Dsek-LTH / web

The D-guild's primary web page
https://dsek-lth.github.io/web/
European Union Public License 1.2

Improve access control for markdown #440

Open danieladugyan opened 1 month ago

danieladugyan commented 1 month ago

Right now, markdowns:update is needed to be able to edit any content on the page. This is a regression from how it used to previously work: we had read/write permission for every markdown item, i.e. markdowns:sexm:read. Restore the missing functionality.

Macludde commented 1 month ago

No, I don't think so. In zmodel, markdowns:update is required, but when you are updating a specific markdown, we check if you have markdowns:sexm:update and then use authorizedPrismaClient instead.

This is due to a limitation of the zenstack zmodel language, where we cannot check if a user's policies include markdowns:{name}:update (it doesn't support string interpolation, it doesn't support loops, or a few other things). So the only way to do it I found is to handle access manually for this.
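The manual check described in the comment above, written out as an added example. This is not code from the dsek-lth/web repository or from ZenStack; it assumes (not stated in the issue) that the user's granted policies are available as a plain string array, that markdown names are short slugs, and that the caller has two Prisma-style clients: an "enhanced" one that enforces the zmodel policies and an "authorized" one that bypasses them (the issue only names authorizedPrismaClient). The point it shows is the routing decision: a global markdowns:update grant can go through the policy-enforcing client, an item-level markdowns:{name}:update grant must use the bypassing client because the zmodel cannot express it, and anything else is denied. The name is validated before being spliced into a policy string so that a crafted name cannot be used to match a different policy.

```typescript
// Added example, not the project's own code. Names, clients and helpers
// below are hypothetical stand-ins for the routing described in the issue.

// Only allow the slug characters expected in a markdown name, so a name like
// "sexm:update" can never be spliced into a broader policy string.
const MARKDOWN_NAME = /^[a-z0-9_-]+$/i;

// Policy string for editing one specific markdown item, e.g. markdowns:sexm:update.
function markdownUpdatePolicy(name: string): string {
  if (!MARKDOWN_NAME.test(name)) {
    throw new Error(`invalid markdown name: ${JSON.stringify(name)}`);
  }
  return `markdowns:${name}:update`;
}

// True if the user holds either the global markdowns:update policy or the
// per-item markdowns:<name>:update policy. Uses exact matching, not prefixes.
function canUpdateMarkdown(policies: readonly string[], name: string): boolean {
  const granted = new Set(policies);
  return granted.has("markdowns:update") || granted.has(markdownUpdatePolicy(name));
}

// Which client the update should go through. The zmodel only knows about the
// global policy, so an item-level grant has to use the bypassing client.
type ClientChoice = "enhanced" | "authorized" | "deny";

function chooseClient(policies: readonly string[], name: string): ClientChoice {
  const granted = new Set(policies);
  if (granted.has("markdowns:update")) return "enhanced";
  if (granted.has(markdownUpdatePolicy(name))) return "authorized";
  return "deny";
}

// Minimal shape shared by the two (hypothetical) clients.
interface MarkdownClient {
  markdown: {
    update(args: { where: { name: string }; data: { markdown: string } }): Promise<unknown>;
  };
}

// Update handler: decide first, then touch the database with the matching client.
async function updateMarkdown(
  clients: { enhanced: MarkdownClient; authorized: MarkdownClient },
  policies: readonly string[],
  name: string,
  markdown: string,
): Promise<ClientChoice> {
  const choice = chooseClient(policies, name);
  if (choice === "deny") {
    throw new Error(`missing ${markdownUpdatePolicy(name)}`);
  }
  await clients[choice].markdown.update({ where: { name }, data: { markdown } });
  return choice;
}
```

Because the authorized client skips every zmodel rule, the denial check must run before it is selected; the order of the three branches in chooseClient is what keeps the bypass limited to users who actually hold the item-level policy.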

jiashengguo commented 2 weeks ago

Hey, although I'm not quite sure about the problem, ZenStack has recently added a check API which seems related:

https://zenstack.dev/docs/guides/check-permission

If that's not what you need, would you mind creating a FR in ZenStack's repo?