Dynamically reduce the scope of a requested WoT Thing Description in Ditto to the user's permissions #2144

Open
thjaeckle opened this issue Mar 11, 2025 · 0 comments
Labels
WoT Web of Things related enhancements

Comments

@thjaeckle
Member

Currently, any authenticated (not authorized - this is currently not checked) user may fetch the WoT "Thing Description" of a Thing which links to a WoT Thing Model in its definition field.

This is done by providing the accept header: Accept: application/td+json (content negotiation).
However:

  • as said, any authenticated user may fetch the TD of any known thingId
  • and the user gets back the complete functionality of the thing - which may be much more than the user is able to see or use from the thing's API

So the idea of this issue is to scope the generated TD based on the user's permissions:

  • only include the WoT "properties" which the user is able to READ
  • dynamically generate "readOnly" based on the permissions
  • only add "actions" which the user is allowed to invoke (WRITE to)
@thjaeckle thjaeckle added the WoT Web of Things related enhancements label Mar 11, 2025
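The scoping described in the issue, as an added illustration rather than Ditto's own code: it assumes a constructed TD fragment and a constructed map from affordance name to granted permissions (in Ditto the grants would come from policy entries on the thing's resource paths; that resolution is not modelled here). Properties are kept only with READ, readOnly is derived from the absence of WRITE (and can only be narrowed, never widened, relative to the Thing Model), and actions are kept only with WRITE.

```python
import copy

# Constructed sample TD (not from a real Ditto thing); only the parts the filter touches.
SAMPLE_TD = {
    "@context": "https://www.w3.org/2022/wot/td/v1.1",
    "title": "constructed-thing",
    "properties": {
        "temperature": {"type": "number", "readOnly": True},
        "serial": {"type": "string", "readOnly": True},
        "setpoint": {"type": "number"},
        "secret": {"type": "string"},
    },
    "actions": {"reboot": {}, "factoryReset": {}},
}

# Constructed permission model (assumption): affordance name -> set of granted permissions.
SAMPLE_GRANTS = {
    "temperature": {"READ"},
    "serial": {"READ", "WRITE"},
    "setpoint": {"READ", "WRITE"},
    "secret": set(),
    "reboot": {"WRITE"},
    "factoryReset": set(),
}


def scope_td(td, grants):
    """Return a copy of `td` reduced to what `grants` allows.

    properties: kept only if READ is granted; readOnly becomes True when WRITE
    is missing, but a property the Thing Model already marks readOnly stays so.
    actions: kept only if WRITE (invoke) is granted. Unknown names are denied.
    """
    scoped = copy.deepcopy(td)
    props = {}
    for name, prop in td.get("properties", {}).items():
        perms = grants.get(name, set())
        if "READ" not in perms:
            continue  # default deny: not even the property's existence is revealed
        prop = dict(prop)
        prop["readOnly"] = bool(prop.get("readOnly")) or "WRITE" not in perms
        props[name] = prop
    scoped["properties"] = props
    scoped["actions"] = {
        name: action for name, action in td.get("actions", {}).items()
        if "WRITE" in grants.get(name, set())
    }
    return scoped
```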