"Visibility by Access" - Visibility attribute for API product not enforced correctly #392

Closed
mikesson opened this issue Mar 25, 2020 · 0 comments · Fixed by #394

@mikesson

I'm using the "visibility by access" capability in Edge > API products to control API product visibility through the internal/private/public attribute in Edge. This applies to an API which isn't part of a Product Bundle/Rate Plan (as using w/ monetization modules enabled), yet it's still showing up even though set to internal. Any ideas what could be missing / is it a bug?

Steps to reproduce: Create an API product with visibility set to Internal or Private, and leave those unchecked in the Apigee Edge > API products section. Then log in as an authenticated user, create a new app, and check if the API product is visible in the list.


@cnovak cnovak transferred this issue from apigee/apigee-edge-drupal Mar 30, 2020
@cnovak cnovak transferred this issue from apigee/apigee-m10n-drupal Mar 30, 2020
@cnovak cnovak self-assigned this Mar 31, 2020
@arunz6161 arunz6161 added this to the 8.x-1.8 milestone Mar 31, 2020
arlina-espinoza pushed a commit that referenced this issue Mar 31, 2020
…orrectly

The Apigee M10n module’s hook_ENTITY_TYPE_access uses the Apigee Monetization API to determine an API Product ‘assign’ access by calling `/developers/{developer}/eligible-products`, which returns AccessResult::allowed for all API products.

This API returns all API Products:
1. That are able to be assigned to an App because the developer purchased a Rate plan that contains the API product
2. All API products that are not monetized.

Due to #2, the Apigee Edge module hook_ENTITY_TYPE_access needs to return AccessResult::forbidden when the operation is ‘assign’ and the user does not have the correct role to assign an API product to an app.
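
The interaction the commit message describes, modeled as an added stand-alone PHP example (not code from the Apigee modules or Drupal core). It assumes Drupal's rule for combining access-hook results, where forbidden overrides allowed and allowed overrides neutral, and assumes the Edge hook previously returned a neutral result when the role was missing; the function names, role names and visibility map are hypothetical.

```php
<?php
// Stand-in for how Drupal combines access-hook results (orIf semantics):
// forbidden beats allowed, allowed beats neutral. Not Drupal core code.
const NEUTRAL = 'neutral';
const ALLOWED = 'allowed';
const FORBIDDEN = 'forbidden';

function or_if(string $a, string $b): string {
  if ($a === FORBIDDEN || $b === FORBIDDEN) {
    return FORBIDDEN;
  }
  return ($a === ALLOWED || $b === ALLOWED) ? ALLOWED : NEUTRAL;
}

// Constructed "visibility by access" settings: roles allowed to assign
// products of each visibility. Role names are hypothetical.
const VISIBILITY_ROLES = [
  'public' => ['authenticated', 'staff'],
  'private' => ['staff'],
  'internal' => [],
];

// Models the M10n hook: every product in the eligible-products response,
// which includes all non-monetized products, gets "allowed" for 'assign'.
function m10n_access(array $product, string $op, array $eligible): string {
  return ($op === 'assign' && in_array($product['name'], $eligible, true))
    ? ALLOWED : NEUTRAL;
}

// Models the Edge hook. $forbid_on_miss = false is the assumed old behaviour
// (neutral when the role is missing); true is what the commit calls for.
function edge_access(array $product, string $op, array $roles, bool $forbid_on_miss): string {
  if ($op !== 'assign') {
    return NEUTRAL;
  }
  if (array_intersect($roles, VISIBILITY_ROLES[$product['visibility']])) {
    return ALLOWED;
  }
  return $forbid_on_miss ? FORBIDDEN : NEUTRAL;
}

// Constructed case from the report: non-monetized product, visibility internal.
$product = ['name' => 'internal-api', 'visibility' => 'internal'];
foreach ([false, true] as $forbid) {
  $result = or_if(
    m10n_access($product, 'assign', ['internal-api']),
    edge_access($product, 'assign', ['authenticated'], $forbid)
  );
  printf("forbid_on_miss=%s => assign access: %s\n", var_export($forbid, true), $result);
}
```

With the neutral return, the M10n hook's allowed result decides the outcome and the internal product stays assignable; with forbidden, the combined result blocks it regardless of what the other hook returns.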