search

AEB-labs / cruddl

Create a GraphQL API for your database, using the GraphQL SDL to model your schema.
https://aeb-labs.github.io/cruddl/
MIT License
131 stars 17 forks source link

Permisions claim check field with multiple values? #284

Open KK7NZY opened 1 year ago

KK7NZY commented 1 year ago

Hello,

I am currently trying to setup a permissions-profile and was hoping to get some feedback on how to handle permissions for referenced entities and/or suggestions on model design.

For example I have something similar to the following:

type Gallery @rootEntity(permissionProfile: “gallery”) {
    name: String!
    portfolios: [Portfolio!] @relation
    gallery: !ID @accessField
}
type Portfolio @rootEntity {
    name: String!
    images: [Image!] @relation(inverseOf: “portfolio”)
}
type Image @rootEntity {
    name: String!
    url: String!
    portfolio: Portfolio! @relation
}
permissionProfile:
  gallery:
    - access: read
      roles:
        - viewer
      restrictions:
        - field: gallery
          claims: galleries

A user with read permissions would be able to access the name field but would get “Not authorized to read Portfolio objects (in Gallery.portfolios)“ when trying to access porfolios of the gallery . The only way I can think to get around this is to add a Ctx extension to each entity and update the permissions-profile to reference the new context field / or create seperate permission for each entity with the correct feld, claim combination.

type Ctx @entityExtension {
    galleryId: ID @accessField
    portfolioId: ID @accessField
    ownerId: ID @accessField
}
type Gallery @rootEntity(permissionProfile: “gallery”) {
    name: String!
    portfolios: [Portfolio!] @relation
    ctx: @accessField
}
type Portfolio @rootEntity(permissionProfile: “portfolio”) {
    ...
    ctx: Ctx @accessField
}
type Image @rootEntity {
    ...
    ctx: Ctx @accessField
}
permissionProfile:
  gallery:
    - access: read
      roles:
        - viewer
      restrictions:
        - field: ctx.gallery
          claims: galleries
  portfolio:     
     - access: read
        roles:
          - viewer
       restrictions:
         - field: ctx.gallery
           claim: galleries
         - field: ctx.portfolio
           claim: portfolios

Adding Ctx entity solved the authentication issue but a Portfolio in the example can be referenced by many Gallery entities. A a user with access to one gallery and not the another would get access denied when trying to access portfolio in current setup unless ctx.gallery was an array.

I know it is not possible to to have an array as a field value. Is there something I can do that would resolve the scenario mentioned above. Something like any([claim in field for claim in claims]) if isinstance(field, list) else field in claims

Do I need Ctx or is there a better way to handle this use case ?

I am still learning my way around so any help would be appreciated.

Regards, John

mfusser commented 1 year ago

I am not sure if I fully understand what you are trying to achieve but I don't think there is a good way to handle this situation at the moment. There is no way to define something like "allow access to a portfolio if the user has access to any gallery that includes this portfolio". The permissions have to be defined for each rootEntity separately so I think the only way is to give each rootEntity its own profile and make sure from outside that whenever a user gets access to a gallery that they also get access to all necessary portfolio. This will come with some other problems (as I wrote in your other issue ). It seems that your use case does not really fit the way permission profiles work in cruddl.

KK7NZY commented 1 year ago

Thank you for the response. That makes sense to have to write a permissions profile for each Root Entity.

In the example above I was also curious having restriction with a field value that is a list of items. For example If I wanted to store a separate field on the entity that had all the gallery IDs. Then have my restriction compare the values of field list to the claim list.

For example:

{ "claims": { "gallery": [5, 6]  } }
{
  id: "<portfolio_id_1>"
  "ctx": {
    "gallery": [6]
  }
},
{
  id: "<portfolio_id_2>"
  "ctx": {
    "gallery": [42, 73]
  }
},
{
  id: "<portfolio_id_3>"
  "ctx": {
    "gallery": [5]
  }
},

In this example i would expect the user to get response of two portfolios since he has claim of [5, 6].

I created a draft PR here ( https://github.com/AEB-labs/cruddl/pull/287) for example above. Any feedback on this would be much appreciated.

For my current project I need to check value of claim/and or role to a field that is list of values.