Skip to content

Added permissions checker into HandleGetFileMetadata handler #177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
BarathaAberathne wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

Added permissions checker into HandleGetFileMetadata handler #177

BarathaAberathne wants to merge 2 commits into from

Conversation

@BarathaAberathne
Copy link
Contributor

@BarathaAberathne BarathaAberathne commented Jan 29, 2026
edited
Loading

What

  • Moved GET /files/{path} authorization into the handler so it can use metadata attributes (dataset_edition) for permission checks.
  • Enforced JWT‑only access for file metadata (service tokens rejected) and validated JWTs via middleware parse.
  • Added/updated unit and component tests.

How to review

  • Run dataset-catalogue stack
  • Make sure the dis-auth-stub contains a correct viewer account
  • export AUTHORISATION_ENABLED=true
  • Add the matching permission set to the db
{
    "_id" : "default-viewer",
    "condition" : {
        "attribute" : "dataset_edition",
        "operator" : "StringEquals",
        "Values" : [ 
            "static-test-dataset", // add allowed datasets and editions for the viewer
            "static-test-dataset/time-series"
        ]
    },
    "entities" : [ 
        "groups/role-viewer"
    ],
    "role" : "datasets-previewer"
}

Make sure the acceptance Criteria is met for each endpoint:

  • Given a user accesses the /downloads/files/{file-path} endpoint in the download-service in the publishing environment for a file that is not published, when they are in the correct permissions group, then access to the file download is provided with a 200 response.
  • Given a user accesses the /downloads/files/{file-path} endpoint in the download-service in the publishing environment for a file that is not published, when they are not in the correct permissions group, then a 403 response is returned.
  • Given a user accesses the /downloads/files/{file-path} endpoint in the download-service in the publishing environment for a file that is not published, with no jwt token provided then a 401 response is returned.
  • Given a user accesses the /downloads/files/{file-path} endpoint in the download-service in the publishing environment for a file that is not published, with an invalid jwt token provided then a 401 response is returned.
  • Given a user accesses the /downloads/files/{file-path} endpoint in the download-service in the publishing environment for a file that is not published, with a valid service token then a 401 response is returned.

Who can review

Describe who worked on the changes, so that other people can review.

@BarathaAberathne BarathaAberathne marked this pull request as ready for review January 29, 2026 08:18
@BarathaAberathne BarathaAberathne requested a review from a team as a code owner January 29, 2026 08:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BarathaAberathne