Closed justinliangg closed 9 months ago
Branch issue-114-SPIKE_Attribute_based_access_control_for_the_APIs created!
https://docs.google.com/spreadsheets/d/18AxrBPgUUgtK0lcNLxSUmxFfxQERglB_L3c7OL6s9DE/edit?usp=sharing
As discussed with @justinliangg, considering the amount of endpoints that have complex permissions, I think this is achievable without zenstack.
Basic Information
Currently, implementing a way to retrieve only a sufficient amount of data for a given user role in an API will result in a lot of code duplication and unmaintainable code.
For example, both the client and repairer should be able to access the `/api/repair-request` endpoint. However, a client should only get back repair requests that were created by them, and a repairer should only receive repair requests that are assigned to them. There are three different ways to implement this:
1. `/api/repairer/repair-requests` and `/api/client/repair-requests`. But this might potentially be unmaintainable, with a bunch of code that is similar but slightly different.
Policies that we will have to implement (there are still more)
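One way to serve the shared endpoint with per-role row scoping and no duplicated per-role handlers, as an added TypeScript example that is not part of this issue or the project's code. The role names, the field names `createdById` and `assignedToId`, and the update rules in `canUpdate` are assumptions for illustration; the sample rows are constructed.

```typescript
// Added example (not the project's code): row-level access policies applied by a
// single /api/repair-request handler, so each role gets only its own rows without
// a separate endpoint per role. Role names, field names and rules are assumptions.

type Role = "CLIENT" | "REPAIRER" | "ADMIN";

interface User {
  id: string;
  role: Role;
}

interface RepairRequest {
  id: string;
  createdById: string;         // assumed: the client who opened the request
  assignedToId: string | null; // assumed: the repairer assigned to it, if any
  status: "OPEN" | "IN_PROGRESS" | "DONE";
}

// An equality filter kept as plain data (same shape as an ORM `where` object),
// so it can be evaluated in memory here or handed to a query builder elsewhere.
type Where<T> = Partial<T>;

// A read policy returns the filter that scopes rows to what the caller may see,
// or null to deny the request outright.
type ReadPolicy<T> = (user: User) => Where<T> | null;

// One policy table per resource replaces N near-identical per-role endpoints.
const readPolicies: Record<Role, ReadPolicy<RepairRequest>> = {
  CLIENT: (user) => ({ createdById: user.id }),    // only requests they created
  REPAIRER: (user) => ({ assignedToId: user.id }), // only requests assigned to them
  ADMIN: () => ({}),                                // unrestricted
};

function matches<T>(row: T, where: Where<T>): boolean {
  return (Object.keys(where) as (keyof T)[]).every((key) => row[key] === where[key]);
}

// Deny by default: a role with no entry in the table (e.g. a tampered or new
// role value) gets no rows rather than all rows.
function readScope(user: User): Where<RepairRequest> | null {
  const policy: ReadPolicy<RepairRequest> | undefined = readPolicies[user.role];
  return policy ? policy(user) : null;
}

// The single handler. The caller's id and role must come from the authenticated
// session, never from request parameters, or the filter is trivially bypassed.
function listRepairRequests(user: User, rows: RepairRequest[]): RepairRequest[] {
  const where = readScope(user);
  if (where === null) {
    throw new Error(`forbidden: no read policy for role ${user.role}`);
  }
  return rows.filter((row) => matches(row, where));
}

// Per-row action policies compose with the same scoping. The rules below are
// hypothetical: a client may update only their own OPEN requests, a repairer
// only assigned requests that are not DONE.
function canUpdate(user: User, row: RepairRequest): boolean {
  // You cannot update what you cannot read.
  const where = readScope(user);
  if (where === null || !matches(row, where)) return false;
  switch (user.role) {
    case "CLIENT":
      return row.status === "OPEN";
    case "REPAIRER":
      return row.status !== "DONE";
    case "ADMIN":
      return true;
    default:
      return false;
  }
}

// Constructed sample data for the usage below.
const sampleRows: RepairRequest[] = [
  { id: "rr-1", createdById: "client-1", assignedToId: "repairer-1", status: "OPEN" },
  { id: "rr-2", createdById: "client-2", assignedToId: "repairer-1", status: "IN_PROGRESS" },
  { id: "rr-3", createdById: "client-1", assignedToId: null, status: "DONE" },
];

const asClient: User = { id: "client-1", role: "CLIENT" };
const asRepairer: User = { id: "repairer-1", role: "REPAIRER" };

console.log(listRepairRequests(asClient, sampleRows).map((r) => r.id));   // rr-1, rr-3
console.log(listRepairRequests(asRepairer, sampleRows).map((r) => r.id)); // rr-1, rr-2
```

The point of keeping the scope as a plain `where` object is that the same policy table can drive both the list endpoint (as a query filter) and per-row checks on update or delete, so adding a role or a resource means adding a table entry rather than another near-duplicate route.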