Merge pull request #14 from zazuko/permissions

Be more restrictive with default permissions
zazuko · Oct 16, 2023 · 5b8f86e · 5b8f86e
2 parents 6d769d1 + bd23ac8
commit 5b8f86e
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 0 deletions.
diff --git a/.changeset/perfect-dodos-speak.md b/.changeset/perfect-dodos-speak.md
@@ -0,0 +1,13 @@
+---
+"fuseki-geosparql": major
+---
+
+Require to be authenticated for endpoints with write access.
+
+Starting this version, all routes that are ending with:
+
+- `/data`
+- `/upload`
+- `/update`
+
+are also protected and require authentication.
diff --git a/README.md b/README.md
@@ -36,6 +36,12 @@ All other routes that have are prefixed with `/$/` needs basic authentication:
 - username: `admin`
 - password: value of the `ADMIN_PASSWORD` environment variable
 
+Some routes that are known to be used for write permissions are also protected; there are the ones ending with:
+
+- `/data`
+- `/upload`
+- `/update`
+
 All other routes are publicly available.
 
 If you want to change this behavior, you will need to change the `config/shiro.ini` file.

diff --git a/config/shiro.ini b/config/shiro.ini
@@ -19,6 +19,9 @@ admin = ${ADMIN_PASSWORD}
 
 ## and the rest are restricted to admin user
 /$/** = authcBasic,user[admin]
+/**/data = authcBasic,user[admin]
+/**/upload = authcBasic,user[admin]
+/**/update = authcBasic,user[admin]
 
 # Everything else
 /**=anon