Closed dmushkov closed 2 years ago
You can easily achieve that with a permission, see https://restheart.org/docs/upgrade-to-v6/#mongopermissions
(note: this is valid for restheart v6.x)
This is a yaml example for the fileAclAuthorizer (you can do the same in json with the mongoAclAuthorizer):

```yaml
- roles: [ user ]
  predicate: method(GET) and path(/coll)
  mongo:
    readFilter: >
      {"author": "@user.userid"}
```
the `mongo.readFilter` adds a filter on the query and limits the results to those documents with the `author` property equal to the id of the authenticated user
for write requests you can do:

```yaml
- roles: [ user ]
  predicate: method(POST) and path(/coll)
  mongo:
    mergeRequest: >
      {"author": "@user.userid"}
```
this forces the `author` property to be set by restheart to the id of the authenticated user on document creation
```yaml
- roles: [ user ]
  predicate: (method(PATCH) or method(PUT)) and path-template(/coll/{docid})
  mongo:
    writeFilter: >
      {"author": "@user.userid"}
```
this makes sure that the user can only update documents "owned" by her
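As an added illustration of what the three permissions above do (this is a stand-alone model, not RESTHeart's own code), the script below applies the readFilter, mergeRequest and writeFilter semantics to a constructed in-memory collection, showing that a user only reads and updates documents she owns and that a client-supplied `author` on POST is overwritten by the server. It assumes a simplified `@user.userid` interpolation and equality-only filters.

```python
from copy import deepcopy

# Constructed sample data standing in for the /coll collection (not RESTHeart code).
SAMPLE_COLL = [
    {"_id": 1, "author": "alice", "title": "alice's note"},
    {"_id": 2, "author": "bob", "title": "bob's note"},
]

# The three permissions from the answer above, as Python dicts instead of yaml.
PERMISSIONS = [
    {"methods": {"GET"}, "mongo": {"readFilter": {"author": "@user.userid"}}},
    {"methods": {"POST"}, "mongo": {"mergeRequest": {"author": "@user.userid"}}},
    {"methods": {"PATCH", "PUT"}, "mongo": {"writeFilter": {"author": "@user.userid"}}},
]

def fresh_coll():
    """Return a private copy of the sample collection so each run starts clean."""
    return deepcopy(SAMPLE_COLL)

def interpolate(template, user):
    """Resolve '@user.userid' to the authenticated user's id (a simplified AclVarsInterpolator)."""
    return {k: user["userid"] if v == "@user.userid" else v for k, v in template.items()}

def matches(doc, flt):
    """True when every field of the (equality-only) filter matches the document."""
    return all(doc.get(k) == v for k, v in flt.items())

def mongo_options(method):
    """Pick the mongo.* options of the first permission whose predicate covers the method."""
    return next(p["mongo"] for p in PERMISSIONS if method in p["methods"])

def handle(method, user, body=None, docid=None, coll=None):
    """Model how the readFilter / mergeRequest / writeFilter options shape one request."""
    coll = fresh_coll() if coll is None else coll
    opts = mongo_options(method)
    if method == "GET":  # readFilter is AND-ed onto the query: only owned docs come back
        return [d for d in coll if matches(d, interpolate(opts["readFilter"], user))]
    if method == "POST":  # mergeRequest overwrites whatever author the client sent
        doc = {**body, **interpolate(opts["mergeRequest"], user)}
        doc["_id"] = max((d["_id"] for d in coll), default=0) + 1
        coll.append(doc)
        return doc
    # PATCH/PUT: the update applies only if the target also satisfies the writeFilter
    flt = interpolate(opts["writeFilter"], user)
    for d in coll:
        if d["_id"] == docid and matches(d, flt):
            d.update(body)
            return True
    return False  # not owned (or not found): no document is modified
```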
You are fast! Thanks
And what will be here

```
the id of the user is:
# - @user._id with mongoRealmAuthenticator
```

if I use jwtAuthenticationMechanism?
Unfortunately this job is done by AclVarsInterpolator that only supports accounts generated by MongoRealmAuthenticator and FileRealmAuthenticator:

```java
 * Interpolate values in doc like '@user', '@user.property', @now
 *
 * Supports accounts handled by MongoRealAuthenticator and
 * FileRealmAuthenticator
```

We'll extend it to support also accounts generated by the jwtAuthenticationMechanism.
I'm doing some analysis, I'll let you know how long this will take, hopefully it's going to be quick..
currently I solved this with `{"author": "@request.userName"}` which brings what I need but it's a workaround
hi @dmushkov
commit 0e920df29643a534c3c9543a82a92eb9b6696500 "extends support of $user variable in ACL permissions and Aggregations to identities generated by the JwtAuthenticationMechanism"
This is a new feature and will be shipped with upcoming RESTHeart 6.2
You can try it now using snapshot builds
@ujibang thanks! I will give it a try
let us know if you find any problem helping to test it
@ujibang Works like a charm!
feel free to reopen if you need more help
Hi team, what can be a possible way to implement record/document level security so that a user can only query/update documents which he "owns"?