Restrict entity ACL content
Please do the following:
1. Disallow the anonymous user from any ACL.
2. Disallow anything but read from the public group (unsure if the system conforms to this rule today, so there may be additional migration work).
Tried to add the anonymous user to an ACL on staging, and received a nice/informative error message:
Cannot assign permissions to anonymous. To share resources with anonymous users, use the PUBLIC group id (273949)
And when I try to assign an access type set other than Can View (READ) to the public group, then I receive a nice error in this case too:
Only READ permissions can be assigned to the public group
Closing, thank you!
PR for disallowing anonymous user ACL and <> READ on public group: .
We will run the following in prod to remove the ACL:
Current ACL for public group with access <> ‘READ’ and anonymous:
's work doesn't affect this. His work allows us to cluster, collect incoming requests by user even when the user is working anonymously and this allows us to throttle users individually (even if they're anonymous). That's different from this issue, which is about preventing nonsensical permissions settings.
The work with session IDs still makes use of the Anonymous userId. We are changing API call throttling from being based off the user's ID to being based off a concatenation of each connected device's IP address, userId (including anonymous id) and a sessionId provided by the backend.
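
The two rules requested in this issue, sketched as an added example (not code from the thread or from the project): one check is shared by the write path and by an audit of already-stored ACLs, which is the migration concern raised in item 2. The `AclEntry` type, the function names, the non-READ access type names and the anonymous user id are assumptions; only the public group id and the two error messages come from the thread.

```python
from dataclasses import dataclass

PUBLIC_GROUP_ID = 273949   # from the error message quoted in the thread
ANONYMOUS_USER_ID = -1     # placeholder: the real id is not given on the page
READ = "READ"

ERR_ANONYMOUS = ("Cannot assign permissions to anonymous. To share resources with "
                 f"anonymous users, use the PUBLIC group id ({PUBLIC_GROUP_ID})")
ERR_PUBLIC = "Only READ permissions can be assigned to the public group"


@dataclass(frozen=True)
class AclEntry:            # hypothetical shape of one ACL row
    principal_id: int
    access_types: frozenset


def check_entry(entry):
    """Return the rejection message for one entry, or None if it is allowed."""
    if entry.principal_id == ANONYMOUS_USER_ID:
        return ERR_ANONYMOUS
    # Any access type besides READ on the public group is refused,
    # even when READ is also present in the same entry.
    if entry.principal_id == PUBLIC_GROUP_ID and entry.access_types - {READ}:
        return ERR_PUBLIC
    return None


def validate_acl(entries):
    """Write-path check: refuse the whole ACL if any entry breaks a rule."""
    for entry in entries:
        message = check_entry(entry)
        if message:
            raise ValueError(message)


def audit_existing(acls):
    """Migration check: (resource_id, principal_id, reason) for every stored
    entry that predates the rules and would now be rejected."""
    return [(resource_id, e.principal_id, reason)
            for resource_id, entries in acls.items()
            for e in entries
            if (reason := check_entry(e))]


# Constructed sample data, not taken from any real system.
SAMPLE_ACLS = {
    "res1": [AclEntry(PUBLIC_GROUP_ID, frozenset({READ}))],
    "res2": [AclEntry(PUBLIC_GROUP_ID, frozenset({READ, "UPDATE"}))],
    "res3": [AclEntry(ANONYMOUS_USER_ID, frozenset({READ})),
             AclEntry(1001, frozenset({READ, "UPDATE", "DELETE"}))],
}
```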