Open ezekg opened 1 year ago
Some pseudo code for the policy assert:
```ruby
class LicensePolicy
  def update
    case bearer
    # ...
    in role: Role(:user)
      deny! if license.metadata_changed? && bearer.cannot?('license.metadata.update')
    # ...
    end
  end
end
```
A common request is to be able to update a license, machine, or user's metadata from a client-side integration while authenticated as a license or a user. We could introduce this via `{license,machine,user}.metadata.update` permissions, disabled by default. I'm not 100% sold on attribute-level authz yet, but just an initial idea.
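
The check proposed in this issue, as a plain-Ruby sketch added here for illustration (it is not the project's code). It generalizes the pseudo code from licenses to all three `{license,machine,user}.metadata.update` permissions; `Bearer`, `Resource`, `ResourcePolicy`, `Denied` and the contents of `DEFAULT_PERMISSIONS` are hypothetical names and values.

```ruby
require "set"

class Denied < StandardError; end

# Bearer: the authenticated license or user (hypothetical stand-in).
Bearer = Struct.new(:permissions) do
  def cannot?(permission)
    !permissions.include?(permission)
  end
end

# Resource with minimal dirty tracking for metadata (no ActiveRecord).
class Resource
  attr_reader :kind, :name, :metadata

  def initialize(kind, name:, metadata: {})
    @kind = kind
    @name = name
    @metadata = @original_metadata = metadata.dup.freeze
  end

  def assign(attrs)
    @name = attrs[:name] if attrs.key?(:name)
    @metadata = attrs[:metadata].dup.freeze if attrs.key?(:metadata)
    self
  end

  # Compared by value, so resubmitting identical metadata is not a change.
  def metadata_changed?
    @metadata != @original_metadata
  end
end

# Assumed defaults: the *.metadata.update permissions are absent (disabled by default).
DEFAULT_PERMISSIONS = Set["license.update", "machine.update", "user.update"].freeze

class ResourcePolicy
  def initialize(bearer, resource)
    @bearer = bearer
    @resource = resource
  end

  # Record-level check first, then the attribute-level check on metadata.
  def update!
    kind = @resource.kind
    raise Denied, "#{kind}.update" if @bearer.cannot?("#{kind}.update")
    if @resource.metadata_changed? && @bearer.cannot?("#{kind}.metadata.update")
      raise Denied, "#{kind}.metadata.update"
    end
    true
  end
end
```

The policy raises rather than silently dropping the `metadata` key, so a client without the permission learns that its write was rejected instead of assuming it was stored.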