panictriggers / scolix-web

Scolix REST API
GNU Affero General Public License v3.0

Handle authorization #2

Open J0eppp opened 3 years ago

J0eppp commented 3 years ago

Discussion/documentation about how we want to handle the authorization for the REST API.

J0eppp commented 3 years ago

Steps

  1. Identify every database request.
  2. Check if the user has that permission in the database.
  3. If the user has the right permission, continue, else, return 401 - not authorized.

Example

  1. Teacher requests GET /users/<username/userid> with a valid session.
  2. Server receives the request and checks if the user has the GetUser permission.
  3. Teacher has the GetUser permission. Database fetches the data of the requested user and returns it to the client.

J0eppp commented 3 years ago

This is an example on how we could see whether someone has the permission to perform a certain action.

Definitions

00000000 = 0 = NO PERMISSIONS
00000001 = 1 = READ OWN PROFILE
00000010 = 2 = WRITE OWN PROFILE
00000100 = 4 = READ ALL STUDENT'S PROFILES
00001000 = 8 = WRITE ALL STUDENT'S PROFILES
00010000 = 16 = READ ALL PROFILES
00100000 = 32 = WRITE ALL PROFILES
01000000 = 64 = CREATE NEW PROFILES
10000000 = 128 = DELETE PROFILES

Note: these are just examples

Calculation

To check whether a user has the permission to perform a certain action, you do the following: USER_PERMISSION_INTEGER | PERMISSION_TO_CHECK === USER_PERMISSION_INTEGER

Example

User has the permission to read and write its own profile: USER_PERMISSION_INTEGER = 3 = 00000011
The user requests to see its own profile, so: PERMISSION_TO_CHECK = 1 = 00000001
USER_PERMISSION_INTEGER | PERMISSION_TO_CHECK === 3 = 00000011 | 00000001 === 00000011
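The following is an added example, not code from the Scolix project or from the commenter above, that puts the two proposals together: the bitfield definitions and the `USER | PERMISSION === USER` check, and the three-step flow (map the request to a permission, look the user's permissions up from the session, only then touch the database). It also covers the case the steps leave implicit: an "own profile" bit only applies when the requested user is the caller, so the required permission depends on who is asking. The permission names, the constructed user and session tables, and the `handleGetUser` route shape are assumptions; the example returns 401 for a missing or invalid session and 403 for a valid session that lacks the permission.

```javascript
// Added example for this issue (not the Scolix project's code).
// Permission names, the constructed USERS/SESSIONS tables and the
// handleGetUser() route shape are assumptions made for illustration.

const PERM = Object.freeze({
  NONE: 0,
  READ_OWN_PROFILE: 1 << 0,       // 00000001 =   1
  WRITE_OWN_PROFILE: 1 << 1,      // 00000010 =   2
  READ_STUDENT_PROFILES: 1 << 2,  // 00000100 =   4
  WRITE_STUDENT_PROFILES: 1 << 3, // 00001000 =   8
  READ_ALL_PROFILES: 1 << 4,      // 00010000 =  16
  WRITE_ALL_PROFILES: 1 << 5,     // 00100000 =  32
  CREATE_PROFILES: 1 << 6,        // 01000000 =  64
  DELETE_PROFILES: 1 << 7,        // 10000000 = 128
});

// The check from the issue: OR-ing the required bits into the user's
// bitfield must leave it unchanged, i.e. every required bit was already
// set. It also works when `required` combines several bits at once.
function hasPermission(granted, required) {
  return (granted | required) === granted;
}

// Constructed sample data: users keyed by id, sessions keyed by token.
// In a real deployment the permission integer comes from the database
// record behind the session, never from anything the client sends.
const USERS = new Map([
  ['t1', { id: 't1', role: 'teacher', name: 'Teacher One' }],
  ['s1', { id: 's1', role: 'student', name: 'Student One' }],
  ['s2', { id: 's2', role: 'student', name: 'Student Two' }],
]);
const SESSIONS = new Map([
  ['sess-teacher', {
    userId: 't1',
    permissions: PERM.READ_OWN_PROFILE | PERM.WRITE_OWN_PROFILE |
      PERM.READ_STUDENT_PROFILES | PERM.WRITE_STUDENT_PROFILES,
  }],
  ['sess-student', {
    userId: 's1',
    permissions: PERM.READ_OWN_PROFILE | PERM.WRITE_OWN_PROFILE, // = 3
  }],
]);

// Step 1: map "GET /users/<id>" to the permission it needs. The "own"
// bit only counts when the target is the caller; READ_ALL_PROFILES
// covers everyone; READ_STUDENT_PROFILES covers student targets only.
function canReadProfile(session, targetId) {
  if (targetId === session.userId &&
      hasPermission(session.permissions, PERM.READ_OWN_PROFILE)) {
    return true;
  }
  if (hasPermission(session.permissions, PERM.READ_ALL_PROFILES)) {
    return true;
  }
  const target = USERS.get(targetId);
  return target !== undefined && target.role === 'student' &&
    hasPermission(session.permissions, PERM.READ_STUDENT_PROFILES);
}

// Steps 2 and 3: resolve the session, check the permission, and only
// then read from the database. The existence of a user is only revealed
// (404 vs 200) to callers that were allowed to read that profile.
function handleGetUser(sessionToken, targetId) {
  const session = SESSIONS.get(sessionToken);
  if (!session) return { status: 401, body: { error: 'not authenticated' } };
  if (!canReadProfile(session, targetId)) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  const user = USERS.get(targetId);
  if (!user) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: { id: user.id, name: user.name, role: user.role } };
}

// Worked example from the issue: a user holding 3 (read + write own
// profile) asks for permission 1 (read own profile).
function issueExample() {
  return hasPermission(3, PERM.READ_OWN_PROFILE);
}
```

Two practical notes on the bitfield itself: JavaScript bitwise operators work on 32-bit signed integers, so once the flag list grows past 31 bits the integer must be stored as a BigInt (or split into several columns) or the high bits silently vanish; and because the bit values are part of the database contract, they should be appended to and never renumbered, with a deprecated bit simply left unused.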

showengineer commented 3 years ago

I approve the use of bitfields.