do it also for other services in the module? |
| @HasAddOnStartupPrivileges | ||
| public class PrivilegeConstants { | ||
|
|
||
| // Add Privilege Constants |
There was a problem hiding this comment.
Do these comments add any value?
|
|
||
| public interface QueueEntryService { | ||
| public interface QueueEntryService extends OpenmrsService { |
There was a problem hiding this comment.
@IamMujuziMoses is extending OpenmrsService related to this ticket?
| @@ -45,6 +49,7 @@ public interface QueueService { | |||
| * @param queue the queue to be saved | |||
| * @return saved {@link org.openmrs.module.queue.model.Queue} | |||
| */ | |||
| @Authorized({ PrivilegeConstants.ADD_QUEUES, PrivilegeConstants.EDIT_QUEUES }) | |||
There was a problem hiding this comment.
yes, I think since it delegates saveQueue(), it should also requires the same privileges.
| @@ -53,16 +58,19 @@ public interface QueueService { | |||
| * @param queue the queue to be saved | |||
| * @return saved {@link org.openmrs.module.queue.model.Queue} | |||
| */ | |||
| @Authorized({ PrivilegeConstants.ADD_QUEUES, PrivilegeConstants.EDIT_QUEUES }) | |||
There was a problem hiding this comment.
Could there be a reason why for this service you are doing Add and Edit and yet for others you are doing Manage?
There was a problem hiding this comment.
saveQueue() is used to both update and add new queues, so different privileges must be required, ergo the Add and Edit.
There was a problem hiding this comment.
but I have realized that Manage also provides both the Add and Edit privileges at once which is better, let me change that, thanks🙂
| @@ -135,5 +146,6 @@ String generateVisitQueueNumber(@NotNull Location location, @NotNull Queue queue | |||
| * @return the previous queue entry, null otherwise. | |||
| * @throws IllegalStateException if multiple previous queue entries are identified | |||
| */ | |||
| @Authorized({ PrivilegeConstants.GET_QUEUE_ENTRIES }) | |||
There was a problem hiding this comment.
How about the rest of the methods in this interface?
There was a problem hiding this comment.
do the methods like generateVisitQueueNumber(), getSortWeightGenerator() and setSortWeightGenerator() require privileges as well?!
There was a problem hiding this comment.
Do you want them to be accessed without login?
There was a problem hiding this comment.
Absolutely not. okay let me work on them.
| @@ -9,6 +9,8 @@ | |||
| */ | |||
| package org.openmrs.module.queue.api; | |||
|
|
|||
| import static org.openmrs.util.PrivilegeConstants.*; | |||
There was a problem hiding this comment.
| void closeActiveQueueEntries(); | ||
|
|
||
| /** | ||
| * @return the instance of SortWeightGenerator that is configured via global property, or null if | ||
| * none configured | ||
| */ | ||
| @Authorized({ GET_GLOBAL_PROPERTIES }) |
There was a problem hiding this comment.
This permission is too generic. Should anyone who can access global properties also have access to this?
| @@ -124,6 +143,7 @@ String generateVisitQueueNumber(@NotNull Location location, @NotNull Queue queue | |||
| * | |||
| * @param sortWeightGenerator the SortWeightGenerator to set | |||
| */ | |||
| @Authorized({ MANAGE_GLOBAL_PROPERTIES }) | |||
| @@ -9,6 +9,9 @@ | |||
| */ | |||
| package org.openmrs.module.queue.api; | |||
|
|
|||
| import static org.openmrs.util.PrivilegeConstants.ADD_VISITS; | |||
There was a problem hiding this comment.
Thought it was better than using canonical name in the @Authorized tag.
| Long getCountOfQueueEntries(@NotNull QueueEntrySearchCriteria searchCriteria); | ||
|
|
||
| /** | ||
| * @param location | ||
| * @param queue | ||
| * @return VisitQueueNumber - used to identify patients in the queue instead of using patient name | ||
| */ | ||
| @Authorized({ ADD_VISITS, EDIT_VISITS }) |
There was a problem hiding this comment.
Why not use the manage privilege for the items where the visit queue number is used?
There was a problem hiding this comment.
After looking at the implementation details of this method, i think your privileges are correct. 😊
There was a problem hiding this comment.
Instead of import static, how about directly using org.openmrs.util.PrivilegeConstants.ADD_VISITS and org.openmrs.util.PrivilegeConstants.EDIT_VISITS
| Optional<QueueRoom> getQueueRoomById(@NotNull int id); | ||
|
|
||
| /** | ||
| * @return {@link List} of all queue rooms |
There was a problem hiding this comment.
Though this ticket was not about documenting these methods, you decided to do so and hence should also include the method description. 😊
|
|
||
| public interface QueueRoomService { | ||
|
|
||
| /** | ||
| * Gets a queue room given uuid. |
| QueueRoom saveQueueRoom(@NotNull QueueRoom queueRoom); | ||
|
|
||
| /** |
There was a problem hiding this comment.
Same as above for the method description.
| List<QueueRoom> getQueueRooms(QueueRoomSearchCriteria searchCriteria); | ||
|
|
||
| /** | ||
| * Voids a queue room |
There was a problem hiding this comment.
Void and Retire are not the same.
| * Voids a queue room | ||
| * | ||
| * @param queueRoom the queue room to retire | ||
| * @param voidReason the reason for voiding the queue room |
There was a problem hiding this comment.
It would be a retireReason instead of voidReason.
|
|
||
| public interface RoomProviderMapService { | ||
|
|
||
| /** | ||
| * Gets a room provider map given uuid. |
| /** | ||
| * Gets a room provider map by id. | ||
| * | ||
| * @param id roomProviderMapId - the id of the room provider map to retrieve. |
There was a problem hiding this comment.
Is the param id or roomProviderMapId?
| RoomProviderMap saveRoomProviderMap(@NotNull RoomProviderMap roomProviderMap); | ||
|
|
||
| /** |
| List<RoomProviderMap> getAllRoomProviderMaps(); | ||
|
|
||
| /** |
| /** | ||
| * Voids a room provider map | ||
| * | ||
| * @param roomProviderMap the room provider map to retire |
There was a problem hiding this comment.
retire and void are not the same.
Issue I worked on
see https://issues.openmrs.org/browse/O3-3002
Checklist: I completed these to help reviewers :)
Authorizedannotations to the service classes:QueueService,QueueEntryService,QueueRoomServiceandRoomProviderMapService.PrivilegeConstantsclass to contain all privilege names and their descriptions.