SPIKE Attribute based access control for the APIs

[justinliangg]

Basic Information

Currently, implementing a way to retrieve only a sufficient amount of data for a given user role in an API will result in a lot of code duplication and unmaintainable code.

For example, both the client and repairer should be able to access the /api/repair-request endpoint. However, a client should only get back repair requests that were created by them and a repairer should only receive repair requests that are assigned to them.

There are three different ways to implement this?

• Create a separate endpoint for each user role, /api/repairer/repair-requests and /api/client/repair-requests. But might potentially be unmaintainable and a bunch of code that is similar but slightly different.
• All user roles share an endpoint but different queries to the database based on their roles (if or switch case). This will lead to similar issues faced above and a bunch of IF statements everywhere.
• All user roles share an endpoint but we use something like Zenstack to filter the queries retrieved from the database based on the user role by creating "policies" on how the data should be retrieved or mutated based on an attribute. Least amount of code duplication as far as I can tell but an additional learning curve?

Policies that we will have to implement (There are still more)

• A client can only view, update, and delete their own repair requests.
• A repairer can only view and update repair requests assigned to them.
• An event manager can only update and delete events from their own organisation but can view all events.
• An admin can do everything.

[github-actions[bot]]

Branch issue-114-SPIKE_Attribute_based_access_control_for_the_APIs created!

[dct0]

https://docs.google.com/spreadsheets/d/18AxrBPgUUgtK0lcNLxSUmxFfxQERglB_L3c7OL6s9DE/edit?usp=sharing As discussed with @justinliangg considering the amount of endpoints that have complex permissions I think this is achievable without zenstack