Open · danieladugyan opened 3 months ago

Completely valid.

This doesn't really work. `auth() != null` can't be used even if we remove `externalCode`, as an anonymous user will still have a user object. This is because some policies will have the role "*", and thus they do need a user object which will contain their policies.

Perhaps we should not check for `auth() != null` but instead use access policies like everywhere else?

I do agree that `externalCode` could be changed to `sessionId`, however

Our ZenStack login checks are implemented as `auth() != null`. This obviously won't work if we create `User` objects for logged-out users.

Proposed solution: Don't create `User` objects for logged-out users. Handle `externalCode` as a separate field outside the `User` object, i.e. as a session id.
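As an added illustration of the point raised in this thread (not code from the issue or from the project), the ZenStack schema fragment below shows why a `!= null` check is too coarse once an anonymous visitor is represented by a user object, and the shape of a policy that keys on a concrete field instead. The model, field and role names are assumptions, not the project's schema.

```zmodel
// Illustrative schema, not the project's own. Assumed models and fields.
model User {
  id   String @id @default(cuid())
  role String @default("USER") // assumed values: "USER", "ADMIN", "*" (anonymous)
  posts Post[]
}

model Post {
  id       String @id @default(cuid())
  title    String
  author   User   @relation(fields: [authorId], references: [id])
  authorId String

  // Too coarse: this passes for *any* user object handed to enhance(),
  // including one created for a logged-out session that only carries a role of "*".
  // @@allow('read', auth() != null)

  // Keyed on a concrete property instead: an anonymous object with role "*"
  // does not satisfy this, so the check expresses the intended "logged in" condition.
  @@allow('read', auth().role == 'USER' || auth().role == 'ADMIN')

  // Ownership checks compare against the authenticated user directly and are
  // unaffected by whether a placeholder object exists for anonymous sessions.
  @@allow('create,update,delete', auth() == author)
}
```

The commented-out `@@allow('read', auth() != null)` line is the pattern the thread argues against; the active rule shows the access-policy alternative. Whether a session identifier such as `externalCode`/`sessionId` is carried outside the `User` model, as the issue proposes, is independent of this schema and is left out here.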