Return 403 for TimeSeries on Public Instance #972
Labels: discussion-point, enhancement, Security
We had talked about the various ways the TimeSeries are handled with filtering.
Currently there exists a flag that is set by districts in CMA to handle this. Then in the SQL package retrieve_ts (I believe) handles what gets returned. I propose if a TS flag is set to not return various TS that instead of returning an empty TS response we instead return a JSON response with a 403 status code. There might even be null values with dates returned even if the TSID is not listed.
This could also be expanded to the catalog although not sure how involved that could be.
Something like:
..more? Perhaps consider empty values array and other usual params here for backwards compatibility
This is more explicit and helps districts understand why.
One current gotcha with the existing architecture
Districts would continue to expect internal access to all TimeSeries on their T7 CDA instance. So perhaps this rule only applies to "/cwms-data/" until future work has been done?