Open J0eppp opened 3 years ago
GET /users/<username/userid> with a valid session.
GetUser permission.
GetUser permission.
Database fetches the data from the requested user and returns it to the client.
This is an example of how we could see whether someone has the permission to perform a certain action.
00000000 = 0 = NO PERMISSIONS
00000001 = 1 = READ OWN PROFILE
00000010 = 2 = WRITE OWN PROFILE
00000100 = 4 = READ ALL STUDENT'S PROFILES
00001000 = 8 = WRITE ALL STUDENT'S PROFILES
00010000 = 16 = READ ALL PROFILES
00100000 = 32 = WRITE ALL PROFILES
01000000 = 64 = CREATE NEW PROFILES
10000000 = 128 = DELETE PROFILES
Note: these are just examples
To check whether a user has the permission to perform a certain action, you do the following:
USER_PERMISSION_INTEGER | PERMISSION_TO_CHECK === USER_PERMISSION_INTEGER
User has the permission to read and write its own profile
USER_PERMISSION_INTEGER = 3 = 00000011
The user requests to see its own profile so:
PERMISSION_TO_CHECK = 1 = 00000001
USER_PERMISSION_INTEGER | PERMISSION_TO_CHECK === 3 = 00000011 | 00000001 === 00000011
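The bitfield check described above, worked through in JavaScript as an added example (not code from the issue or the project). It uses the flag values from the table, the OR-based test from the post alongside the equivalent AND form, and an assumed authorization rule for `GET /users/<userid>` (the rule and the sample users are constructed for illustration).

```javascript
// Permission flags as listed in the issue; each is a single bit.
const PERM = Object.freeze({
  NONE: 0,
  READ_OWN_PROFILE: 1 << 0,            // 1
  WRITE_OWN_PROFILE: 1 << 1,           // 2
  READ_ALL_STUDENT_PROFILES: 1 << 2,   // 4
  WRITE_ALL_STUDENT_PROFILES: 1 << 3,  // 8
  READ_ALL_PROFILES: 1 << 4,           // 16
  WRITE_ALL_PROFILES: 1 << 5,          // 32
  CREATE_NEW_PROFILES: 1 << 6,         // 64
  DELETE_PROFILES: 1 << 7,             // 128
});

// The check from the post: OR-ing the required bits into the user's bitfield
// leaves it unchanged exactly when every required bit is already set, so a
// combined mask such as READ_OWN | WRITE_OWN only passes if both bits are present.
function hasPermission(userPermissions, required) {
  return (userPermissions | required) === userPermissions;
}

// Equivalent AND form, often preferred because it reads as
// "all required bits are present in the user's permissions".
function hasPermissionAnd(userPermissions, required) {
  return (userPermissions & required) === required;
}

// Assumed authorization rule for GET /users/<userid> (not the project's):
// own profile needs READ_OWN_PROFILE; someone else's needs READ_ALL_PROFILES,
// or READ_ALL_STUDENT_PROFILES when the target is a student.
function canReadProfile(requester, target) {
  if (requester.id === target.id) {
    return hasPermission(requester.permissions, PERM.READ_OWN_PROFILE);
  }
  if (target.isStudent &&
      hasPermission(requester.permissions, PERM.READ_ALL_STUDENT_PROFILES)) {
    return true;
  }
  return hasPermission(requester.permissions, PERM.READ_ALL_PROFILES);
}

// Constructed sample users: a student with value 3 (read + write own profile)
// and a teacher with value 5 (read own profile + read all student profiles).
const student = { id: 1, isStudent: true,
  permissions: PERM.READ_OWN_PROFILE | PERM.WRITE_OWN_PROFILE };
const teacher = { id: 2, isStudent: false,
  permissions: PERM.READ_OWN_PROFILE | PERM.READ_ALL_STUDENT_PROFILES };
```

Note that JavaScript bitwise operators work on 32-bit signed integers, so this scheme is limited to 31 safe flags before bit 31 flips the sign; use BigInt if more are ever needed.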
I approve the use of bitfields.
Discussion/documentation about how we want to handle the authorization for the REST API.