onury / accesscontrol

Role and Attribute based Access Control for Node.js
https://onury.io/accesscontrol
MIT License
2.2k stars 178 forks

Recommended way for resource-based access control #57

Open jsardev opened 6 years ago

jsardev commented 6 years ago

So I'd like to restrict access to specific resource instances. I came up with an idea to just use .resource('video:id') for grants, but I'm not sure if it's a good way.

To be more specific: I'm talking about a case where user X owns a resource, and user Y needs to have access to it, without having a read:any grant.

Do you recommend any other way to handle this problem?

scandinave commented 6 years ago

Hi, you should not use the id as the identifier of the resource. You should instead use the own possession, like this: ac.grant("role").createOwn("video").

It's up to you how you implement the own concept in your application. If you want an example, I have created a middleware for Express that checks the own possession using a resource array inside the user's connection token.

In my application, I have a datatable resource that holds the link between a role and a resource. When the user connects to the app, the resource array is put inside the generated token.

jsardev commented 6 years ago

@scandinave Thanks for your reply! Unfortunately, I'm not talking about resources owned by a given user. I mean resources created by user X which should be accessible by user Y, without read:any.

jsardev commented 6 years ago

@scandinave Oh, I guess I misunderstood your reply. Having a resources property in the user's token/session makes sense 😄 Thanks for the suggestion!

scandinave commented 6 years ago

Don't forget to sign your token to avoid any modification.

The other solution, if you want a user delegating access to another user, is to use OpenID Connect/OAuth2. Maybe something like Keycloak is what you want.

jsardev commented 6 years ago

@scandinave Sure thing. One more question: I also need to distinguish the access to the subtype of the resource, i.e. media:video or media:attachment. I am more and more coming to the conclusion that I could just need ABAC instead of RBAC, am I right?

scandinave commented 6 years ago

AccessControl supports providing attributes like this:

ac.grant("role").createOwn("media", ["video", "attachment"])

You can then filter what can be returned to the user with the filter method.

In my projects, I use this method in my Express route before returning the JSON object, to purge unwanted values.

jsardev commented 6 years ago

IMO naming it attributes is very confusing. The only thing it does is filter properties of the given resource. Dunno why it's called attributes.

I'm talking about a different situation. Consider a resource like this:

{
    "name": "some name",
    "type": "video" // this can also be an "attachment"
}

Now, using accesscontrol, the only way to handle different grants based on the type is to call the resources media:video and media:attachment, which kinda leads me to the thought that this system is not what I'm looking for.

scandinave commented 6 years ago

Yeah, the author told us that v3.0 was in preparation, but they seem to be a little busy at this time.