Open jsardev opened 6 years ago
Hi,
You should not use the id as the identifier of the resource. You should instead use the own possession, like this:
`ac.grant("role").createOwn("video")`
It's up to you how you implement the own concept in your application. If you want an example, I have created a middleware for express that checks the own possession using a resource array inside the user's connection token.
In my application, I have a datatable resource that holds the link between a role and a resource. When the user connects to the app, the resource array is put inside the generated token.
@scandinave Thanks for your reply! Unfortunately, I'm not talking about resources owned by a given user. I mean resources created by user X which should be accessible by user Y, without `read:any`.
@scandinave Oh, I guess I misunderstood your reply. Having a `resources` property in the user's token/session makes sense 😄 Thanks for the suggestion!
Don't forget to sign your token to avoid any modification.
The other solution, if you want a user delegating access to another user, is to use OpenID Connect/OAuth2. Maybe something like Keycloak is what you want.
@scandinave Sure thing. One more question: I also need to distinguish access to the subtype of the resource, i.e. `media:video` or `media:attachment`. I am more clearly coming to the conclusion that I could just need ABAC instead of RBAC, am I right?
AccessControl supports providing attributes like this:
`ac.grant("role").createOwn("media", ["video", "attachment"])`
You can then filter what can be returned to the user with the filter method.
In my projects, I use this method in my express route before returning the JSON object to purge unwanted values.
IMO naming it `attributes` is very confusing. The only thing it does is filtering properties of the given resource. Dunno why it's called `attributes`.
I'm talking about a different situation. Consider a resource like this:
```jsonc
{
  "name": "some name",
  "type": "video" // this can also be an "attachment"
}
```
Now, using `accesscontrol`, the only way to handle different grants based on the `type` is to call the resource `media:video` and `media:attachment`, which kinda leads me to the thought that this system is not what I'm looking for.
Yeah, the author told us that v3.0 was in preparation, but it seems to be a little busy at this time.
So I'd like to restrict access to specific resource instances. I came up with an idea to just use `.resource('video:id')` for grants, but I'm not sure if it's a good way. To be more specific: I'm talking about a case where user X owns a resource, and user Y needs to have access to it, without having a `read:any` grant. Do you recommend any other way to handle this problem?