research-subject: Authorization checks system

[exavolt]

Most relevant: CEL, Oso.

Relevant technologies:

• Oso https://www.osohq.com/
• CEL https://github.com/google/cel-spec
• Zanzibar https://research.google/pubs/pub48190/
• Himeji https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574

An example case:

// service = group chat
// operation = post message
// principal = context user

  allow operation if
    chat accepts new messages
    and ((group member list contains context user and group allows members to post) or 
      group admin list contains context user)
    and group mute list does not contain context user
    and (the group does not require users with a verified phone number to
      post messages or context user has a verified phone number)
    and (the group does not require users with a verified email address to
      post messages or context user has a verified email address).

[exavolt]

Another reference: Firebase Security Rules

service cloud.firestore {
  match /databases/{database}/documents {
    match /stories/{storyid} {
      // Only the authenticated user who authored the document can read or write
      allow read, write: if request.auth != null && request.auth.uid == resource.data.author;
    }
  }
}