keygen-sh / keygen-api

Keygen is a fair source software licensing and distribution API built with Ruby on Rails. For developers, by developers.
https://keygen.sh

Allow licenses and users to update their resources' metadata #735

Open ezekg opened 1 year ago

ezekg commented 1 year ago

A common request is to be able to update a license, machine, or user's metadata from a client-side integration while authenticated as a license or a user. We could introduce this via {license,machine,user}.metadata.update permissions, disabled by default.

I'm not 100% sold on attribute-level authz yet, but just an initial idea.

ezekg commented 1 year ago

Some pseudo code for the policy assert:

class LicensePolicy
  def update
    case bearer
    # ...
    in role: Role(:user)
      deny! if license.metadata_changed? && bearer.cannot?('license.metadata.update')
      # ...
    end
  end
end
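
A runnable sketch of the assert in the pseudo code above, added here as an example and not taken from the Keygen code base. `Bearer`, `License`, `authorize_update`, `allowed?` and the default permission list are hypothetical stand-ins; it shows the metadata permission staying off unless granted and the dirty check catching in-place metadata edits.

```ruby
# Added illustration: Bearer, License, authorize_update and allowed? are
# hypothetical stand-ins for this example, not Keygen's models or policies.
Bearer = Struct.new(:role, :permissions) do
  def cannot?(action)
    !permissions.include?(action)
  end
end

class License
  attr_accessor :name, :metadata

  def initialize(name:, metadata:)
    @name, @metadata = name, metadata
    @persisted_metadata = Marshal.load(Marshal.dump(metadata)) # deep snapshot
  end

  # Compares against the snapshot, so in-place edits (metadata[k] = v) count too.
  def metadata_changed?
    @metadata != @persisted_metadata
  end
end

# Constructed default grant list: license.metadata.update is deliberately
# absent, i.e. the permission is disabled by default.
DEFAULT_USER_PERMISSIONS = %w[license.read license.update].freeze

class Denied < StandardError; end

# The attribute-level assert as a standalone function. The other update
# checks the pseudo code elides with "# ..." are not modelled here.
def authorize_update(bearer, license)
  case bearer
  in { role: :admin }
    true
  in { role: :user | :license }
    if license.metadata_changed? && bearer.cannot?('license.metadata.update')
      raise Denied, 'metadata change requires license.metadata.update'
    end
    true
  else
    raise Denied, 'unsupported bearer' # fail closed on anything unmatched
  end
end

# Boolean wrapper so callers (and tests) can check the decision directly.
def allowed?(bearer, license)
  authorize_update(bearer, license)
rescue Denied
  false
end
```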