Open dura0ok opened 5 months ago
Hey @dura0ok ,
the whole idea is to use resources to set distinctive permissions and attach those on each endpoint.
This way, the endpoint is always secured from the exact suitable permissions and can be accessed by any role that has those permissions.
Obvious advantage of this is the fact that permissions can change for each role in time if needed, modifying the access to endpoints without even touching the endpoints themselves.
Hope that helps, cheers!
Yes, it's cool, but it would be cool if the current roles that need to be in order to access the endpoint were displayed in the generated documentation
Well, two points here:
Yes))
@dura0ok sorry, didn't get that one sooner. I don't believe this would be any helpful really, not with that approach anyway, since the scopes defined are only internal. Unless all of those were exposed to user and one could request a custom token with which peemissions they wish in some kind of on demand tokens fashion.
Context:
I have three types of users: Admin, Service Provider, and Applicant. Based on an example provided, I am considering the following implementation:
Service Providers:
Applicants:
Admin:
Database Schema:
Registration Process:
Email Verification:
Assign Permissions:
Admin Creates Service Provider:
Applicant Self-Registration:
Is my workflow a good approach.How can i modify your example to meet my usecase.If not how can i adopt it to fit well in mine
Hey @joshwisehub , sorry for the late response, kinda busy these days.
Well it all sounds good, but with couple of caveats:
In terms of roles and their permissions, if you are to keep them in your database, instead of just in your code, you will need some initialization scripts to get them in your database in the first place. Given that you won't be really able to "secure" them behind some relevant endpoints, as you would cut off yourself in the process or give those endpoints free access, since there would be nothing (roles or permissions) to authorize against in that stage.
On top of the previous point, with your approach you would probably need some definitions duplication. You see, permissions in my example are defined in the codebase so that they can be used at will in routers/endpoints dependencies. If your permissions for example are just in your database, then I don't see how you could have them available for definition time of your endpoints without duplicating the information in your code as well to use them. Remember, endpoints definition with the dependency injection is just like any other Python decorator, so they are evaluated during startup and interpretation, so you can't really have those permissions at this stage if they are only present in your database. Even if you manage to somehow load them in memory before all routers definition starts, I guess it would be quite tricky.
Yeah, it's true will have to load the permissions and roles on initial start up using a migration script, But one final question before trying your approach. Will it be easy to populate the permissions and roles in the UI for example if you connect to a client that use frontend framework like react. To allow adding or assigning permissions or even revoking permissions from a role or a specific user. Since with current implementation, in order to do that you have to go back to the code and manually add a new role or add a set of permissions to a new role. Can you help on how I can handle a scenario where the Administrator of a system will not be a developer, so he can just add a new role and set permissions to that newly added role in the UI without touching the code.
This question comes from the benefits section of your medium article on this topic.
Well, you could handle the whole thing with simple CRUD operations, but you will still have limitations.
What about describe roles, which needed to execute some endpoint?