Open Kissaki opened 13 years ago
One option: Add a resource-method HasAccess which the request is passed to.
Passing the http.Request to the HasAccess method breaks the abstraction. rest.go abstracted away the HTTP methods, but with the HasAccess check one still had to know the mapping of method->function to actually implement the correct checks. Separate methods HasReadAccess and HasWriteAccess would be feasible.
Although feasible, simplifying the various (HTTP) methods into just read and write may not always be OK if more granular access control is needed. Trade-off here. Would additional methods and checks for each HTTP method be feasible? That would generate more code and runtime checks.
General and http-specific HasAccess method implemented.
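One way to realise the read/write split discussed above, written here as an added Go example rather than rest2go's own code: the dispatcher owns the HTTP-method-to-read/write mapping, resources only implement HasReadAccess/HasWriteAccess, and a resource that needs per-method granularity can opt into a HasAccess hook instead. Principal, MethodChecker, isWrite, Authorize and the notes resource are assumptions for the illustration.

```go
package main

import "net/http"

// Principal: what the server knows about the caller (hypothetical, not rest.go's).
type Principal struct {
	Name  string
	Roles map[string]bool
}

// AccessChecker is the coarse read/write split: the resource never sees the request.
type AccessChecker interface {
	HasReadAccess(p Principal, id string) bool
	HasWriteAccess(p Principal, id string) bool
}

// MethodChecker is the optional per-method hook for resources needing finer grain.
type MethodChecker interface {
	HasAccess(p Principal, method, id string) bool
}

// isWrite is the single place the HTTP-method -> read/write mapping lives; unknown methods count as writes.
func isWrite(method string) bool {
	switch method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return false
	}
	return true
}

// Authorize prefers the per-method hook when present, otherwise collapses the method to read or write.
func Authorize(r AccessChecker, p Principal, method, id string) bool {
	if mc, ok := r.(MethodChecker); ok {
		return mc.HasAccess(p, method, id)
	}
	if isWrite(method) {
		return r.HasWriteAccess(p, id)
	}
	return r.HasReadAccess(p, id)
}

// notes is a constructed sample resource: anyone may read, only editors may write.
type notes struct{}

func (notes) HasReadAccess(Principal, string) bool      { return true }
func (notes) HasWriteAccess(p Principal, _ string) bool { return p.Roles["editor"] }

func main() {
	println(Authorize(notes{}, Principal{Name: "bob"}, http.MethodDelete, "1")) // false
}
```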
Hi, I'm the author of casbin. It is an authorization library that supports models like ACL, RBAC, ABAC.
Related to RBAC, casbin has several advantages:
And you can even customize your own access control model, for example, mix RBAC and ABAC together by using roles and attributes at the same time. It's very flexible.
So please consider using casbin when rest2go implements access control security. Also let me know if there's any question :)
Access checks (especially when, apart from reads, it also comes to writes) need to be done on the REST server.
Unfortunately, when using rest.go no data from the request is passed, so validity and access cannot be checked.