Authorization for API actions - Githubissues

okfn / timemapper

Create and share elegant timelines and timemaps fast

http://timemapper.okfnlabs.org/

MIT License

274 stars 60 forks source link

Authorization for API actions #27

Closed rufuspollock closed 12 years ago

rufuspollock commented 12 years ago

CRUD for all objects
Limit read of account to account owner (or strip out password and personal info such as email)
Implementation
Permission = a tuple of (UserRole, Object, Action)
UserRole = Owner | User (logged in user) | Anonymous
Action = (create) | read | update | delete

Config consists of a dictionary:

AUTHORIZATION = {
  {object-type}: {
    anonymous: ['create', 'read'],
    user: ['create', 'read'],
    owner: ['read', 'update', 'delete']
  }

Code:

role = getRole(user, object);
return AUTHORIZATION[object.object_type].findIndex(action) != -1

Issues

TODO: Prevent users changing permission fields on objects (at the moment this is just the owner field ...)