Search for state REVOKED returns VOLATILE and FIXED about base-repo HOT 3 CLOSED

Branch issue-235-Search_for_state_REVOKED_returns_VOLATILE_and_FIXED created!

from base-repo.

Well, the state attribute is a bit special when it comes to search. The reason is, that the state is used to determine whether a resource is visible to a user or not. As you probably know, there are the four states VOLATILE, FIXED, REVOKED, and GONE. Only VOLATILE and FIXED resources are visible to users, typically a resources is created in state VOLATILE and may or may not move to FIXED.

If a resource is deleted, which can be done by someone with ADMINISTRATE permissions (typically the owner), the resource enters the state REVOKED. In this state, the resource is only returned to users with role ADMINISTRATOR, who can then either patch the state back to VOLATILE/FIXED or delete the resource again to enter the state GONE (which also implies that all data is deleted).

Due to these restrictions it is internally enforced, that filtering for REVOKED resources is only performed if the caller has the role ADMINISTRATOR. Otherwise, the state is handled as if it was empty, i.e., filters for VOLATILE and FIXED are applied. Instead, if you provide FIXED as state in your search, only resources in state FIXED are returned.

You now may ask how it is possible assign the ADMINISTRATOR role for search...well, as I assume that you are not using authentication at all, i.e., only use the SELF identity, there is currently no way to do so, mainly for security reasons. Assigning the ADMINISTRATOR role is only possible when using external JSON Web Tokens issued by a KeyCloak instance.

from base-repo.

OK, I understand, thank you for the explanation (and yes you are correct I don't use authentication).

from base-repo.