During development of #2089 it came to our attention that API bindings are special in the virtual API export service.
Today, similar to any other resource, API bindings can be claimed like any other resource. This is dangerous as it opens up the possibility for service providers to claim API bindings and thus be able to import any arbitrary API into user workspaces. Creating API bindings should be in the autonomy of the actual workspace users and thus claiming it should be prohibited.
Proposed Solution
Needs discussion and design.
Alternative Solutions
No response
Want to contribute?
I would like to work on this issue.
Additional Context
No response
In the past we spoke not of forbidding it entirely, but allowing it if and only if the permission claim was for "everything", that is - make it clear to users that if they accept a claim on APIBindings, they are giving someone else total admin over all the data in the workspace.